When a gaming provider is taken offline it frustrates hardcore users and damages the company’s reputation. Because availability is of such primary importance to gamers, these firms are frequent targets for attack.
“With distributed denial of service (DDoS) attacks continuing to grow in scale and frequency, and increasingly being used to disguise other forms of cyber-crime, gaming companies need to find ways to minimise the damage these attacks cause. If they don’t, or can’t, attackers will keep coming back in the future,” says Tom Bienkowski, director of product marketing at Arbor Networks, the security division of Netscout.
He relates the case of a market-leading provider of video-streamed gaming solutions that suffered a DDoS UDP flood attack, which overwhelmed its high-transaction environment that runs 24/7/365 – and is the sole source of its revenue.
Prior to the attack, the company had proactively engaged a managed security service provider (MSSP) to protect the availability of its service. It recognised the threat DDoS represented to its business and was proactive about implementing a solution.
“That’s the good news,” continues Bienkowski. “The problems began when the company implemented just part of a best-practices DDoS strategy, relying completely on cloud-based mitigation, with no on-premise solution to help identify or mitigate the attack themselves.
“The issue wasn’t just a technology gap – in fact, it was also an all-too-human disconnect between professionals working at a service provider and those working inside the customer.
“When the attacks began on a Sunday morning, it took the company 20 minutes to connect with someone cleared by the MSSP to initiate mitigation. It took another 20 minutes to get all parties, both at the gaming company and at the MSSP, on the same conference call, just to start identification of the problem and mitigation processes.”
Finally, after 90 minutes and USD1.7 million in lost revenue, the network was back online. That could mean game over for some organisations. Bienkowski points out that this downtime was like a magnet to attackers.
“Typically, when attackers target a company, they attack continuously for a certain period of time and then assess whether their actions are having the desired effect. Once a successful ‘mark’ is identified, unless the targeted company adjusts its defensive strategy, they will continue to get hit. They can expect a ransom/DDoS extortion message in short order,” he says. “In this case, after the first successful Sunday morning attack, the attacks continued on successive Sundays, resulting in frustrated clients and damage to the company’s reputation.”
Fortunately, the gaming company had more time left on the clock and took further action after realising it had deployed an incomplete solution. After reviewing incident response processes for both internal and service provider staff, the company decided that it could not rely exclusively on a cloud-only DDoS solution. Instead, it chose to add an on-premise solution to supplement its cloud-based protection.
“The gaming company felt like it had some control back; they had a solution they could use to defend themselves, and call for more help in the cloud if needed.”
Bryan Hamman, territory manager for Sub-Saharan Africa at Arbor Networks, says that these attacks are not isolated to any one region, and that operations in Africa especially are becoming the target of successive attacks and are realising that they don’t have the luxury of time when protecting their bottom line and reputation. He says that for this reason more and more clients are opting for an on-premise, purpose-built DDoS protection solution that is deployed at the network perimeter.
“Arbor APS can, for instance, disrupt botnet communications and detect and block application-layer DDoS attacks, including those specifically designed to compromise stateful inline tools like firewalls, IPS devices and load balancers. And in the event that the on-premise Arbor APS device detects a large DDoS attack that will overwhelm the local Internet connection, via a powerful feature called Cloud Signalling, it can automatically contact the upstream/in-cloud MSSP and reroute the attack traffic to their scrubbing centre,” says Hamman.
This combination of on-premise and in-cloud protection is also known as true hybrid protection, and is industry best practice for the most comprehensive protection from the modern-day DDoS attack.
Soon after the network and security team at the gaming company started using the Arbor APS on-premise solution (right out of the box, with no custom configuration), the Sunday morning attacks stopped because they were no longer successful. The attackers saw the change in defences and moved on to easier targets.
“Even with forward-thinking strategic planning and a solid understanding of risk and the threat landscape, mistakes were made. Best-practice hybrid defence wasn’t implemented, and the teams hadn’t practiced their response, feeling as though that was their MSSP’s job. But the reality is that like in most games, it’s a team effort and practice makes perfect,” concludes Bienkowski.
“Today, finally, after a sometimes painful process of learning and adjustment, they have a best practice hybrid defence in place on-premise and in the cloud, and they regularly practice incident response processes and procedures. Attackers who target their environment today are quick to learn that they have better odds elsewhere.”