One of the most significant issues facing the online gaming industry is service availability as large-scale Distributed Denial of Service (DDoS) attacks are still an everyday occurrence.

Unfortunately, denial of service attacks have always and will always be a part of the gaming culture, but not every outage is considered malicious in nature. For example, when hundreds of thousands of users attempt to log in simultaneously, it creates tremendous stress on some of the largest networks in the world resulting in a natural flood of users that can cause an outage.  For operators defending these networks, identifying and mitigating malicious traffic during these times can be difficult even for the most advanced team.

The good news is most of these attacks can often be forecast allowing operators time to prepare. In general, what makes target gaming companies attractive to “DDoSers” is their massive user base and potential impact. Criminals will often strategically launch DDoS attacks during a new release, tournament or special promotion because they know there will be an increase of traffic and stress put on the network allowing them to cause the greatest amount of damage and impact the most users.  For example, in October 2018 Ubisoft’s new release, Assassin’s Creed: Odyssey, was targeted on its release day by a series of DDoS attacks that prevented users from connecting to the game’s servers.

Three Types of DDoS Attackers

There are numerous reasons why someone would launch a denial of service attack against an online gaming platform, but most can be categorized into one of three groups.


The first group is known for their trolling antics and a general desire to disrupt another person’s day. Their assaults typically come at the most crucial moments when gamers are looking to take advantage of particular in-game content or bonuses. These events occur on specific dates and times and attackers will deliberately target their DDoS attacks during these set times. This group gets the reaction they are looking for when gamers voice their frustration at the situation and gaming operators over social media.


The second group are those that attack in retaliation. For example, when Blizzard Entertainment banned a large group of users for using automatic triggering and aimbots, the company experienced a DDoS attack in response. This group attacks their targets immediately following the ban and its only goal is to inflict damage to the company directly.

Attention Seekers

The third group of attackers are attention seekers or profiteers.  Their attacks are focused mainly on tournament disruption and booting specific players for profit or stunt DDoS’ing to advertise their services during major release or holidays. By launching these attacks, their mission is to generate profit and social klout.

DDoS attacks aimed at the gaming industry over the last five years has evolved at rapid rates mainly due to the adoption of Internet of Things (IoT) devices by general consumers. Typically, today’s DDoS attacks target the game industry through IoT botnets like Mirai. They produce massive volumetric attacks causing severe problems not only to game operators and their users, but to service providers who will have to absorb the high volume attacks.

These DDoS campaigns are often conducted by attackers that have a basic to advanced understanding of network and application security. If they are unable to flood the gaming servers, they will find another bottleneck or attempting to target upstream providers.

Before the release of Square Enix’s Final Fantasy XIV expansion pack Stormblood in June 2017, the company relocated its servers to provide their users with better service availability and increased optimization. Unfortunately, attackers were still able to identify the locations of the new servers and DDoS attacks occurred in parallel with the release date of the Stormblood expansion. The attacks against the release persisted over several day and eventually escalated from targeting Square Enix’s game servers directly to attacking their upstream providers.

The advanced attackers are also able to consistently change attack vectors in an attempt to defeat modern day mitigation systems. One of the more prominent trends in 2017 was the increase in short-burst attacks, which over time have increased in complexity, frequency and duration. Burst tactics are typically used against gaming websites and service providers due to their sensitivity to service availability among their users. Timely or random bursts of high traffic can leave the targeted organization paralyzed causing a severe service disruption for its users.

Large-scale DDoS attacks and natural floods also have a significant impact on network providers who must deal with pipe saturations as massive volumetric attacks are directed at their clients. This kind of disruption typically leads to high latency and service degradation impacting additional enterprise customers of the ISP as the attack consumes provider resources.

As DDoS attacks increase in volume, they will continue to pose a threat not only to gaming operators, but for network providers as well.

The determination and systematic targeting of these services show how motivated attackers can be. Looking forward, one of the last major releases for the year, Battlefield V, will go live on November 20th. It’s expected that due to high demand, the release could experience latency and service degradation due to natural floods of users or worse, targeted by a series of DDoS attacks. The last release of Battlefield 1 on October 21 2016, was severally affected along with other major services that day by a denial of service attack that was launched against Dyn’s managed DNS infrastructure.

Since these attacks generally occur in sync with the launch of significant tournaments, maintaining and inspecting networks is necessary to defend against these types of attacks. For the online gaming industry and service providers, it’s critical to get into a pattern of auditing their systems ahead of major tournaments and releases so that there is plenty of time to review and make the necessary adjustments if needed to prevent service outages. Most attacks targeting the gaming industry can be forecasted and with proper planning you can ensure service availability for both you and your users.



While bots are a common tool of cybercriminals for carrying out DDoS attacks and mining cryptocurrencies, a recent report found they may also be indirectly increasing the price of your airline tickets.

Distil Research Lab’s Threat report, “How Bots Affect Airlines,” found the airline industry has unique cybersecurity challenges when dealing with bad bots, which comprise 43.9 percent of traffic on airlines websites, mobile apps, and APIs, which is more than double the average bad bot traffic across all industries in which only make up an average of 21.8 percent.

One European airline saw a whopping 94.58 percent of its traffic from bad bots, according to the report which analyzed 7.4 billion requests from 180 domains from 100 airlines internationally.

Cybercriminals launch bots to compromise loyalty rewards programs, steal credentials, steal payment information, steal personal information, carry out credit card fraud, and to launch credential stuffing attacks.

When threat actors infiltrates loyalty programs they can potentially shake customer confidence to the point where they no longer use the airlines.

“Once a customer has been locked out of their account by a criminal changing their password, the airline has a customer service problem to solve,” the report said. “The forensics to investigate what happened inside the account is time consuming and costly.”

Researchers added that the costs of reimbursements for the damages are also a negative impact of these bad bots.

The only industry which had a worse bot problem was the gambling industry with an average of 53.08 percent of its traffic coming from bad bots.

These malicious bots are working around the clock in the airline industry as their activity appears consistent every day throughout the week except Friday when there is a peak in traffic. The majority of the traffic comes from the USA as it’s responsible for 25.58 percent of bad bot traffic worldwide, followed by Singapore in second place with 15.21 percent, and China in third with 11.51 percent.

Researchers also learned that of the nearly 30 percent of the domains they reviewed, bad bots encompassed more than half of all traffic with 48.87 of bad bots reportedly using Chrome as their users’ agent.

Not all bots are evil however, some of the bots are used by travel aggregators such as Kayak and other online travel agencies to scrape prices and flight information or even competitive Airlines looking to gather up-to-the-minute market intelligence but even these can hassles.

Some of these unauthorized (OTAs) however may use bots to scrape prices and flight information seeking to gather ‘free’ information from the airline rather than pay for any associated fees by entering into any commercial arrangement requiring a service level agreement, researchers said in the report.

To combat the bad bots, researchers recommend airlines block or CAPTCHA outdated user agents/browsers, block known hosting providers and proxy servers which host malicious activity, block all access points, investigate traffic spikes, monitor failed login attempts, and pay attention to public data breaches.


The election race for the governorship of the state of Georgia promises to be tight, with current estimates showing that Democrat Stacey Abrams and Republican Brian Kemp are in a statistical dead heat. Unfortunately, Georgia is also one of five states that continue to use fully electronic voting with no verified paper ballot trails, raising the specter that, if inconsistencies arise, voters could lose confidence in the result.

Like many companies, the state is behind in implementing good cyber-security measures and having good visibilities over their assets and vulnerabilities. One example: Officials in the Kemp’s office—he is also Secretary of State in charge of elections—used an internet-connected computer to load memory cards containing the voting-system software, potentially giving attackers a pathway to compromise election machines. Over the weekend, the Democratic Party of Georgia pointed out critical vulnerabilities in the election website that Kemp’s office had ignored.

The fact that the all-electronic voting machines do not create paper ballots or some other way to audit the system means that such vulnerabilities could impact the vote, or at least voters’ confidence, Marian Schneider, president of the nonprofit Verified Voting, said during a press briefing on election issues.

“That is a huge risk of attack,” she said. “The takeaway here is, yes, it is a risk, it is not a certainty, [we] can’t get the risk down to zero, but [the problem is] if something happens, it will be very hard to detect and it will be impossible to recover from it.”

As Americans head to the polls this week, Georgia’s travails underscore the cyber-security complexities of conducting elections on a budget, but its efforts—and the efforts of other states—also hold lessons for companies. The threat landscape for elections differs from those faced by most companies but should underscore the multiple pathways to compromise that most companies face.

“There is one thing for sure—we can learn a lot from this election,” said Srinivas Mukkamala, CEO of RiskSense, a cyber-threat management firm. “Trust, misinformation, cyber-physical systems, and whether this is this a lot of FUD [fear, uncertainty and doubt] or are we trying to solve a real problem?”

While a lot of potential attacks are ones commonly seen by companies—such as phishing, denial-of-service and database-injection attacks, such as SQL-command injection—the threat landscape faced by election officials also demonstrates other, less popular methods of compromise.

Here are five lessons that companies can learn from the current election security landscape.

1. Trust is valuable, so disinformation is a danger.

In May, election officials in Knoxville, Tenn., faced a nightmare: Minutes before the primary election results would be posted online, a denial-of-service attack crashed the county’s server. While the issue did not affect election results, it did cause citizens to question whether the integrity of the election was compromised, according to a news report in Vox. Attackers also used the chaos to slip into the election tally system and view the code, according to the report.

Such attacks undermine trust in election systems, as does disinformation pushed through fake accounts on social media. The infrastructure for such propaganda is enormous: Twitter removed 90 million suspect accounts in May and June, a pace that seems to be continuing.

“When you go to a restaurant, you assume that the health department has been in there—you would not buy food by some person on a street corner because there is no sense of trust,” said Shawn Henry, president of services and chief security officer for cyber-security firm CrowdStrike. “But people are consuming media every day without knowing the source.”

Companies should look to their brand on social media to keep consumer trust in their products. In addition, service disruption should be considered as a significant risk. Attacks on both can undermine consumer confidence, Henry said.

2. Physical security is important.

At the DEFCON hacking convention in August, a group of voting-security activists taught kids techniques for hacking voting machines and tabulating systems. Among the problems found: A system used in 18 states could be hacked in two minutes by picking the lock and using a program to load malicious software onto the system.

“[I]t takes the average voter six minutes to vote,” stated a report on the results. “This indicates one could realistically hack a voting machine in the polling place on Election Day within the time it takes to vote.”

Companies need to worry about insiders having physical access to systems. Many adversaries will try to get someone hired into a company, use a contractor to gain access to sensitive areas or co-opt someone already working for a company, said CrowdStrike’s Henry.

“If you are looking at comprehensive nation-state programs, they are looking at the physical aspect,” he said. “That’s not speculation. It is happening.”

3. The most obvious hack is not the most dangerous.

Because election machines are, usually, not connected to the internet, many election officials consider them to be safe. As Georgia’s election officials learned, however, there are other ways to attempt to compromise such systems.

In a court case filed in 2017, voting-security experts revealed that sensitive information on Georgia’s registered voters had already been downloaded from a purportedly secure database, that officials in the Secretary of State’s office used an internet-connected computer to load memory cards containing the voting-system software, and that the voting machines could be hacked without even being connected to the internet by installing software onto the USB memory stick.

Yet, in September, a U.S. district court judge ruled that there was not enough time to fix the issues and so allowed Georgia to continue using the all-electronic systems.

Companies should conduct threat modeling exercises to identify overlooked avenues of attack. In addition, third-party suppliers and contractors need to be evaluated as potential sources of risk, said RiskSense’s Mukkamala.

“It is not just a need to understand your own systems—you have to understand your vendors and their systems,” he said. “The unfortunate situation is that most of the election vendors are not very sophisticated in cyber-security. Often, small third-party suppliers are similarly unsophisticated.”

4. Have a crisis plan.

Because misinformation and denial-of-service on election officials’ pages can undermine trust in election systems, officials need to have a crisis response plan in place. Having such a plan in place was the primary recommendation of the DEFCON Voting Village 2018 report, which pointed to the publication of false election results in Ukraine and distributed denial-of-service (DDoS) attacks on industry and election sites as potential threats.

“Organizational leaders should anticipate what conditions might be created by a cyber attack on their systems … and create a plan for how to communicate with the public and other stakeholders under such conditions,” the report recommended. “This plan should be part of a local or state government’s overall emergency planning.”

5. When nation-states are involved, organizations need help.

The May attack on Knox County election systems, the massive efforts of the Internet Research Agency in Russia, and continuing attacks and probes on states’ election systems underscore that nation-states are looking to disrupt U.S. elections and deepen the divides between parties.

Companies have dealt with similar attacks for at least a decade, but defending against such well-resourced attackers is difficult. Both election systems and businesses need government collaboration to better defend against such attacks, said CrowdStrike’s Henry.

“All organizations need to understand that there are nation-states that are interested in their information,” he said. “It also provides an asymmetrical threat. There are nations that can impact the U.S., and they don’t have the weaknesses that we have.”

With the latest evidence showing not just Russian operatives targeting the U.S., but also attackers from Iran and potentially China running their own operations, the U.S. government is doing more to protect election systems and companies.

“Our adversaries are trying to undermine our country on a persistent and regular basis, whether it’s election season or not,” Christopher Wray, director of the FBI, said in an August briefing on election security. “There’s a clear distinction between activities that threaten the security and integrity of our election systems and the broader threat from influence operations designed to influence voters. With our partners, we’re working to counter both threats.”


Kaspersky Lab has noticed an overall decline in the number of DDoS attacks this year, which may be due to many bot owners reallocating the computing power of their bots to a more profitable and relatively safe way of making money: cryptocurrency mining.

However, there is still a risk of DDoS attacks causing disruption, despite attackers not seeking financial gain.

The Kaspersky Lab DDoS Q3 report marked a continued trend in attacks aimed at educational organisations, as they open their doors after a long summer and students head back to school.

Attackers were most active during the third quarter in August and September, proven by the number of DDoS attacks on educational institutions increasing sharply at the start of the academic year.

This year, the most prominent attacks hit the websites of one of the UK’s leading universities – the University of Edinburgh – and the US vendor Infinite Campus, which supports the parent portal for numerous city public schools.

Analysis from Kaspersky Lab experts has found that the majority of these DDoS attacks were carried out during term time and subsided during the holidays.

More or less the same result was obtained by the British organisation Jisc.

After collecting data about a series of attacks on universities, it determined that the number of attacks fell when students were on holiday.

The number of attacks also decreases outside of study hours, with DDoS interference in university resources mainly occurring between 9am and 4pm.

Overall, between July and September, DDoS botnets attacked targets in 82 countries.

China was once again first in terms of the number of attacks.

The US returned to second after losing its place in the top three to Hong Kong in Q2.

However, third place has now been occupied by Australia – the first time it’s reached such heights since Kaspersky Lab DDoS reports began.

There have also been changes in the top 10 countries with the highest number of active botnet C&C servers.

As in the previous quarter, the US remained in first place, but Russia moved up to second, while Greece came third.

Kaspersky DDoS protection business development manager Alexey Kiselev says, “The top priority of any cybercriminal activity is gain.

“However, that gain doesn’t necessarily have to be financial. The example of DDoS attacks on universities, schools and testing centres presumably demonstrates attempts by young people to annoy teachers, institutions or other students, or maybe just to postpone a test.

“At the same time, these attacks are often carried out without the use of botnets, which are, as a rule, only available to professional cybercriminals, who now seem to be more concerned with mining and conducting only well-paid attacks.

“This sort of ‘initiative’ shown by students and pupils would be amusing if it didn’t cause real problems for the attacked organisations which, in turn, have to prepare to defend themselves against such attacks,” Kiselev says.


Servers for Square Enix Co.’s popular online game “Final Fantasy XIV” has been hit by a series of cyberattacks since early October, preventing some users from accessing the service, its publisher said Thursday.

The distributed denial of service (DDoS) attacks, in which multiple hacked computers are used to flood the target system, were carried out to an “unprecedented extent” against data centers in Japan, North America and Europe, Square Enix said.

The identities of the attackers are not yet known, although information security experts suspect links to cheap online services that carry out so-called DDoS attacks.

Two major attacks in early October and late October prevented game players from logging in to the service or cut off their connections for up to 20 hours, according to the company.

Square Enix has taken steps against the attacks but the servers were attacked again Tuesday night, disrupting the service for some 50 minutes.

“FFXIV” had previously been subjected to DDoS attacks. A study by a U.S. internet company has showed that some 80 percent of DDoS attacks worldwide are targeted at game services.

“The attacks may have been carried out by people who commit the offense for pleasure, hold a grudge against the company or seek money,” said Nobuhiro Tsuji, an information security expert.

“The attacks have extended over a long period, and, while it is costly, there is no choice but to boost countermeasures,” the expert at SoftBank Technology Corp. said.

In 2014, a high school student in Kumamoto Prefecture was found to have used an online DDoS attack service to disrupt a different game company’s operations after he became frustrated with the way the game services were managed. He was referred to prosecutors the same year.