New releases in the online gaming industry are highly anticipated events. Millions of gamers anxiously waiting to leap onto a shiny new game service is an irresistible target for hackers—with bragging rights being the prize. But for the gaming companies, suffering a DDoS attack is a disaster with immediate loss of revenue, mitigation costs and long-term consequences for their brand. Fortunately, new approaches to security based on multi-dimensional analytics and traffic modeling using big data are changing how this game is played.
The DDoS danger
Global gaming companies build excitement with big, heavily-marketed release dates. This brings millions of players online at the exact same time. During these traffic surges, gaming companies also see a surge of distributed denial of service (DDoS) attacks. Being able to surgically shut down the attacks without disrupting service is critical.
Successful DDoS attacks can have immediate revenue implications, but more importantly, they hurt their customer base—and even a small number of grumpy gamers can do a lot of damage to the brand online. Growing the player base is essential for having a healthy game launch, especially in the highly competitive gaming industry. So losing customers due to an inaccessible service or bad PR can have serious consequences for any game — just look at Diablo 3, which took years to recover from its self-inflicted “Error 37” fiasco.
Gaming companies generally operate worldwide, serving millions of users. To avoid latency, they distribute their platforms across multiple region-based servers. DDoS attacks can hit all or some of these servers concurrently, or can focus on different layers of the service to weaken it to the point of being unusable.
A multi-vector attack might, for instance, use hijacked Internet of Things (IoT) devices reprogrammed to participate in the attack as well as hundreds of cloud servers with 10 Gbps uplinks to launch a simultaneous TCP/IP attack, as occurred in last year’s infamous Dyn attack.
The outdated defense
Hardware mitigation solutions were not designed for the cloud and IoT era and are, unfortunately, too simplistic to keep up with these types of sophisticated threats.
When gaming companies suffer these DDoS attacks, the current common defense is to backhaul all traffic suspected of carrying the attack to a scrubbing center, where racks of purpose-built mitigation machines clean it in a single pass. Attack detection starts with a baseline measure of what constitutes “normal” and then looks for anomalies, such as sudden large spikes in traffic. The affected traffic is then re-directed and backhauled to the scrubbers.
There is nothing elegant about this approach; it is slow and it suffers from a lot of false positives, meaning the unnecessary backhauling of large amounts of uninfected traffic. The detection hardware lacks the raw compute power required to perform the additional analytics needed to separate out the false positives. And, as the scale of DDoS attacks escalates, these inefficiencies become increasingly costly to gaming companies, since the system has to spend resources fighting phantom attacks, instead of identifying and dealing with other attack vectors.
A more efficient solution
A more elegant and faster approach exists using software-based multi-dimensional analytics, which make detection more precise. These systems combine real-time network telemetry with advanced network analytics and other data such as DNS and BGP (among others) to see down to the source of attack traffic in real time.
Multi-dimensional analytics provide visibility into cloud applications and services and can instantly identify where the traffic is originating, determining whether it is friend or foe. Additionally, big data approaches to traffic modeling can help compare a potential event to past attack profiles and be more precise about what degree of variability from ‘normal’ is OK.
Armed with this kind of analysis, it becomes possible to create simple, effective filters at the peering edge of the network for the zombie PCs, IoT devices and/or cloud servers that are carrying out the attack. The offending traffic doesn’t have to be sent to the scrubbers; it is simply blocked at the edge. And every vector of the attack can be identified, pinpointing the attack endpoints and allowing for surgically precise mitigation. The ability to identify the endpoints of the attack in real-time means that rapidly changing attack vectors can also be identified and counteracted as the attackers attempt to play cat and mouse with network security operations.
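The contrast drawn above, between a single-dimension volume baseline that flags every spike and a per-source breakdown that separates a launch-day surge from an attack and yields edge filters, is illustrated by the following added example. It is not code from the article or from Nokia Deepfield: the flow records, the game port 3074, the thresholds and the rule syntax are all constructed for illustration.

```python
"""Added example: a toy flow-telemetry analyzer (constructed data, not a real
product). It shows why a volume-only baseline raises false positives on a
launch-day surge, and how a per-source/per-flag breakdown of the same minute
tells a legitimate surge from a SYN flood and produces per-source edge rules."""
from collections import Counter
from statistics import mean, pstdev

BASELINE_MINUTES = range(10)  # minutes 0-9 establish "normal"
GAME_PORT = 3074              # constructed game-service port (assumption)


def make_flows():
    """Constructed flow records: (minute, src_ip, dst_port, tcp_flags, packets)."""
    flows = []
    for minute in BASELINE_MINUTES:
        for i in range(50):  # 50 steady players, full handshakes ("SA")
            flows.append((minute, f"203.0.113.{i}", GAME_PORT, "SA", 20 + i % 5))
        # a little minute-to-minute jitter so the baseline has non-zero spread
        flows.append((minute, "203.0.113.200", GAME_PORT, "SA", 5 + 30 * (minute % 4)))
    for i in range(200):   # minute 10: launch surge, 200 distinct real players
        flows.append((10, f"198.51.100.{i}", GAME_PORT, "SA", 25))
    for i in range(5000):  # minute 11: SYN flood from five hosts, one packet per flow
        flows.append((11, f"192.0.2.{i % 5}", GAME_PORT, "S", 1))
    for i in range(50):    # ...while the steady players are still playing
        flows.append((11, f"203.0.113.{i}", GAME_PORT, "SA", 20))
    return flows


def packets_per_minute(flows):
    totals = Counter()
    for minute, _src, _port, _flags, packets in flows:
        totals[minute] += packets
    return totals


def volume_threshold(flows, sigma=3.0):
    """The legacy single-dimension detector: mean + sigma * stdev of baseline volume."""
    totals = packets_per_minute(flows)
    baseline = [totals[m] for m in BASELINE_MINUTES]
    return mean(baseline) + sigma * pstdev(baseline)


def flagged_minutes(flows):
    """Minutes whose total volume exceeds the baseline threshold (spike detector)."""
    threshold = volume_threshold(flows)
    totals = packets_per_minute(flows)
    return sorted(m for m, total in totals.items()
                  if m not in BASELINE_MINUTES and total > threshold)


def profile_minute(flows, minute):
    """Per-source and per-flag breakdown of one minute's traffic."""
    per_source = Counter()
    syn_only = 0
    total = 0
    for m, src, _port, flags, packets in flows:
        if m != minute:
            continue
        per_source[src] += packets
        total += packets
        if flags == "S":  # bare SYN, no handshake completion
            syn_only += packets
    top5 = sum(p for _, p in per_source.most_common(5))
    return {
        "total": total,
        "distinct_sources": len(per_source),
        "top5_share": top5 / total if total else 0.0,
        "syn_only_share": syn_only / total if total else 0.0,
        "per_source": per_source,
    }


def classify(profile, concentration=0.5, syn_ratio=0.8):
    """Attack if volume is concentrated in a few sources or dominated by bare SYNs;
    a launch-day surge is spread across many sources with normal handshakes."""
    if profile["top5_share"] > concentration or profile["syn_only_share"] > syn_ratio:
        return "attack"
    return "legitimate surge"


def edge_filters(flows, minute, source_share=0.05):
    """Per-source block rules (illustrative syntax, not a real ACL dialect) for
    sources carrying more than `source_share` of an attack minute's packets."""
    profile = profile_minute(flows, minute)
    if classify(profile) != "attack":
        return []
    total = profile["total"]
    return [f"deny tcp from {src} to any port {GAME_PORT}"
            for src, packets in profile["per_source"].most_common()
            if packets / total > source_share]


if __name__ == "__main__":
    flows = make_flows()
    for minute in flagged_minutes(flows):
        profile = profile_minute(flows, minute)
        print(f"minute {minute}: {classify(profile)}, "
              f"{profile['distinct_sources']} sources, rules={edge_filters(flows, minute)}")
```

Run as-is, the volume detector flags both minute 10 and minute 11, which is the false-positive problem: backhauling minute 10 would scrub 200 real players. The breakdown clears minute 10 (many sources, no bare SYNs) and produces five per-source rules for minute 11, leaving the steady players' traffic untouched.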
This is a high stakes game that is escalating with the spread of inexpensive, insecure cloud services (<10 GB) and IoT devices. DDoS botnets have evolved beyond infecting PCs and now use IoT devices and Linux servers in the cloud. This new arsenal of weapons is giving hackers a completely different level of power than they’ve had before.
Fortunately, software security solutions built around deep network analytics and big data techniques are also game changers. Gaming companies that have adopted them can meet these threats with confidence and, for now, hold the winning approach.
Naim Falandino is Chief Scientist at Nokia Deepfield with expertise in real-time analytics, machine learning, and information visualization.