10 November 2022
How to increase the stability of gaming services against DDoS attacks
It often happens that customers of DDoS protection services believe that simply connecting to such a service makes them fully protected. Unfortunately, this is not quite true: DDoS protection is neither magic nor a superpower, and for it to work effectively the protected services themselves must have sufficient immunity to DDoS risks.
We call this immunity “protectability”: the property of an Internet resource that allows it to be made resistant to DDoS attacks with a minimal investment of money, time and effort.
In this article we discuss how to increase the protectability of gaming services that actively use the TCP and UDP protocols. Note right away that almost everything said here also applies to many other online services where interaction with users happens as close to real time as possible. In particular, our recommendations will help protect Internet of Things (IoT) and Industrial Internet of Things (IIoT) services that run over TCP and UDP.
Specifics of service protection
Gaming services are usually complex, multi-component software systems, and that complexity is often the unavoidable reason for the numerous vulnerabilities found in them. It can be hard to enumerate every relevant cyber risk and build reliable protection against all of them.
To interact with clients quickly, online games mostly use the UDP and TCP protocols, which creates extra difficulties for anti-DDoS providers. In particular, not all of them are able to filter UDP traffic: some providers simply drop all UDP traffic when they detect an attack, without even trying to separate the illegitimate part from the legitimate part.
Choosing a reliable anti-DDoS provider is therefore crucial for protecting gaming services. Make sure the provider is able to filter the service's actual traffic, including UDP (if UDP is used).
What is a "good" service and what is a "bad" service, or how the architecture of a service affects its resistance to DDoS attacks
Let us first give two examples of gaming services whose resistance to DDoS risks differs greatly depending on the architecture chosen in the design phase.
The first example, a "bad" service, is an online game built on UDP. Both the game's website and the game server software are located on the same IP address. On every user request, the website's backend queries the game server and its own database to calculate the “players online” statistics. To make the gaming service unavailable, an attacker can sign up as a legitimate user, capture and analyze the traffic, find patterns in it, and then reproduce a sequence of packets that looks like a legitimate one. When the attacker's botnet starts generating such fake requests automatically, the gaming service first spends a significant part of its capacity processing them, and shortly afterwards is completely overwhelmed by the greatly increased traffic and becomes unavailable. The website goes down with it: because the game server is slow or not responding at all, the website's backend cannot complete its queries for the online statistics, its requests pile up, and the process queue on the hosting overflows.
The question is: how easy is it for an anti-DDoS provider to separate the traffic simulated by the attacker from the traffic of legitimate users of this game? Probably not easy, because the attacker will try to produce a completely plausible sequence of packets. Such "fake" traffic can only be separated from legitimate traffic if the activity of individual bots is very high, in which case it becomes clear that it was generated by a bot and not by a person. But the attacker can easily sidestep this: to take down the gaming service, each bot does not need to generate a lot of traffic; it is enough to have many bots, each of which keeps its activity within the range of a normal user.
Now let us imagine another gaming service that demonstrates the basics of a "good" approach with high resistance to DDoS attacks. The main components of this game are implemented separately: a website, a user authorization service and a server application. The website and the authorization service use HTTPS. The server application works in a more sophisticated way. Each user gets its own set of IP addresses, drawn from a pool of addresses that, first, are not consecutive and, second, belong to different subnets. The client application establishes TCP connections to several of these addresses at once and, when some of them become unavailable, switches to the others. To confirm that a connection really belongs to a given client, the authorization token and the source IP address of the client are checked each time the (mobile) client application connects.
With such a scheme it is very difficult for an attacker who does not know the implementation details of the game to disrupt it with a DDoS attack; in particular, it is hard for the attacker to imitate normal activity.
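As an added illustration of the "good" service (example code written for this article, not the service's own implementation), the following Python sketch shows the two server-side pieces: a per-client endpoint set drawn from a pool that is non-consecutive and spread over several subnets, and an authorization token bound to the client's source IP, so that a token captured or shared from another address is useless. The pool addresses are from the RFC 5737 documentation ranges, and SERVER_KEY, TOKEN_TTL and the client names are assumptions.

```python
"""Per-client endpoint sets plus IP-bound session tokens (constructed example)."""
import hashlib
import hmac
import ipaddress
import time

# Constructed pool: two non-adjacent hosts in each of three different /24 subnets.
ENDPOINT_POOL = [
    "192.0.2.17", "192.0.2.130",
    "198.51.100.9", "198.51.100.200",
    "203.0.113.44", "203.0.113.251",
]
SERVER_KEY = b"constructed-server-secret"  # assumption: kept in a KMS/HSM in production
TOKEN_TTL = 3600                           # seconds a token stays valid


def assign_endpoints(client_id, pool=ENDPOINT_POOL, n=3):
    """Pick up to n addresses for this client, one per subnet, so that an attack
    on one subnet leaves the client with working alternatives. The choice is keyed
    with SERVER_KEY: stable for the client, not enumerable by outsiders."""
    seed = hmac.new(SERVER_KEY, client_id.encode(), hashlib.sha256).digest()
    by_subnet = {}
    for addr in pool:
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        by_subnet.setdefault(net, []).append(addr)
    # Order the subnets pseudo-randomly per client, then take one host from each.
    ranked = sorted(by_subnet.items(),
                    key=lambda kv: hmac.new(seed, str(kv[0]).encode(), hashlib.sha256).digest())
    chosen = []
    for i, (_net, hosts) in enumerate(ranked[:n]):
        chosen.append(hosts[seed[i] % len(hosts)])
    return chosen


def issue_token(client_id, client_ip, now=None):
    """Issued by the authorization service (over HTTPS) after login: binds the
    client id and its source IP to an expiry time with an HMAC."""
    now = int(time.time()) if now is None else now
    expiry = now + TOKEN_TTL
    body = f"{client_id}|{client_ip}|{expiry}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{body}|{tag}"


def check_connection(token, src_ip, dst_ip, now=None):
    """Run by the game server on every new TCP connection. Accepts only if the
    token is genuine and unexpired, was issued for this source IP, and the client
    is connecting to one of the endpoints assigned to it."""
    now = int(time.time()) if now is None else now
    try:
        client_id, ip, expiry, tag = token.split("|")
        expiry = int(expiry)
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, f"{client_id}|{ip}|{expiry}".encode(),
                        hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(tag, expected):
        return False
    if expiry <= now or ip != src_ip:
        return False
    return dst_ip in assign_endpoints(client_id)
```

Because the endpoint choice is derived from a server secret, an attacker who registers one account learns only his own three addresses; the IP binding means that replaying another player's token from a botnet node fails before any game logic runs.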
What needs to be done in the design phase of an online game
How resilient or vulnerable an online game is to cyber risks is largely determined in its design phase. We therefore recommend that those who are just starting to develop an online game address cybersecurity carefully in the early stages of development. It is extremely useful to work closely with information security experts and DDoS protection specialists at that point.
To increase the security of a gaming service, we recommend considering the following points.
1. When developing the protocol by which the online game interacts with its users, build in ways to accurately distinguish legitimate sessions from fake ones. Ideally the protocol should also contain markers or non-obvious rules from which it can be determined unambiguously whether a given user and a given session are legitimate. Keep in mind that a fixed marker only helps until the attacker reverse-engineers the client, so it is better to derive the marker from a per-session secret (for example a keyed checksum over each packet) than to rely on obscurity alone. The interaction protocol and the resulting packet filtering rules must be carefully documented and handed over to the anti-DDoS provider so that it can separate legitimate traffic from what the attacker's bots generate.
2. Already in the design phase, provide as many ways as possible to hide the real IP addresses through which authorized users access the game from unauthorized clients; this significantly limits an attacker's ability to launch a DDoS attack. One of our customers solved this by introducing a "hierarchy" of users in their gaming service: once a player reached level 20, they were assigned a new game server IP address. The calculation was that an attacker is likely to be limited to the IP address assigned to him after the initial authorization and is unlikely to play through many levels of the game. Thanks to this solution, the most loyal players did not notice DDoS attacks on the gaming service at all.
3. Do not hard-code into the program code the IP addresses used to reach the gaming service or other Internet resources. Anti-DDoS providers usually give their customers new IP addresses (the provider's own) through which traffic is to be routed. If the old addresses turn out to be hard-coded, replacing them with the addresses assigned by the anti-DDoS provider becomes very problematic. It makes more sense to use DNS names, with a reasonably short TTL so that a change of address propagates quickly.
4. Avoid strong dependencies between the gaming service's server components, and between them and other software systems such as the DBMS. Otherwise, if one component becomes unavailable as a result of an attack, the others, having no way to interact with it, may fall into a "stupor" or crash, which users will of course perceive very negatively. Components must be able to keep operating normally (for example with timeouts and a degraded mode) when other components of the gaming service stop responding to requests.
5. Duplicate access to the online game's functions as much as possible through different IP addresses in different subnets. This reduces the probability that the entire gaming service fails at once: if an attack hits some of the IP addresses, the service can continue to serve the users connected to the others.
Although UDP is more convenient for online games, from the point of view of DDoS protection it makes more sense to rely on TCP, since attacks over TCP are easier to repel. As noted above, interaction sessions over UDP are quite easy to spoof, which gives attackers many opportunities for targeted attacks. If you still have to use UDP, at least provide a unique authorization mechanism that the anti-DDoS provider can use to tell legitimate clients from illegitimate ones, for example pre-authorization over TCP: the client first authenticates over a TCP connection and only then is admitted to the UDP data path.
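The following Python example (added here; it is not any game's protocol) puts point 1 and the pre-authorization idea together. The client logs in over TCP and receives a session id and session key; every UDP datagram then carries a short keyed tag, and a stateless filter, which can sit at the anti-DDoS provider if it is given FILTER_KEY, verifies the tag and a monotonic sequence number without knowing anything about the game logic. Packet layout, MAGIC, key values, the DEMO_USERS table and the password hashing are all constructed assumptions (use a real password hash and TLS for the login step).

```python
"""Pre-authorization over TCP plus per-packet HMAC tags on UDP (constructed example)."""
import hashlib
import hmac
import secrets
import struct

MAGIC = b"GM"                    # constructed protocol marker
TAG_LEN = 8                      # truncated HMAC: enough to reject floods, not a substitute for DTLS
HEADER = struct.Struct("!2sIQ")  # magic, session id, sequence number (14 bytes)
FILTER_KEY = b"constructed-filter-key-shared-with-the-provider"
# Constructed user table: username -> sha256(password). Use argon2/bcrypt in production.
DEMO_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def session_key(session_id):
    """Derive the per-session key from FILTER_KEY and the session id, so the
    filter keeps no key table: it re-derives the key from the packet header."""
    return hmac.new(FILTER_KEY, struct.pack("!I", session_id), hashlib.sha256).digest()


def authorize_over_tcp(username, password, users=DEMO_USERS):
    """Stand-in for the TCP/HTTPS login step. Returns (session_id, session_key)
    or None. A bot that cannot log in never obtains a key and therefore cannot
    produce a single UDP packet the filter will accept."""
    stored = users.get(username)
    given = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, given):
        return None
    sid = secrets.randbits(32)
    return sid, session_key(sid)


def build_packet(session_id, key, seq, payload):
    """Client side: header + payload + truncated HMAC over both."""
    body = HEADER.pack(MAGIC, session_id, seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class PacketFilter:
    """Edge filter: constant-time tag check, then a per-session monotonic sequence
    number so that a captured legitimate packet cannot simply be replayed in bulk."""

    def __init__(self):
        self._last_seq = {}

    def accept(self, datagram):
        if len(datagram) < HEADER.size + TAG_LEN:
            return False
        magic, sid, seq = HEADER.unpack_from(datagram)
        if magic != MAGIC:
            return False
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(session_key(sid), body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False
        if seq <= self._last_seq.get(sid, -1):
            return False
        self._last_seq[sid] = seq
        return True
```

What the provider gets from you is then a two-line filtering rule (layout plus FILTER_KEY) rather than a description of the whole game. Note what this does and does not buy: a spoofed or replayed packet is dropped before it reaches the game server, but a bot that can log in still gets a valid session, so per-session rate limits and the ability to revoke sessions remain necessary.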
Audit the application and its security, assess the need for DDoS protection and plan its development
If an online game is already in production, its architecture and operation need to be carefully studied and documented; this helps the anti-DDoS provider understand how best to build the protection. In addition, it is very useful to audit the gaming service's information security to identify its vulnerabilities and understand how to deal with them.
The information obtained from the audit helps in planning the implementation and further development of the DDoS protection. It is very important to cover all components of the gaming service: the IP addresses it uses, its ports and every other resource reachable from outside. Comprehensive, complete coverage is one of the most important conditions for the protection to be effective.
A roadmap helps define the sequence in which comprehensive DDoS protection is built. It should reflect the most important steps for increasing the gaming service's stability against DDoS risks: connecting anti-DDoS services and then progressively strengthening the protection. It is important that the roadmap takes into account not only the plans for developing the game, but also the current picture of cyber risks and how it is changing. If the gaming service is part of a larger IT landscape (for example, it is owned by a gaming or media holding company), the roadmap and the plans for developing the service must be coordinated and aligned with the information security strategy of the operating organization.
And of course, if the gaming service uses not only transport layer protocols (L4 in the OSI model) but also application layer protocols (L7) such as HTTP/HTTPS, you need to make sure that the anti-DDoS service protects traffic at both L3/L4 and L7. We also recommend using at least two DNS services, at least one of which is itself protected against DDoS attacks; this measure further increases the gaming service's stability against DDoS risks.
Provide the anti-DDoS provider with clear options for filtering attacks
The main function of an anti-DDoS service is to filter traffic, i.e. to block the illegitimate portion of it and let the legitimate traffic pass unimpeded. To make this possible, the anti-DDoS provider must know exactly which signs it can use to decide whether traffic is legitimate or not, and it is the service owner who has to give the provider that ability.
Ideally, as mentioned above, the means of filtering DDoS attacks should be envisioned and defined in the design phase of the game and then documented in detail. For an already operating gaming service, take the time (preferably together with the anti-DDoS provider) to document in detail the rules and procedure of the service's interaction with its users, and then, after analysis, define the traffic filtering rules.
For an anti-DDoS provider it is very important that the filtering rules allow illegitimate traffic to be identified and blocked accurately enough that legitimate traffic is not lost along with it. Some gaming services offer a pre-authorization procedure to verify that users are legitimate: traffic from clients that successfully pass this authorization is considered legitimate. However, to get around such protection an attacker only needs to learn how to get their bots authorized, so pre-authorization alone raises the cost of an attack but does not rule one out. Other, more advanced gaming services have a set of rules for interacting with legitimate users that not only make it possible to determine unambiguously whether a particular client is legitimate, but also make it very difficult to simulate legitimate traffic that an attacker could use for a targeted attack.
Some professional anti-DDoS providers use machine learning to perform behavioural analysis and build a model of the gaming service's normal interaction with its users; activity that deviates noticeably from the normal model is blocked automatically.
Prepare information for an anti-DDoS provider
After collecting information about how the gaming service operates, attach the results of its information security audit and the packet filtering rules, and submit all of this to the anti-DDoS provider. For online games that do not use UDP, the list of important details coincides with the requirements for DDoS protection of applications running over HTTP/HTTPS, which we describe in a separate article.
When protecting online games that use UDP, it is also important for the anti-DDoS provider to know which services run on which ports, whether ready-made protection profiles exist for them, how relevant those profiles are to the current version of the game, and whether they need to be modified. If there are no ready-made profiles, or the existing ones need to be corrected and verified, the provider captures the traffic at a time agreed with the game owner (for example, during the period of lowest player activity), analyzes it, draws conclusions and creates a protection profile if there was none, or verifies the existing one.
To repeat, just in case: not all anti-DDoS providers are able to filter UDP traffic, and some simply block UDP altogether during an attack. Some commit to filtering only certain UDP-based protocols. It is therefore very important to check with the provider whether they can filter UDP traffic at all and, if so, whether they will handle the filtering of your gaming service's traffic specifically. StormWall, for example, has extensive experience protecting online games from DDoS attacks and successfully configures its services for a variety of UDP-based communication protocols.
Hide from the attacker as much information about your gaming service as possible
A sufficiently experienced attacker will study a gaming service before attacking it. First of all, he will try to find the real IP addresses of its key components and launch a DDoS attack on them directly. Swapping the published IP addresses for those of the anti-DDoS provider, which is done when the service is connected, will not protect against this on its own, because the original IP addresses of Internet resources can often be found with tools freely available on the Internet (for example, historical DNS records). Real IP addresses can also show up in the headers of e-mail messages (the Received: headers added by SMTP servers) when the service sends notifications to users. Care should be taken that the real IP addresses are not exposed in outgoing mail, through open ports or through other services.
Also, once the protection is connected, open access to the online game only through the IP addresses provided by the anti-DDoS provider and block access to all other IP addresses of the gaming service by configuring the firewall properly, so that an attacker cannot reach the game through unprotected addresses.
It is also worth hiding, where possible, even the information that would let an attacker judge how successful the attack was, i.e. whether the gaming service or its components were actually made unavailable.
Disable unused services and close unneeded ports
A competently conducted information security audit of your gaming service will show which Internet services and ports are used and which are not. Those not involved in the operation of the game must be disabled or blocked so that they cannot be used as a way in. Otherwise, an attacker can scan for them, identify them and launch a DDoS attack on the gaming service through them.
Do not wait for an attack: scan the ports of the server hosting your gaming service to identify all open ports and close the unused ones. And to reliably block access to all open IP addresses and ports that bypasses the protection, we strongly recommend using a firewall.
We also recommend making sure that open ports that do require external access (e.g. SSH or SMTP) do not give away information about your gaming service or its domain in their service banners (the host or domain name is often included in banners by default). If attackers learn that an open port on some server belongs to your gaming service, they are likely to investigate its domain, identify the IP addresses your service uses and launch a targeted DDoS attack against them. You can check what a banner contains by connecting to the port with telnet or netcat. The banner text is changed in the service's configuration files (for example, the smtpd_banner parameter in Postfix).
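The two leak paths described above (origin addresses in outgoing mail, and host or domain names in service banners) can be checked offline with a small script. The following Python example is added for this article and is not a tool from the page's author: it pulls every public IP out of the Received: headers of a message the service sent and reports those that are not inside the anti-DDoS provider's prefixes, and it flags banners that mention the game's own names. The sample headers, banners, prefixes and the example-game.test name are constructed; grab_banner() is included for live checks against your own hosts.

```python
"""Origin-IP and banner leak checks (constructed example data)."""
import ipaddress
import re
import socket

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Addresses that can never be a public origin. ipaddress.is_private is deliberately
# not used: it would also hide the RFC 5737 documentation ranges used in this sample.
NONPUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample: a notification sent by the game's own mail server, whose
# public address 203.0.113.25 is NOT behind the anti-DDoS provider.
SAMPLE_HEADERS = (
    "Received: from mail.example-game.test (mail.example-game.test [203.0.113.25])\n"
    "\tby mx.player-mail.test with ESMTPS id 4N7abc\n"
    "\tfor <player@player-mail.test>; Thu, 10 Nov 2022 10:00:00 +0000\n"
    "Received: from [10.0.0.5] (helo=game-web)\n"
    "\tby mail.example-game.test with esmtp (Postfix)\n"
    "From: noreply@example-game.test\n"
    "Subject: Your match is ready\n"
)
SAMPLE_BANNERS = {
    ("203.0.113.25", 25): "220 mail.example-game.test ESMTP Postfix",
    ("203.0.113.25", 22): "SSH-2.0-OpenSSH_8.9p1",
}


def _unfold(raw_headers):
    """Join folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for raw in raw_headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines


def leaked_origin_ips(raw_headers, provider_prefixes):
    """Public addresses in Received: headers that are not the provider's."""
    nets = [ipaddress.ip_network(p) for p in provider_prefixes]
    leaks = set()
    for line in _unfold(raw_headers):
        if not line.lower().startswith("received:"):
            continue
        for m in IPV4.finditer(line):
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue
            if any(ip in n for n in NONPUBLIC) or any(ip in n for n in nets):
                continue
            leaks.add(str(ip))
    return sorted(leaks)


def banner_mentions(banner, sensitive_names):
    """Game host or domain names that appear in a service banner."""
    low = banner.lower()
    return [n for n in sensitive_names if n.lower() in low]


def grab_banner(host, port, timeout=3.0):
    """Live check: what a service announces before any authentication."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            return sock.recv(256).decode("latin-1", "replace").strip()
        except socket.timeout:
            return ""


def audit(raw_headers, banners, provider_prefixes, sensitive_names):
    """Both checks in one report; banners are keyed by host:port."""
    leaky = {}
    for (host, port), banner in banners.items():
        hits = banner_mentions(banner, sensitive_names)
        if hits:
            leaky[f"{host}:{port}"] = hits
    return {"leaked_ips": leaked_origin_ips(raw_headers, provider_prefixes),
            "leaky_banners": leaky}
```

In the sample, the SMTP banner names the game's domain and the first Received: header exposes 203.0.113.25, so anyone who receives a notification mail can find an address that bypasses the provider; the fix is to send mail through a relay that is not co-located with the game and to change the banner.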
Optimize server components
As mentioned earlier, latency is critical for online games, so it is very important that they have some capacity headroom. This helps them survive the onset of a DDoS attack and minimize delays while a small amount of illegitimate traffic has not yet been filtered out by the anti-DDoS provider. Note that even 1% of the traffic of a strong attack getting through can have a very noticeable effect on the gaming service.
There are two main ways to increase performance. The first is to optimize the game service and the platform on which it is deployed (if you have direct access to the platform). Start by analyzing the operating system's network stack and make sure that the network card's interrupts are distributed across different processor cores, distributing them manually if necessary (on Linux, /proc/interrupts shows which core handles each NIC queue and /proc/irq/<n>/smp_affinity sets it; if you set the affinity by hand, stop irqbalance so that it does not override your settings). This spreads the load more evenly across the cores.
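As an added example of the interrupt check (written for this article, not a tool from the page's author), the Python below parses a /proc/interrupts snapshot, measures how much of the NIC's interrupt load lands on the busiest core, and produces a round-robin smp_affinity plan with one queue per core. The snapshot is constructed: four eth0 queues whose interrupts all land on CPU0, which is exactly the imbalance the paragraph warns about. The interface name eth0 is an assumption, apply_plan() needs root, the masks assume at most 32 CPUs (larger systems use comma-separated 32-bit words), and irqbalance must be stopped beforehand or it will overwrite the masks.

```python
"""Diagnose and plan NIC interrupt affinity from /proc/interrupts (constructed snapshot)."""
import re

SAMPLE_PROC_INTERRUPTS = """\
           CPU0       CPU1       CPU2       CPU3
  24:    1234567          0          0          0   PCI-MSI 524288-edge      eth0-TxRx-0
  25:    1200000          0          0          0   PCI-MSI 524289-edge      eth0-TxRx-1
  26:    1100000          0          0          0   PCI-MSI 524290-edge      eth0-TxRx-2
  27:    1000000          0          0          0   PCI-MSI 524291-edge      eth0-TxRx-3
  28:        100        100        100        100   PCI-MSI 32768-edge       ahci[0000:00:1f.2]
 NMI:          0          0          0          0   Non-maskable interrupts
"""


def parse_interrupts(text, nic):
    """Return (ncpu, {irq: [per-cpu counts]}) for numbered IRQ lines whose
    description contains `nic` (one line per RSS queue on multi-queue cards)."""
    lines = text.splitlines()
    ncpu = len(lines[0].split())
    rows = {}
    pattern = re.compile(r"\s*(\d+):\s+((?:\d+\s+){%d})(.*)$" % ncpu)
    for line in lines[1:]:
        m = pattern.match(line)
        if not m or nic not in m.group(3):
            continue
        rows[int(m.group(1))] = [int(c) for c in m.group(2).split()]
    return ncpu, rows


def busiest_cpu_share(text, nic):
    """Fraction of the NIC's interrupts handled by the single busiest CPU
    (1.0 means every queue is serviced by one core)."""
    _, rows = parse_interrupts(text, nic)
    if not rows:
        return 0.0
    per_cpu = [sum(col) for col in zip(*rows.values())]
    total = sum(per_cpu)
    return max(per_cpu) / total if total else 0.0


def plan_affinity(text, nic, cpus=None):
    """Round-robin the NIC queues over `cpus` (default: all CPUs). Returns
    {irq: hex mask} in the format /proc/irq/<n>/smp_affinity expects."""
    ncpu, rows = parse_interrupts(text, nic)
    cpus = list(range(ncpu)) if cpus is None else cpus
    return {irq: format(1 << cpus[i % len(cpus)], "x")
            for i, irq in enumerate(sorted(rows))}


def apply_plan(plan):
    """Write the masks (root required); re-read /proc/interrupts afterwards to verify."""
    for irq, mask in plan.items():
        with open(f"/proc/irq/{irq}/smp_affinity", "w") as fh:
            fh.write(mask + "\n")


if __name__ == "__main__":
    with open("/proc/interrupts") as fh:
        snapshot = fh.read()
    print(f"busiest core share: {busiest_cpu_share(snapshot, 'eth0'):.0%}")
    print(plan_affinity(snapshot, "eth0"))
```

A share close to 1.0 on a multi-queue card means RSS is configured but every queue's interrupt is pinned to one core; spreading the queues is usually the cheapest capacity gain available before buying hardware.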
The second method, which usually involves additional costs, is to move to more powerful (ideally dedicated) servers, physical or virtual. To do this you can scale up or upgrade the existing servers, or buy or rent new ones. It is also very useful to provide redundancy of resources: computing and network equipment, as well as Internet connectivity.
A more even distribution of the available address pool among service components, and among clients, also reduces the probability of failure when one or more IP addresses are attacked. In addition, it is desirable to provide multiple access points to the gaming service: if one of the "access IP addresses" is attacked, another address can quickly be published in the DNS records. The same applies to the IP addresses handed out to clients: if some of them are attacked, other addresses can be issued to the clients, of course only after the clients have been reliably authenticated (for example with tokens).
Connect protected DNS services
We have already mentioned using DDoS-protected DNS services and duplicating them. These measures help minimize the risk from attacks on DNS, which can greatly affect the quality of access to an online game even when the game servers themselves are fine. Today, protected DNS services are offered both by anti-DDoS providers (including StormWall, of course) and by companies specializing in DNS.
Regularly check protection
It is necessary to check the viability and effectiveness of DDoS protection regularly. First, because the DDoS risk landscape changes rapidly: over time the intensity and strength of attacks grow as attackers expand their botnets, develop new methods and tools, and often collaborate to organize even more destructive attacks. Second, because your own IT landscape changes too: new versions of the gaming service and its components are released, the environment is updated, and so on. Regular security audits help assess effectiveness adequately and identify and eliminate emerging vulnerabilities in time.
The most important method of checking the effectiveness of DDoS protection is stress testing. It is usually performed as part of an information security audit and helps assess how stable the gaming service is against at least weak DDoS attacks and identify its vulnerabilities. It is very useful to repeat it later, when trialling anti-DDoS services and after their final configuration and tuning. Since free, publicly available tools can be used for stress testing, its cost is minimal. Agree the time window with your hosting and anti-DDoS providers beforehand, so that your own test is not mistaken for a real attack.
Another, more expensive option is to order a simulated DDoS attack on the gaming service from a company that provides information security services. Its experts can examine your gaming service and the protection around it, assess its resilience to DDoS attacks and identify vulnerabilities.
We strongly recommend not limiting these checks to weekdays and working hours, but also performing them at times when most employees are likely to be off: on weekends and holidays, and in the evenings before them.
Build processes to protect against DDoS attacks
As you know, information security is a process. It is very important that the work of minimizing DDoS risks is also organized as a process and integrated harmoniously into the more general information security process, working closely with its sub-processes such as monitoring and auditing, vulnerability management, configuration management, incident management and so on. It is also very important that not only your internal specialists responsible for supporting and developing the gaming service, but also representatives of the anti-DDoS provider are involved in this process; this is what makes it possible to protect your online game effectively against DDoS risks in the long run.
To sum up, the main steps to increase the protectability of a gaming service are:
- Lay the foundation for security already in the design phase of the application
- Provide the anti-DDoS provider with clear options for filtering attacks
- Prepare information for an anti-DDoS provider
- Disable unused services and close unneeded ports
- Optimize server components
- Connect protected DNS services
- Regularly check protection
- Build processes to protect against DDoS attacks