It’s become clear to Mortal Kombat 11 players over the last few weeks that the game’s online modes have some critical vulnerabilities. Netplay competitors have been subjected to numerous attacks, including distributed denial of service (DDoS) targeting that makes matches unplayable and has apparently even exposed IP addresses, a particularly heinous problem that has led to at least one streamer being threatened by someone who was able to learn their home address.
Online competition is a huge draw of most modern fighting games, and Mortal Kombat 11 has further prioritised play with the recent addition of Kombat League, a seasonal ranked mode that allows players to earn in-game rewards by completing challenges in online matches. But, as is often the case in online games, some users have had run-ins with unscrupulous opponents who are cheating the system. In this case, the cheating involves using third-party tools to make the game so unplayable that the other player is forced to disconnect and surrender ranking points to the hacker.
DDoS attacks are serious business. The continuous, heavy stream of information they send to servers can do anything from slowing down to completely knocking out internet access. It’s also not legal. Recently, a man in the U.S. was sentenced to 27 months in jail and ordered to pay $US95,000 ($140,542) in restitution for his part in a wave of DDoS attacks launched against Sony Online Entertainment between December 2013 and January 2014. The maximum charge for such an attack tops out at 10 years in prison and $US250,000 ($369,848) in fines.
When it comes to Mortal Kombat 11, a player using a DDoS attack can slow their opponent’s game to a crawl and can even boot players off the internet entirely. In a popular video first covered by Eurogamer, YouTuber sikander555 shared footage of a player named pa3com supposedly initiating a DDoS attack on the character select screen, forcing sikander555 out of the match without even throwing a single punch.
The video description claims that the pa3com account had at some point changed its name to Son-Goku-DZ, and according to Eurogamer, this account was at one time climbing up the game’s leaderboards. A quick peek at the Mortal Kombat 11 leaderboards at the time of this writing shows that Son-Goku-DZ is no longer an Elder God, which is the highest rank in Kombat League, so some of this player’s fraudulent wins appear to have been removed from the account.
A much scarier incident played out on Twitch back in July when streamer BelowZer0 found himself on the other end of an apparent doxing as well as a DDoS threat from a defeated opponent. Upon defeating a player named Goddess0fBl00d23, BelowZer0 was inundated with threatening messages from them, a few of which purportedly included proof that Goddess0fBl00d23 knew his home address.
Further messages provided by BelowZer0 show Goddess0fBl00d23 threatening to “fry” BelowZer0’s internet, a move that BelowZer0 said was successful. While it’s unclear if Goddess0fBl00d23 was able to obtain BelowZer0’s home address with information gleaned from Mortal Kombat 11 or simply through a bit of Google sleuthing, it does appear that something about the game’s servers leaves players open to these types of attacks, a vulnerability that may have serious consequences in the real world.
NetherRealm Studios released a statement yesterday acknowledging these attacks and promising to “make use of all options available” to alleviate the issue. Whether this means simply banning players who have been found to be involved in any DDoS incidents or actually fixing the vulnerabilities in the Mortal Kombat 11 servers is yet to be seen, so players will definitely want to be careful when they participate in online matches.
Kotaku has reached out to NetherRealm Studios for further comment about how the company intends to approach this apparent vulnerability.