Last week, a group calling itself DERP launched DDoS attacks on the servers of a number of the world’s biggest games (and games companies). It seemed like an awfully big list of victims for such a simple and ancient form of attack, but as Ars Technica explain, there was a bit more to it than that.
Unlike a standard DDoS attack, which big services like Battle.net and League of Legends would have been able to defeat, the attackers used a new – and obviously incredibly effective – method.
“Rather than directly flooding the targeted services with torrents of data”, Ars explains, “an attack group calling itself DERP Trolling sent much smaller sized data requests to time-synchronisation servers running the Network Time Protocol (NTP). By manipulating the requests to make them appear as if they originated from one of the gaming sites, the attackers were able to vastly amplify the firepower at their disposal. A spoofed request containing eight bytes will typically result in a 468-byte response to a victim, a more than 58-fold increase.”
According to “DoS-mitigation service” Black Lotus, while this sounds bad, it’s easy to protect against. Though, they would say that, wouldn’t they.
DoS attacks that took down big game sites abused Web’s time-sync protocol [Ars Technica]
Comments
5 responses to “How EA, League Of Legends And Battle.net Were Brought Down”
Brought down is a broad term for what they did, paint it as it is instead of making it sound heroic – How a couple of kids inconvenienced thousands of customers/gamers
Its an Australian thing mate, for some reason we inherently view Criminals in the wrong light.
HI LIBERAL VOTER
DEATH PENALTY FOR HACKERS!
The worst thing about this is every time somebody mentions the attacks or the people who did it, these idiots get off on seeing the chaos they caused.
In reality I think most people just did something else for a few hours. It’s not like your average Gamer only has 1 game to play.
Anyone with nothing better to do – to the point where DoSing seems the best way to spend their time – is a complete and utter loser.