Gaming Operator Gives Account of DDoS Attack

4 December 2003

Many in the I-gaming industry have already learned firsthand about the new cyber-predators. Although hackers have been an inextinguishable pest since even the earliest days of the Internet, not until now has a group used hacking as a technique to launch a powerful and widespread attempt at extorting money from Internet-based companies. The newest tactic, distributed denial of service attacks (DDoS), can completely shut down business service networks, rendering them unable to communicate with their customers, sometimes for several hours.

DDoS attacks are successful because they clog a network's bandwidth with so much incoming traffic that no outgoing traffic is able to escape. After the attack has been launched, a ransom demand arrives via e-mail. Although rumor has it that a few gambling sites have given in to extortion demands, the untold story is that many have been successful in battling attacks.

IGN obtained one operator's account of a DDoS assault on its network. (Because of the sensitive nature of the situation, the operator will go unnamed.) According to the operator, a large part of the defense came from obtaining information from other operators who had earlier experienced attacks.

"We were sent a threatening e-mail on a Friday morning," the spokesman said, "though we didn't receive it until one week later - our mail firewall funnily enough delayed it for whatever reason. The sites were down Friday for several hours intermittently due to the flood of requests.

"Our host responded well and we were able to put them in contact with industry colleagues who had experienced the attack previously. In subsequent weeks, we were able to offer this same support to other industry colleagues who suffered with the same blackmail attempts."

Almost everyone with knowledge of the recent wave of attacks speculates that the Russian mafia is probably responsible, and the operator's experience verifies the plausibility of that speculation. He said, "The attackers demanded $30,000 to be sent via Western Union to Russia by Saturday lunchtime. If it was not sent, they wanted $40,000 before Sunday to make it stop. The attackers pledged to attack every weekend of the year until you paid up, but once paid, suggested you would have 12 months extortion-free (at least from this particular group)."

With its network under attack, the operator turned to its server host to defend it. According to the operator, "We relied heavily on our server host to coordinate the response, which involved blocking spoofed IP addresses, increasing our bandwidth pipe to handle the load, and communicating with our players to keep them informed of the problem. We took the view to be honest with them-- and also all of our employees-- right from the start, and sent out updates twice daily to staff and regularly to players to keep everyone informed. We had a traumatic time online, but our call center was not affected, so we got pretty busy on the phones."

"Saturday was pretty unpleasant but we still posted action at 70% of anticipated levels, which is impressive considering that usually 85% of our business is done online and that was largely unavailable all day (shows the resilience of our staff, and the loyalty of our customers). On Sunday we had the problem more or less under control, but our host had blocked so many IP addresses, and so far up the telecom chain, that even then our activity was only at 95% of expected levels.

"It took us over a week to clean house fully and unblock all the false positive IPs that had been blocked in the attack, but both our own staff, our host, and all the ISPs in between worked around the clock to get us up and running fully again - and we are proud to say we were back stronger than ever just a few days after the attack."

Police authorities, technology providers, and others who have dealt with DDoS attacks urge businesses not to succumb to extortion demands. Like the operator whose account is given above, other business operators can benefit from the experience of others. It is also important to note that there is no guarantee that the attackers will refrain from attacking again in the future.

One technology and services provider who has encountered many several DDoS attacks addresses the problem in a three-fold solution; intrusion detection systems, increased capacity for traffic, and upstream telecommunications relationships. Effectively stopping a DDoS attack requires more than just a single solution in place - the security systems within your infrastructure need to exist at multiple levels. Acquiring enormous amounts of bandwidth is typically not a cost-effective solution and will not guarantee your withstanding the attack, if that is all you do.

There are also a number of companies who provide products to block DDoS attacks. One such company is Riverhead Networks, which uses a Multi-Verification Process with five different modules-- Dynamic Filtering, Anti-spoofing, Anomaly Recognition, Protocol Analysis, Shaping & Rate Limiting-- that work together to address any type of attack. The system not only detects, but also automatically blocks attacks.

Meanwhile, hacker assaults of all types are on the rise. The Financial Times estimates that there were 114,000 computer viruses in January through October of 2003, compared to the 21,000 that existed two years ago. In February 2003 a single virus infected 300,000 machines in just 14 minutes, while in 2001 it took Code Red, the most infamous virus, 26 hours to infect that many machines.

IGN recently learned of a DDoS case in which an online gaming operator's service was down for 30 consecutive hours. Keith Tilley, managing director of Sunguard Services, told the Financial times that a brokerage company can lose up to $6.1 million in just one hour of downtime. In the same amount of time a credit card company can lose up $2.4 million, a retail catalogue sales company can lose $88,000, and an airline reservations company can lose $87,000.

Bradley Vallerius

Articles by Bradley P. Vallerius, JD manages For the Bettor Good, a comprehensive resource for information related to Internet gaming policy in the U.S. federal and state governments. For the Bettor Good provides official government documents, jurisdiction updates, policy analysis, and many other helpful research materials. Bradley has been researching and writing about the business and law of internet gaming since 2003. His work has covered all aspects of the industry, including technology, finance, advertising, taxation, poker, betting exchanges, and laws and regulations around the world.

Bradley Vallerius Website