The Distributed Denial of Service (DDoS) attack landscape has been changing rapidly over the past few months, with the sophistication of attack vectors increasing almost daily. Internet-facing companies, especially those in the gaming sector, need to keep up before they are crippled by this new wave of attacks. These attacks have been targeting popular community servers for games such as CS:GO and Garry’s Mod and cause frustration for players and communities alike.

So what is it about these new attacks that makes them so dangerous?

Recently we have seen a rise in application-specific (layer 7) DDoS attacks against our gaming network. These attacks mimic legitimate player traffic, which causes major headaches for mitigation engineers trying to tell a “bad” packet from a good one. Moreover, unlike traditional volumetric attacks, which try to saturate the host’s network links (fill the pipes), these attacks are very small, roughly 50 to 500 Mbit/s at 100K to 1M packets per second, and rely on the application itself being overloaded by the attack packets rather than the network.

Deep dive into the Attack

Firstly we need to understand a little about these games, particularly A2S (Source Query) traffic. Without going into too much detail, A2S is the UDP query protocol that the Steam server browser and game clients use to ask a Source engine server for its name, map, player count, player list and rules before a player joins. The server answers these queries from any address, with no authentication and no prior handshake, which is exactly what the attack below exploits.

Let’s look at the payload of an attack packet and of a real packet side by side, so that you can see the level of sophistication involved. This information was gathered from our Corero mitigation devices.

Attack source packet:

Payload: ffffffff-54536f75-72636520-456e6769-6e652051-75657279
Packet length: 71
TTL (time to live): 111

Real source packet:

Payload: ffffffff-54536f75-72636520-456e6769-6e652051-75657279
Packet length: 71
TTL (time to live): 115

As you can see, there is no difference between the two packets at all. The payload decodes to the standard A2S_INFO request: the four-byte 0xFFFFFFFF header, the type byte ‘T’ and the ASCII string “Source Engine Query” (the dump omits the terminating null byte). The packet length and the TTL (time to live) are also being mimicked, within the ranges seen in normal traffic, so nothing in the packet itself marks it as malicious.

From a traditional (volumetric) point of view this traffic would not be a problem: the attack is so small that it never comes close to saturating the connection to the server or the backbone networks. The issue is that CS:GO (and the other Source games) accept every such packet and process it without questioning whether it is legitimate. The host machine’s CPU usage spikes as the application tries to process the hundreds of thousands to millions of “bad” packets flooding it. Only the one server is affected, but because a single game server runs on a single CPU core, that core becomes overloaded and players see “choke”, “var” and high latency in game.

[Screenshot: SRCDS (Source Dedicated Server) application under attack]

[Screenshot: system CPU usage]

So what can be done?

To prevent attackers from bypassing our new mitigation rules, we will not provide exact details of how we have gone about stopping these attacks. We will, however, give some basic insight into how we implemented them.

This is where the importance of on-site, highly capable DDoS mitigation appliances comes in. At Streamline Servers we run Corero NTD devices across our international locations; they give us the ability to investigate and mitigate new attacks on the fly.

Using the dashboard we can see the traffic flowing towards the attacked IP in real time.

[Screenshot: Corero dashboard, packets towards the attacked IP over time]

As you can see, there are a number of very large spikes in the packets targeting the service IP, which usually indicates a DDoS attack. Let’s dig a little deeper and see what those packets were.

Looking at the payload (udpdata) at the time of the large spikes, we see the following, a clear indication of an A2S / Source Query attack payload. So how do we go about stopping this attack? The easy and obvious answer would be to simply block the entire payload. However, as mentioned above, this exact payload is also legitimate traffic. Blocking it outright would stop every player from being able to join the server as well, which is exactly the outcome the attackers want.

[Screenshot: Corero dashboard, UDP data during the spikes]

[Screenshot: Corero dashboard, TTL during the spikes]

[Screenshot: Corero dashboard, packet length during the spikes]

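The post keeps its own Corero rule private, so what follows is an added illustration of the general approach a practitioner would start from; it is not Streamline Servers’ rule and not code from this post. It recognises the A2S_INFO request by its payload (the hex dump printed above decodes to it), leaves all other UDP untouched, and admits each source address only a bounded rate of queries, since a real player’s server browser sends a handful of queries while a flood sends thousands from the same addresses. The addresses, timestamps, rate and burst values and the “game-state” filler payload are all constructed for the example.

```python
"""Per-source rate limiting of A2S_INFO (Source Query) requests.

Added illustration for this post; not Streamline Servers' Corero rule.
Timestamps are integer milliseconds and the bucket holds milli-tokens, so the
result of the run is exact and reproducible.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Canonical A2S_INFO request: 0xFFFFFFFF header, 'T', "Source Engine Query", NUL.
A2S_INFO_REQUEST = b"\xff\xff\xff\xffTSource Engine Query\x00"
# The byte after the header identifies the query type.
A2S_TYPES = {b"T": "A2S_INFO", b"U": "A2S_PLAYER", b"V": "A2S_RULES"}
# Hex dump exactly as printed in the post; its 4-byte groups stop before the trailing NUL.
DUMP_FROM_POST = "ffffffff-54536f75-72636520-456e6769-6e652051-75657279"


def decode_dump(dump: str) -> bytes:
    """Turn the dashboard's dash-separated hex groups back into payload bytes."""
    return bytes.fromhex(dump.replace("-", ""))


def classify_payload(payload: bytes) -> str:
    """Name the A2S query a UDP payload carries, or "other" for game traffic and junk."""
    if len(payload) < 5 or payload[:4] != b"\xff\xff\xff\xff":
        return "other"
    kind = A2S_TYPES.get(payload[4:5], "other")
    if kind == "A2S_INFO" and payload[5:] not in (A2S_INFO_REQUEST[5:], A2S_INFO_REQUEST[5:-1]):
        return "other"  # header says A2S_INFO but the body is not the fixed query string
    return kind


@dataclass
class Packet:
    ts_ms: int      # arrival time in milliseconds
    src: str        # source IPv4 address
    payload: bytes
    label: str      # ground truth for the constructed traffic only: "legit" or "attack"


class TokenBucket:
    """Integer token bucket: `rate_per_s` tokens per second, one token per request."""

    def __init__(self, rate_per_s: int, burst: int) -> None:
        self.rate = rate_per_s            # tokens/s is the same number as milli-tokens/ms
        self.cap = burst * 1000
        self.tokens = self.cap
        self.last_ms: Optional[int] = None

    def take(self, now_ms: int) -> bool:
        if self.last_ms is not None:
            self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class A2SLimiter:
    """Throttle A2S_INFO per source address; everything else is passed untouched."""

    def __init__(self, rate_per_s: int = 1, burst: int = 5) -> None:
        self.rate_per_s, self.burst = rate_per_s, burst
        self.buckets: dict[str, TokenBucket] = {}

    def verdict(self, pkt: Packet) -> str:
        if classify_payload(pkt.payload) != "A2S_INFO":
            return "pass"
        if pkt.src not in self.buckets:
            self.buckets[pkt.src] = TokenBucket(self.rate_per_s, self.burst)
        return "pass" if self.buckets[pkt.src].take(pkt.ts_ms) else "drop"


def build_traffic() -> list[Packet]:
    """Constructed 20 s capture: three players querying normally plus a 200 pps flood."""
    pkts: list[Packet] = []
    for i, src in enumerate(("198.51.100.10", "198.51.100.11", "198.51.100.12")):
        for q in range(10):                       # a server-browser refresh every 2 s
            pkts.append(Packet(q * 2000 + i, src, A2S_INFO_REQUEST, "legit"))
        for g in range(5):                        # ordinary in-game UDP (constructed filler)
            pkts.append(Packet(g * 4000 + 500 + i, src, b"\x01\x02game-state", "legit"))
    for n in range(4000):                         # flood: identical payload, four spoofed sources
        pkts.append(Packet(n * 5, f"203.0.113.{10 + n % 4}", decode_dump(DUMP_FROM_POST), "attack"))
    pkts.sort(key=lambda p: p.ts_ms)              # stable sort keeps each source in send order
    return pkts


def run(limiter: A2SLimiter, pkts: list[Packet]) -> dict[str, int]:
    """Feed packets through the limiter and count verdicts per (label, kind)."""
    counts: dict[str, int] = defaultdict(int)
    for p in pkts:
        kind = "a2s" if classify_payload(p.payload) == "A2S_INFO" else "game"
        counts[f"{p.label}_{kind}_{limiter.verdict(p)}"] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(run(A2SLimiter(), build_traffic()).items()):
        print(f"{key:18s} {n}")
```

Run it and the summary shows every legitimate query and every game packet passing while the flood is cut down to each source’s burst plus one query per second. The limit only holds because the constructed flood reuses four source addresses; against a flood that spoofs a fresh address per packet, a per-source bucket admits everything, and the remaining options are an aggregate per-destination budget (which also costs legitimate queries) or a challenge step before the server does any work, which is what Valve later added to A2S_INFO.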
This is where we can’t provide more detail, as it would expose too much of the new attack-vector rules we have put in place. All we can say is that the new rule is named “syd_A2SGETSUM” and is currently deployed across our global network.

We hope you enjoyed this deep dive into the changing attack landscape. Let us know if you’d like to see more of these casual but hopefully informative blog posts.



Monday, October 8, 2018




