Gaming – Legitimate vs. Malicious Users

Over the years Radware has followed the evolution of DDoS attacks directed at the gaming industry. For the industry, large-scale DDoS attacks can result in network outages or service degradation and has become an everyday occurrence. In 2016 Lizard Squad and Poodle Corp launched repeated attacks against EA, Blizzard and Riot Games, resulting in service degradation and outages for users around the world.

The main motivation for attackers in most situations is the simple thrill of disrupting game play and tournaments. A secondary motivation is disrupting crucial moments when gamers are trying to take advantage of new expansion packs or in-game specials.

Attackers targeting the gaming industry can range from users who pay for DDoS services to experienced attackers who possess the ability to launch large scale spoofed attacks. Experienced attackers are able to sustain high volumes of attack traffic. The advanced attackers are also able to consistently change attack vectors in an attempt to defeat mitigation systems. These vectors often include SYN floods, ACK floods, TCP reset attacks, UDP floods and fragmented UDP floods. The determination and systematic targeting of these services show how motivated attackers can be to knock a game offline.

[You might also like: SMB Vulnerabilities – WannaCry, Adylkuzz and SambaCry]

Over the last month several gaming companies have been dealing with a series of Denial of Service attacks. Final Fantasy XIV specifically has been dealing with an advanced and persistent denial of service attack that has included changing attack vectors. These attacks that have flooded Square Enix’s networks resulted in intermittent service degradation and disconnection for over a month. Square Enix in a recent statement confirmed that they have experienced a series of attacks from a third party since mid-June. The attacks appear to have started in parallel with the release of the second expansion pack, Stormblood, for Final Fantasy XIV on June 16th. These attacks have now transferred from targeting Square Enix’s game servers to their upstream providers.

DDoS attacks and natural floods on the gaming industry also have an impact on network providers who must deal with potential Internet pipe saturation. As attacks continue to increase in quantity and volume they will not only pose a threat to the gaming operators, but also effect network providers who have to absorb these massive floods of traffic.

One of the biggest challenges for mitigating a DDoS attack against gaming platforms is distinguishing the difference between legitimate and malicious users. Attackers will often launch DDoS attacks during the release of a new title due to an increased load on the network. False positives and false negatives at moments like this can create major problems for gamers and providers. If a gamer’s traffic is falsely identified as malicious, it results in a loss of connectivity for that user. If the traffic is malicious and deemed legitimate, it allows the user to continue carrying out their attack.

Only advanced anti-DDoS solutions can successfully distinguish the difference between malicious traffic and legitimate users. An advanced anti-DDoS solution that includes behavioral analysis and challenge responses allow users to access gaming content during an attack. With a behavioral analysis algorithm, a baseline of application behavior can be established so when an attack is launched the traffic can be compare to the baseline allowing the system to detect and drop suspicious traffic. When looking for a solution, organizations should look for one that can accurately detect attacks in a very short timeframe without denying legitimate users access to network resources.

In addition, a challenge response (C/R) mechanisms can also help prevent malicious traffic from targeting networks. If the source is suspected to be suspicious, a challenge will be presented to the source so it can be determined if the request was legitimate.

Organizations should reevaluate today’s DDoS protection systems, and more specifically, solutions that rely on traditional, rate-based detection methods.


Read the 2016–2017 Global Application & Network Security Report by Radware’s Emergency Response Team.

Download Now

Daniel Smith

Daniel is the Head of Research for Radware’s Threat Intelligence division. He helps produce actionable intelligence to protect against botnet-related threats by working behind the scenes to identify network and application-based vulnerabilities. Daniel brings over ten years of experience to the Radware Threat Intelligence division. Before joining, Daniel was a member of Radware’s Emergency Response Team (ERT-SOC), where he applied his unique expertise and intimate knowledge of threat actors’ tactics, techniques, and procedures to help develop signatures and mitigate attacks proactively for customers.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center