Boom, headshot: help your gaming site avoid the devastating blow of a DDoS attack

Regardless of the experience they put out for end users, running an online gaming site isn’t all fun and games. Between rapidly evolving graphics and technology, competition, demanding users and the need for constant site uptime and instant response time, being an online gaming site owner or one of the people tasked with running it has always been super stressful, and it’s only getting worse now that online gaming sites are becoming such a major target for DDoS attacks. The number one target, according to one recent report.

DDoS risk factors

Unfortunately for online gaming sites, there are a few characteristics that make them both attractive and vulnerable to attackers. The first is that need for 100% uptime. If an attacker is going to go to the trouble of launching a DDoS attack, he or she might as well make it count and hit a site that experiences user demand 24 hours a day. A successful DDoS attack on a gaming site will never go unnoticed.

Similarly, gaming sites can’t experience any sort of lag. Games need to respond instantly to user commands and have to facilitate real-time user interaction. Even milliseconds of latency can cause bigtime user dissatisfaction.

The need for constant uptime and instant response time feed into another factor that makes gaming sites an ideal DDoS target: users that aren’t afraid to express their frustration. Gamers take to social media in droves when a game isn’t functioning optimally - more on that in a bit.

There are also a couple of things about online gaming sites that make it fairly technically simple to launch a successful DDoS attack. These sites experience highly predictable spikes in traffic, following new product releases or during gift-giving holiday seasons, for example, and with servers already straining under increased traffic, it’s easy for an attacker to give it an extra nudge with a DDoS attack, knocking it offline or rendering it unusable due to latency.

Online gaming sites also have what’s called a single point of failure in the form of that always-on, always-available centralized gaming platform. With a tightly focused attack, an attacker can do widespread damage.

DDoS antagonists

The attacks on gaming sites can largely be traced back to DDoS for hire services, otherwise known as booters and stressers. According to professional DDoS protection services provider Imperva Incapsula, what booters and stressers offer is the opportunity for the average, not even tech savvy person to launch a DDoS attack against the website of their choice, typically for just a few dozen dollars.

DDoS for hire services are behind the surge of DDoS attacks against online gaming sites for two reasons. The first is the competitive nature of gaming sites. If you’re the owner of a gaming site and you don’t mind getting underhanded and malicious, the temptation of hitting a competing site with a DDoS attack during a peak traffic period for a minor financial investment may prove to be too much.

Secondly, DDoS for hire services are obviously out to make money. What better advertising is there than taking down an online gaming platform at, say, Christmas, waiting for thousands of enraged users to take their frustration to social media, and then claim the attacks as the work of your booter or stresser? Attackers looking for instant internet infamy (cough, Lizard Squad, cough) know this is their number one strategy.

Defensive tactics

The next question is obvious: what can gaming sites do to protect against these threats? The key to limiting downtime and damage is having both a DDoS response plan and professional DDoS protection in place.

To begin formulating your DDoS response plan, perform a thorough risk assessment to identify the scope of your risk. This includes identifying the infrastructure assets that require protection, and estimating the costs that would ensue if an asset were to become unavailable. What are you risking in terms of lost revenue and reputation damage?

A major part of your risk assessment will also be identifying the weak spots in your infrastructure. For online gaming sites, this is usually the gaming servers. You need to look at system redundancy options as well as disaster recovery options that will get you back online, fast.

You also need to put together a DDoS response team. Identify who in your organization will be doing what in the event of an attack. Roles will include identifying an attack, working to mitigate it, coordinating with your ISPs, notifying users and possibly communicating with the press.

Choosing professional DDoS protection services

Due to the plethora of vulnerabilities facing them, online gaming sites have specific requirements when it comes to professional DDoS protection. These requirements include always-on protection and real-time monitoring for the most instant response possible. Another major requirement is transparent mitigation that in no way impacts user experience. The goal of DDoS protection for gaming sites should be users never knowing an attack was even launched.

You’ll also want the ability to implement custom security policies, and you’ll want to strongly consider an enterprise-grade service level agreement for 99.999% uptime.

Additionally, you don’t want to let your DDoS protection focus solely on protecting gaming servers. While the majority of DDoS attacks will be network-level attacks that target the servers, you also need to consider web application protection to protect your HTTP assets including company websites, online stores and community forums. DNS protection is also a necessity, as attacks targeting domain name servers can last for days.

For the good of your site as well as your sanity, get a DDoS response plan and professional DDoS protection in place. Then you’ll be free to focus more on the other things about running an online gaming site that majorly stress you out.