Imagine you’re about to get a Victory Royale in Fortnite, score a deciding goal in FIFA, or defuse the bomb in Counter-Strike when suddenly a message appears on your screen, informing you that you’ve been disconnected.
Wasting no time, you load the game again and discover that a connection can’t be established. Why? Because either you or the game’s servers are under a Distributed Denial of Service (DDoS) attack.
Such attacks are a growing threat in gaming, and we at Tech Magazine had the opportunity to discuss them with Emad Fahmy, Systems Engineering Manager Middle East at NETSCOUT. Here’s what we learned.
What Are DDoS Attacks In Gaming?
DDoS attacks are a type of cybercrime that makes resources unavailable by overloading the network across which they are transmitted with malicious requests. DDoS attacks first appeared in 2010 amid the rise of “hacktivism,” but they have evolved significantly since then, as observed in the NETSCOUT Threat Intelligence Report H2 2021.
“In gaming, DDoS attacks might be directed at a single user or an entire organization,” explains Fahmy. “While an attack on a single user only affects them by slowing down their gaming experience, an attack on an organization can have a greater impact on the game’s entire user base, resulting in a group of disgruntled players who no longer have access to the game or have had their experience significantly slowed.”
The cybercriminals behind the attacks have a variety of motives, from extorting money from gaming companies and causing reputational damage to stopping competing players from winning out of sheer competitiveness.
Anyone Can Launch A DDoS Attack
To successfully launch a DDoS attack against a game or its players, attackers need to send so many malicious requests at the same time that the victim can’t possibly answer them all without becoming overloaded.
These requests are typically sent by bots: hacked devices (computers, routers, IoT appliances, and so on) that do what attackers tell them to do. Even a relatively small network of bots, or botnet for short, can be used to launch a massive DDoS attack.
These days, attackers don’t even have to hack vulnerable devices to obtain the DDoS firepower they need to take a target down. They can simply take advantage of DDoS-for-Hire services, which provide DDoS attacks ranging from no cost to greater than $6,500 for terabit-class attacks, according to the NETSCOUT report.
“DDoS-for-Hire services have made attacks easier to launch. We examined 19 DDoS-for-Hire services and their capabilities that eliminate the technical requirements and cost of launching massive DDoS attacks. When combined, they offer more than 200 different attack types,” says Fahmy.
Preventing DDoS Gaming Attacks
In 2021 alone, NETSCOUT recorded 9.7 million DDoS attacks, an increase of 14 percent compared with 2019. To reverse this gloomy trend, both gaming companies and gamers themselves need to take the threat seriously and adopt specific measures to protect themselves.
“Relying on firewalls and intrusion detection systems is no longer sufficient. This is because DDoS attacks can now manipulate or destroy them. Despite advances in cloud-based detection, the company’s Internet Service Provider (or Managed Security Service Provider) may still struggle to identify threats that wait in the shadows until it is too late,” explains Fahmy. “As a result, an on-premises DDoS risk management solution is critical,” he adds.
Individual gamers, especially eSports players and streamers, can make it harder for cybercriminals to aim DDoS attacks at them using a virtual private network (VPN) service like ExpressVPN, CyberGhost, or NordVPN. Such services channel users’ traffic through their servers, hiding its real origin in the process.
In addition to hiding their IP addresses, gamers should also adhere to cybersecurity best practices. Examples include timely installation of software updates and exercising caution when browsing the web, chatting online, or reading emails.
DDoS, or Distributed Denial of Service attacks, represent a serious threat to the gaming industry because they can compromise the gaming experience and expose developers to the risk of brand damage and potential extortion. DDoS attacks have evolved and become far more sophisticated in recent years. Fortunately, the same can be said about on-premises DDoS risk management solutions that gaming companies use to protect themselves.
Big Tech Knows Too Much. More Regulation Is The Answer
Despite claiming otherwise, Big Tech still shares your data with third parties, and the only thing that can stop them is stricter regulations.
It’s 2023, and pretty much everyone has access to the internet. As we’ve become more reliant on the internet and other smart devices, we’ve also grown increasingly accustomed to companies collecting our data in the background. It’s also not uncommon to hear of cases where customer data is being misused. This raises the question: what is Big Tech doing with so much data?
The answer, we’re afraid, is complicated.
Carefully Curated Experiences
You’re probably familiar with the concept of creating a “personalized experience”. You might also be aware that providing a user with a personalized experience involves knowing what their interests are (what they appreciate or dislike), and the best way to find out a user’s interests is, you guessed it, to check their online activity.
Collecting user data to personalize services is ubiquitous on the internet. It’s seen on social media platforms, video sharing sites like YouTube, and even e-commerce platforms like Amazon. These services use your browsing data to recommend content that they think you might appreciate, and admittedly, this approach works pretty well. Let’s be honest, no one wants to be bombarded with irrelevant content. People appreciate familiarity, and getting content that they can relate to makes for a far more enjoyable user experience. Plus, it’s these personalized content recommendations that make social media platforms like TikTok so addictive — and profitable.
This form of data collection isn’t such a big deal, so long as these corporations are transparent about what data they’re using and why. However, Big Tech is anything but transparent, and it’s at this point where things can get sketchy.
Rage Against The Ad Machine
We’ve all been there. One moment, you’re looking up gaming laptops on Google, and the next, you’re bombarded with advertisements for gaming laptops on your social feed or during a completely unrelated browsing session. Unsettling? Yes. But how does this work?
The sites or apps that supposedly collect user data to “enhance user experience” also sometimes sell this data to advertisers or other third-party trackers.
Let’s look at Google as an example of how the wider ad machine works. When it comes to the quantity of data being handled, few companies can compare. With a seemingly endless stream of data at its disposal, with sources ranging from Chrome, to Maps, and even Bard, it’s no mystery why. Combine endless amounts of data with the single largest advertising platform, and you get the perfect money-making ad machine.
Real-Time Bidding: A Game Of Half-Truths
Google claims, in no uncertain terms, that it does not sell your personal data. So case closed, right? If only it were that simple.
Technically, Google isn’t lying. If you go by the strictest definition of a sale, where a commodity is exchanged for money, then no, Google is not a data broker and it doesn’t sell your data. However, Google monetizes your data in other ways, which does involve sharing your data with third parties. One such method is real-time bidding (RTB).
So How Does RTB Work?
RTB is a form of programmatic advertising where ad spaces are automatically auctioned off to the highest bidder on a per-impression basis.
Without getting into too much detail, when a user begins a session on a particular page, their data (including location and browsing history) is collected and broadcast by supply-side platforms (SSPs) to a group of demand-side platforms (DSPs), which automatically place bids for ad space on that specific session. The winning bidder’s ad is then displayed to the user. User data is shared here to ensure that only relevant advertisements will be shown to the user during that session. This entire process is automated and takes only milliseconds.
Admittedly, RTB is incredibly efficient as an advertising tool. But it’s unfortunately a questionable practice due to the privacy implications, with some experts claiming that RTB practices violate GDPR principles.
The issue with RTB is that it also involves sharing highly specific data, so while RTB platforms aren’t directly sharing personal data, they most certainly are indirectly sharing data that is detailed and specific enough to tie to a particular user. Furthermore, it’s not just the highest bidder that gets to view this data — everyone who participates in the auctions can. These exchanges have no control over how the broadcast data is used once the auction is complete. When you put everything together, you’re looking at an ugly combination of potential security risks. What makes things worse is that advertising platforms running RTB auctions are not transparent about what kind of data is being broadcast.
Coming back to Google, the company can rightly claim that your data isn’t what’s being sold; rather, it’s the ad space within your browser. But, as we’ve already seen, RTB involves the transfer of personal data. Please note that Google isn’t the only offender in this space. RTB is a common online advertising practice followed throughout the internet, and it’s important to be aware of how Big Tech companies use vague language and loopholes to get away with sharing your data while claiming otherwise — directly or not.
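The broadcast described above can be modelled in a few lines. This is an added sketch, not code from the article or from any ad exchange: it records which identifying fields every bidder receives, then repeats the auction with a coarsened request. The field names are modelled loosely on OpenRTB-style bid requests, and the DSP names, bid logic and minimization rules are hypothetical.

```python
import copy
from urllib.parse import urlsplit

# Constructed bid request; field names loosely follow OpenRTB and are illustrative.
BID_REQUEST = {
    "id": "auction-0001",
    "site": {"page": "https://shop.example/laptops/gaming?ref=search"},
    "device": {"ip": "203.0.113.57", "geo": {"lat": 25.20485, "lon": 55.27078}},
    "user": {"id": "u-7f3a9c", "segments": ["gaming-laptops", "esports"]},
}

# Hypothetical DSPs: each one is a bidding function that returns a price.
DSPS = {
    "dsp-a": lambda req: 2.10 if "gaming-laptops" in req["user"].get("segments", []) else 0.40,
    "dsp-b": lambda req: 1.75,
    "dsp-c": lambda req: 0.90,
}

def identifying_fields(req):
    """Return the fields in a request that can help single out one user."""
    found = []
    if req["user"].get("id"):
        found.append("user.id")
    if not req["device"]["ip"].endswith(".0"):  # crude check for an untruncated IPv4
        found.append("device.ip")
    geo = req["device"]["geo"]
    if any(round(v, 1) != v for v in (geo["lat"], geo["lon"])):
        found.append("device.geo (precise)")
    if urlsplit(req["site"]["page"]).path not in ("", "/"):
        found.append("site.page (full URL)")
    return found

def minimize(req):
    """Coarsen before broadcast: no user id, last IP octet zeroed, ~11 km geo, domain only."""
    out = copy.deepcopy(req)
    out["user"].pop("id", None)
    out["device"]["ip"] = out["device"]["ip"].rsplit(".", 1)[0] + ".0"
    out["device"]["geo"] = {k: round(v, 1) for k, v in out["device"]["geo"].items()}
    parts = urlsplit(out["site"]["page"])
    out["site"]["page"] = f"{parts.scheme}://{parts.netloc}/"
    return out

def run_auction(req, dsps=DSPS):
    """Broadcast req to every DSP; return (winner, ledger of what each DSP saw)."""
    bids, ledger = {}, {}
    for name, bid_fn in dsps.items():
        ledger[name] = identifying_fields(req)  # every bidder receives the data, not just the winner
        bids[name] = bid_fn(req)
    return max(bids, key=bids.get), ledger
```

With the raw request, all three bidders end up holding four identifying fields although only one wins; with `minimize()` applied first, the same bidder still wins while the ledger is empty, though the interest segments still travel to every participant.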
Big Tech Is Watching You
Let’s reiterate this: We’re perfectly fine with tech companies using our data to provide us with an improved experience while we choose to use their services, provided they’re transparent about what data they’re collecting and how it’s being used. What isn’t okay is Big Tech getting away with misusing our data using vague jargon and legal loopholes. We can be grateful for data protection regulations like Europe’s GDPR, as well as California’s CCPA and CPRA, and other countries that have followed suit. It’s time for even stricter regulation to crack down on Big Tech’s exploitative business models.