This isn’t the first time that attackers have targeted Blizzard, the developer that created and maintains World of Warcraft, with a DDoS attack. In fact, just last year, federal prosecutors sentenced a Romanian hacker to a year in prison for an attack they launched back in 2010. DDoS attacks against video game services have always been a popular high-profile, low-skill way of gaining “hacking cred.” The hacker collective known as Lizard Squad, for example, famously attacked the Xbox Live and PlayStation Network gaming services on Christmas back in 2014.
While, more often than not, attackers target video game services simply “for the lulz,” meaning just in an effort to anger users, there is reason to believe these latest attacks against Wikipedia, Twitch and WoW were a business decision. Late into the first day of the attacks, the Twitter account claiming responsibility publicly offered DDoS mitigation services to Blizzard. Additionally, a botnet capable of simultaneously taking down every server of one of the most popular massively multiplayer games could be worth a fair bit of money if rented out as a service, something we’ve seen before.
While there are next to no details available about how the attackers managed to amass enough traffic to execute their attack, we can draw a few conclusions from the evidence that is available. Blizzard’s DDoS mitigation on Sunday blocked access for nearly all Linux-based users. This indicates the attack likely originated from Linux-based systems, probably similar to the infected IoT devices or consumer routers that fueled the Mirai botnet three years ago. Linux-based WoW users found they could only connect to Blizzard’s servers again after manually modifying their network Time-To-Live (TTL) setting, which controls how many “hops” a packet can take before a router discards it. Different operating systems ship with different default TTL values, so it makes sense that Blizzard could fingerprint potentially malicious traffic and drop it by inspecting the TTL field of the IP header.
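To make the fingerprinting mechanism concrete, here is an added Python example (not code from the original article, and not Blizzard’s actual mitigation logic). It uses the well-known default initial TTLs (64 for Linux and macOS, 128 for Windows, 255 for many network appliances) to infer a sender’s OS family from the TTL observed at the edge, applies a block-by-OS-class policy to a constructed packet sample, and measures the collateral damage to legitimate clients. The packet list, its source addresses and its attack/legit labels are all constructed for illustration.

```python
"""TTL-based OS fingerprinting as a DDoS mitigation filter (added example).

A packet leaves its host with the OS default initial TTL and every router
on the path decrements it by one, so the edge observes (initial - hops).
Rounding the observed value up to the nearest common default recovers the
likely OS family and the approximate hop count.
"""
from collections import Counter

# Well-known OS default initial TTLs; assumption: any host uses one of these.
INITIAL_TTLS = (64, 128, 255)
OS_CLASS = {64: "linux-like", 128: "windows-like", 255: "appliance-like"}


def infer_initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common default initial TTL."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError("TTL must be an 8-bit value")
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise AssertionError("unreachable: 255 covers every valid TTL")


def estimated_hops(observed_ttl: int) -> int:
    """Approximate router hops between sender and observer."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def classify(observed_ttl: int) -> str:
    """Map an observed TTL to an OS family label."""
    return OS_CLASS[infer_initial_ttl(observed_ttl)]


# Constructed sample traffic: a Linux-based flood plus a few legitimate players.
SAMPLE_PACKETS = [
    {"src": "198.51.100.10", "ttl": 52, "label": "attack"},  # 64 - 12 hops
    {"src": "198.51.100.11", "ttl": 49, "label": "attack"},
    {"src": "198.51.100.12", "ttl": 55, "label": "attack"},
    {"src": "198.51.100.13", "ttl": 44, "label": "attack"},
    {"src": "203.0.113.5", "ttl": 115, "label": "legit"},    # Windows player
    {"src": "203.0.113.6", "ttl": 53, "label": "legit"},     # Linux player, default TTL
    {"src": "203.0.113.7", "ttl": 120, "label": "legit"},    # Linux player after raising TTL to 128
]


def mitigation_decision(packet: dict, blocked_classes: set) -> str:
    """Drop a packet when its inferred OS class is on the block list."""
    return "drop" if classify(packet["ttl"]) in blocked_classes else "allow"


def apply_policy(packets: list, blocked_classes: set) -> Counter:
    """Count allow/drop decisions for a packet sample under a policy."""
    return Counter(mitigation_decision(p, blocked_classes) for p in packets)


def collateral(packets: list, blocked_classes: set) -> tuple:
    """Return (legitimate packets dropped, legitimate packets total)."""
    legit = [p for p in packets if p["label"] == "legit"]
    dropped = sum(1 for p in legit if mitigation_decision(p, blocked_classes) == "drop")
    return dropped, len(legit)


if __name__ == "__main__":
    policy = {"linux-like"}
    print("decisions:", dict(apply_policy(SAMPLE_PACKETS, policy)))
    print("collateral (legit dropped / legit total):", collateral(SAMPLE_PACKETS, policy))
```

Two caveats the sample makes visible. First, the filter cannot tell a Linux player from a Linux bot: with `{"linux-like"}` blocked, the player at TTL 53 is dropped alongside the flood, which is the collateral the article describes. Second, a host that raises its own initial TTL to 128 is observed at 120 and classified as Windows-like, which is why the forum workaround restored access. TTL alone is therefore a coarse, temporary signal, best combined with per-source rate limits or protocol-level checks rather than used as the sole drop criterion.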
As for the identity of the attacker, that might be more difficult to uncover if they did a good enough job of covering their tracks. Evidence points towards them being based out of the UK or a neighboring country. While their Twitter handle (UKDrillas) could be a red herring, the attack pattern matches someone who was most active during normal UK hours. Additionally, the attacker had trouble identifying the US-based IP address for several servers, indicating they were not local.
If you followed the incident as it was unfolding, you might have seen some overzealous gamers identify who they believed the attacker was, based on a YouTube playlist sharing the name of the Twitter account. While law enforcement is likely already looking into that possibility, it’s important to remind people not to jump to early conclusions and harass individuals based on uncorroborated evidence. People who DDoS video game services have not had a good track record of staying out of jail lately. There is a strong possibility the attacker slipped up and will be identified, but that process should be left to the authorities and experts.
Either way, as of Monday, all of the originally affected services are back online for the majority of people. If you are a WoW gamer who plays on Linux (hats off to your persistence), check out the Blizzard forum post linked earlier in this article for tips on getting your game back online. As for everyone else, keep on the lookout for additional DDoS attacks from the same botnet in the coming weeks.