Is this actually a DDoS? Or does SE just have bad servers?
There is no reason to believe it is anything other than a DDoS attack.
In the last few weeks FFXIV has been kicking people off NA servers with 90k errors. This is confined to NA, and even if there have been some on EU/OCE/JP, it is orders of magnitude less common. There is no logical reason to assume the server software is different in each region, and since it is possible for both JP and NA to visit OCE, that is vanishingly unlikely.
Earlier today, when world first racers were getting 90ks, they tried to data center travel to Dynamis to raid. The 90k errors then stopped on NA and started on OCE. Once they gave up and returned to NA, so did the 90ks.
This is as close to evidence of a DDoS attack as anyone who doesn't work for Square Enix can get.
That also means it is provider-agnostic, as NTT America does not operate in Australia.
So that's the "how"; now for the "why".
In threat modeling, there are two kinds of attackers: rational and irrational.
Rational attackers are great (well, in terms of prevention): they are easy to understand and can even be worked with at times. They are typically limited to actual hacking/unauthorized access attacks, but a rational attacker DDoS could be "I'm DDoSing you, pay me 3 million in bitcoin and I will stop."
This isn't very likely, as typically those demands are public to put pressure on the target company, but it is possible if they just sent SE the ransom directly... but again, unlikely.
An irrational attacker is FAR more likely. This doesn't mean somebody who is completely insane and has no reason, but someone who cannot be negotiated with; they just want to break things.
If a rational attacker is a burglar breaking into your home, an irrational one is a drunk teenager trying to throw a rock through your attic window.
In this case, I think it's pretty clear what's going on. It is someone (or a group) that does not care about money, with no public ransom, and enough resources to repeatedly crash ISP nodes (often multiple at a time). They are burning money to bring servers down for no gain. They are also willing to risk felony cybercrime charges (which this definitely counts as).
Now the big question: how do you stop an irrational attacker?
You don't. You hope they get bored or lose interest.
There are some other very high profile MMO DDoS incidents, with the most recent famous one being the WoW hardcore classic streamer guild "OnlyFangs".
Whenever they pulled a raid boss, the WoW servers went down. It was 100% predictable, there were no exceptions. This wasn't because their guild was specifically cursed and making the servers crash; there was just... a guy (or guys) who wanted their characters dead. This only stopped after the streamers decided to stop playing hardcore, because it was hurting the game for everyone.
Possible culprits
Literally anyone with money. I suspect based on timing it's someone who really wants NA to lose the world race, but it could also just be someone who wants to hurt FFXIV's reputation, and messing up the world race is the easiest way to do it.
But why is it only FFXIV?
It isn't. It's just that taking down any game costs a lot of money, so it's very rare. Even if you are just running a server for a few friends, you could be DDoSed; it would just cost them far more to kill the server than it costs you to run it.
There are obviously DDoS solutions, but they really only work for websites, and the solution for something that needs a server connection is an active and ongoing problem. It's (part of) why so many competitive games switched to peer-to-peer hosting: if you kill the host it only affects that one game, not the entire server.
Some more recent examples of non-FFXIV games taken down by DDoS
Albion Online, basically unplayable for several weeks in early summer last year after a mass ban of RMT accounts
World of Warcraft earlier this week, I'm not sure why, but Blizzard publicly acknowledged the cause on the launcher
League of Legends also earlier this week, actually no clue on this one either
None of this is confirmed. I am just a third party with no insights into SE internals, using my experience with devops and cybersecurity to put pieces together.
submitted by /u/Rauvagol
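Added example, not from the post above or from Square Enix: the post's evidence is that the 90k spikes moved from NA to OCE when the tracked group data-center-travelled and moved back when they returned. This script encodes that "do the errors follow the target?" reasoning as a check an analyst could run over disconnect logs. Every log line, region name and group timeline below is constructed sample data, and the log format ("minute region event") is an assumption made for the example; a second, static log shows what the same check reports when errors stay on one region regardless of where the group is (the "bad servers" hypothesis).

```python
"""Correlate per-region disconnect spikes with where a tracked group was playing.

Added example with constructed data. Nothing here is real FFXIV telemetry.
"""
from collections import Counter, defaultdict

# Constructed log lines: "<minute> <region> <event>", event is "90k" or "ok".
# Here the 90k spike moves NA -> OCE -> NA, matching the group's travel.
FOLLOWING_LOG = """\
0 NA 90k
1 NA 90k
2 NA 90k
3 EU 90k
4 NA 90k
5 NA ok
10 OCE 90k
11 OCE 90k
12 NA 90k
13 OCE 90k
14 OCE 90k
20 NA 90k
21 NA 90k
22 JP 90k
23 NA 90k
24 NA 90k
"""

# Constructed counter-example: NA is hit in every window no matter where the group is.
STATIC_LOG = """\
0 NA 90k
1 NA 90k
2 NA 90k
10 NA 90k
11 NA 90k
12 OCE 90k
20 NA 90k
21 NA 90k
"""

# Constructed timeline of the tracked group: (start_minute, end_minute_exclusive, region).
GROUP_TIMELINE = [(0, 10, "NA"), (10, 20, "OCE"), (20, 30, "NA")]

WINDOW_MINUTES = 10  # bucket size for counting disconnects


def parse_log(text):
    """Turn the constructed log text into (minute, region, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        minute, region, event = line.split()
        events.append((int(minute), region, event))
    return events


def disconnects_per_window(events, window=WINDOW_MINUTES):
    """Count 90k disconnects per (window_start, region)."""
    counts = defaultdict(Counter)
    for minute, region, event in events:
        if event == "90k":
            counts[(minute // window) * window][region] += 1
    return counts


def group_region_at(minute, timeline):
    """Where the tracked group was playing at the given minute, or None."""
    for start, end, region in timeline:
        if start <= minute < end:
            return region
    return None


def follow_rate(events, timeline, window=WINDOW_MINUTES):
    """Return (matched, total): in how many windows the hardest-hit region was the group's region."""
    counts = disconnects_per_window(events, window)
    matched = total = 0
    for window_start, counter in sorted(counts.items()):
        where_group = group_region_at(window_start, timeline)
        if where_group is None:
            continue
        total += 1
        hottest_region, _ = counter.most_common(1)[0]
        if hottest_region == where_group:
            matched += 1
    return matched, total


def errors_follow_group(events, timeline, min_fraction=0.8):
    """True when the disconnect spike tracked the group in at least min_fraction of windows."""
    matched, total = follow_rate(events, timeline)
    return total > 0 and matched / total >= min_fraction


if __name__ == "__main__":
    for name, log in (("following", FOLLOWING_LOG), ("static", STATIC_LOG)):
        m, t = follow_rate(parse_log(log), GROUP_TIMELINE)
        verdict = errors_follow_group(parse_log(log), GROUP_TIMELINE)
        print(f"{name}: spike matched group location in {m}/{t} windows -> follows group: {verdict}")
```

The check deliberately asks only which region was hardest hit per window, not how hard, because the post's argument rests on the spike changing location, not on its size. On the first log the spike matches the group's region in all three windows; on the static log it matches in only two of three, which falls below the 0.8 threshold and so is not reported as following the group.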