Mine tend to be outdoors; skiing and sailing are my principal ones, but I tend to buck the trend. It seems that a large number of people find their hobbies on-line, gaming being one of the principal ones. A recent survey shows that the U.S. supports about 145 million gamers and that they spend an average of about 215 million game hours per day. It is no wonder that the game hosting companies are doing so well. Another survey showed that on-line gamers are split between games that play for points and those that play for money.
I worked with a gaming company a while ago and found it interesting that the biggest concerns for this company were bandwidth and denial of service attacks. The bandwidth concerns I understood: the more bandwidth, the more feature-rich and lifelike the game can be. The second concern was a surprise. Apparently when a gamer is disenchanted with a game, in addition to going to another game, he or she finds it necessary to disrupt the game so that other gamers and the gaming company cannot continue that game. Seems childish, but then again I have seen folks drive pickup trucks over ski trails quite possibly for the same reason. In any case, back to this game company and their concerns.
The bandwidth concern was not really a concern at all; bandwidth and high-bandwidth devices are easy to come by today, and this company had 20 Gbps at its disposal in no time at all (and when I left, they were using 8 Gbps of that bandwidth on average). The solution to the second concern needed a little more research and had a couple of possible solutions.
Looking at the denial of service mitigation solutions, there are three main types: in-line, bypass and cloud-based. All three types of systems use basically the same technique to mitigate the attacks. Traffic is monitored, and when an attack profile is seen, that traffic is scrubbed. Each of the mitigation techniques has its pros and cons.
The in-line systems are typically the least costly per bit protected. They save the attacked server, but do not stop the incoming traffic from clogging the Internet access link. These systems have a fixed throughput and require a load balancer or a forklift upgrade to scale to greater throughputs. They monitor and scrub the traffic as it passes through the system. For a couple of vendors, the DDoS protection is added to other functions (e.g. firewalls or load balancers). These devices tend to be easier to set up and troubleshoot, as all traffic follows the same path through the system.
The bypass systems are another on-premises solution, composed of two components: one is the monitor system and the other the scrubber. When traffic matches an attack profile, it is detoured to the scrubber for processing. The non-attack traffic proceeds on the direct path. Routing protocols are typically used to create the bypass. These solutions block the unwanted traffic, protecting the attacked server, but again do not unclog the Internet access link from the DDoS traffic. The principal advantage is that the scrubber device does not have to be line rate, because it only receives traffic that matches attack profiles. The monitoring device can be a purpose-built device or an existing firewall or router with flow monitoring capabilities. The separation in function allows this solution to scale without a major change to the hardware. The bypass systems tend to be more complicated to set up and troubleshoot due to the routing involved.
The cloud-based systems are the third type of solution available today. These systems operate by routing traffic to a scrubber in the cloud. The solutions vary by how that is accomplished. Some DDoS providers act as the customer’s ISP, advertising the customer’s routes to the Internet and seeing all the traffic from the Internet. When traffic matches the attack profiles, it is dropped. Traffic that does not match the profile is handed to the customer without delay. One cloud-based vendor uses a hybrid approach, monitoring the traffic on the customer’s premises and then diverting the traffic to a cloud-based scrubber when attacks are detected. In all these solutions the customer, their ISPs and the DDoS provider have to agree on routing arrangements. These systems are typically pay-as-you-grow arrangements and are totally managed as far as setup and troubleshooting are concerned.
With all these solutions available, the gaming company actually went for the cheapest one. They decided that they could sacrifice the attacked server. When an attack occurred, they advertised the attacked prefix to their ISPs with the black-hole attribute. This stopped the attack traffic. Considering that they had a virtual environment for the games themselves, they spun up another copy of the game on another server and continued on.
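The sacrifice-and-respawn decision described above, sketched as an added example (not the gaming company's code). The prefix, threshold, flow records and spare server are constructed; the community value is the RFC 7999 well-known BLACKHOLE community, used here as an assumption because the text only says "black-hole attribute" and an ISP may require its own value. The example also assumes a login server that cannot be sacrificed and therefore has to be scrubbed instead.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

BLACKHOLE = "65535:666"                  # RFC 7999 BLACKHOLE community (assumed choice)
OUR_NET = ip_network("198.51.100.0/24")  # constructed: documentation prefix
THRESHOLD_BPS = 1_000_000_000            # assumed attack profile: >1 Gbps to one host
NOT_EXPENDABLE = {"198.51.100.5"}        # assumed: login server, black-holing it
                                         # would lock out every user
WINDOW_SECONDS = 10

# Constructed flow summaries for one window: (destination, bytes)
FLOWS = [
    ("198.51.100.20", 900_000_000),
    ("198.51.100.20", 2_100_000_000),
    ("198.51.100.21", 40_000_000),
    ("198.51.100.5", 1_800_000_000),
    ("203.0.113.9", 5_000_000_000),      # not our space: must never be announced
]

def host_rates(flows, seconds=WINDOW_SECONDS):
    """Aggregate bytes per destination and convert to bits per second."""
    totals = defaultdict(int)
    for dst, nbytes in flows:
        totals[dst] += nbytes
    return {dst: total * 8 // seconds for dst, total in totals.items()}

def plan(flows, spare_servers):
    """Decide per victim: black-hole the /32 and respawn, or fall back to scrubbing."""
    spares = list(spare_servers)
    actions = []
    for dst, bps in sorted(host_rates(flows).items()):
        if bps <= THRESHOLD_BPS or ip_address(dst) not in OUR_NET:
            continue  # below the profile, or not a prefix we may originate
        if dst in NOT_EXPENDABLE or not spares:
            # The black hole drops legitimate traffic too, so it only makes
            # sense when the service can move to another address.
            actions.append({"host": dst, "action": "scrub", "bps": bps})
            continue
        actions.append({"host": dst, "action": "blackhole", "bps": bps,
                        "announce": f"{dst}/32", "community": BLACKHOLE,
                        "respawn_on": spares.pop(0)})
    return actions

if __name__ == "__main__":
    for step in plan(FLOWS, ["198.51.100.40"]):
        print(step)
```

The black-holed /32 stays unreachable for everyone until the announcement is withdrawn, which is why the plan pairs each announcement with a replacement server.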
Looking at the level of attacks that are plaguing the Internet today, it seems that some folks are making a hobby out of these attacks. Rather than the game servers, attacks are being aimed at the login servers, blocking all users from attaching to the game sites. These companies have been forced off-line and need to install some form of attack prevention system. It seems that the growth of on-line gaming will help foster a new round of DDoS attack solutions.
It will be interesting to see if those that make a living from attack mitigation can get ahead of the attacker hobbyist.