  1. #1

    Post About Battle.net/WoW Connection problems - an explanation of what a DDoS or DoS is

    Hey guys

    About the current attack against blizzard and "why they can't do something".

    I know it's more of a technical thing, but because many don't understand what this information means, how Blizzard is affected by it or why they can't do much about it, it seems a summary would be good. I'll offer you an explanation here, but I'll try to keep it quite simple; most players are not that much into IT tech aside from the current best CPU and GPU.

    DoS is "Denial of Service", DDoS is "Distributed Denial of Service". Basically it means an attacker overloads the server or connection of a specific target to knock it off the Internet.


    Flood all the lines!
    For a basic example, here is something I did back in 1998 or so, what we could call the most simple DoS there is. Back then everyone usually had a modem with something like 14.4kbit/s to 56kbit/s. I was in the lucky situation to have an ISDN connection (64kbit/s) and a bit later one of the first ADSL connections with 128kbit/s upload. When a friend of mine was online and I was annoyed by him, I got his IP address over IRC chat and started my "attack".

    I just pinged his PC over the internet with bigger data packets. So he had a 28.8k modem and I used around 40k to hit him (remember, ISDN had 64k, so enough left to keep me alive). My connection was a bit slower then, but he dropped out of the internet 1 min. later. Why? Simple: I flooded his connection with random shit. And the problem is, you can't protect yourself against it. If you have a firewall, the data packets still get to you, but the firewall will drop them, so your PC won't answer my ping packets. That means your "upload" won't be affected anymore, but because of the overloaded line, you still get a disconnect.

    That means everyone with a faster internet line than you could drop you off the internet, if he has your address.


    Flood all the ports and servers!
    The second way to kill a server is to flood not only the line but the server itself. A usual PC can accept connections on ports 1-65535, or maybe 60000 if you factor in reserved ports. Imagine, if you build up a connection to battle.net, your PC connects to the battle.net server and says "hi, I would like to connect" - the server answers "sure, connect to port 12345 and start the login procedure". Now the client opens a connection to the port and does its stuff.

    Now there is something like a timeout for the connection. If the client builds up a connection, the server waits some time for answers from the client before it closes the connection. After all, it could be that someone has quite a slow connection so it has to wait, OR maybe his software crashed and you have to clear the connection port for new connections.

    Makes sense, right? Now imagine someone attacks a server with a botnet. Botnets today are not 300 PCs, we talk about millions of zombie PCs attacking at once. If every client opens a connection and forces the server timeout, in a short time all 60000 ports are gone till the timeout happens. Until then the server can't even respond to your request for a connection, because all ports are full. And after that, other zombie PCs already connect to the now free ports. Not to mention that the whole server has to do a workload it was never built for and suffers from extreme CPU and RAM usage.

    Yeah, I know, there are things like synflood and the example is not how battle.net really works (way more complicated), but it's easier to understand this way. The principle is the same.


    How does this affect blizzard now?
    Blizzard already has a good infrastructure and not only one connection to one Internet provider, more like 300 connections everywhere. So a DDoS attack with "flood the shit out of the connection" might cap 2 connections, not all. So some people won't have any problems connecting, depending on their routing, while others can't connect at all. But if a professional attacker does something like that, you can be sure they have enough zombies to flood something like 180 connections at once to the maximum.

    The other problem is the server attack itself. Sure, the world servers and login servers are all over the world, but you still need one gateway every time, and that would be the bottleneck. Now we don't talk about one server - this is usually a whole server cluster with hundreds of servers. But even so, if you flood this gateway with multiple connections, and millions of them, even the biggest cluster will fail.

    So even if a special security network starts blocking the attacking addresses one after another and does so at the Internet provider side (internal blocking for port attacks, external blocking at the line provider itself for random-shit DoS), the line is still affected by outages and bad performance.


    Conclusion
    DoS or DDoS is something you can't really protect yourself from 100%. Believe me, Blizzard has upgraded the tech. to deal with DoS/DDoS, but depending on the attack size itself, you can't defend against all there is.

    Just a little comparison for what we are dealing with here. In January 2016 one of the biggest DDoS attacks ever hit the BBC and Trump's website. They were flooded with 602Gbps of traffic. That means 75.25 Gigabyte per second, or 1 terabyte of data in about 13 seconds, or 280 Terabyte per hour. To make it even clearer ... if you have an SSD, those can read/write around 500-600 MByte/s, that means 0.5 GByte/s. You would need at least 150 SSDs at once to save the data that comes in.

    Those are numbers that are hard to comprehend, even for someone that works in IT.

    The biggest German provider, the "Deutsche Telekom", has an internet backbone network with 10x 10 Gbit (4x2.5 lanes) and 64 lanes with at least 155 mbit/s (guess my info is a bit outdated and they upgraded a bit), but if you can do a bit of calculus, you see just how much 600 Gbps is. With that much traffic, you could easily shoot an ISP off the internet I guess.
    Last edited by Maerad; 2016-08-24 at 02:06 PM.
    "Who am I? I am Susan Ivanova, Commander, daughter of Andrej and Sophie Ivanov. I am the right hand of vengeance and the boot that is gonna kick your sorry ass all the way back to Earth, sweetheart. I am death incarnate and the last living thing that you are ever going to see. God sent me." - Susan Ivanova, Between the Darkness and the Light, Babylon 5

    "Only one human captain ever survived a battle with a Minbari fleet. He is behind me! You are in front of me! If you value your lives - be somewhere else!" - Delenn, Severed Dreams, Babylon 5
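As an added illustration of Maerad's port/timeout argument (not code from the post), this Python model shows that what saturates the pending-connection table is the product of flood rate and timeout: with 60000 slots and 2000 never-completed connections per second, a 30-second timeout fills the table within half a minute while a 3-second timeout never does. All parameters are constructed for the example.

```python
import heapq


class ConnectionTable:
    """Toy model of a server's table of pending (half-open) connections.

    Each entry holds one slot until the peer completes the handshake or the
    server's timeout reaps it. Only the timeout path is modelled, because a
    flood of clients that never answer leaves the server on exactly that path.
    """

    def __init__(self, capacity, timeout):
        self.capacity = capacity   # slots available (the "60000 ports" of the post)
        self.timeout = timeout     # seconds a pending entry is held before it is reaped
        self._expiry = []          # min-heap of expiry times, one per pending entry

    def in_use(self, now):
        """Reap expired entries and return how many slots are still occupied."""
        while self._expiry and self._expiry[0] <= now:
            heapq.heappop(self._expiry)
        return len(self._expiry)

    def has_free_slot(self, now):
        return self.in_use(now) < self.capacity

    def open_pending(self, now):
        """Try to take a slot for a new half-open connection at time `now`."""
        if not self.has_free_slot(now):
            return False
        heapq.heappush(self._expiry, now + self.timeout)
        return True


def steady_state_occupancy(flood_rate, timeout):
    """Little's law: once the flood has run for one timeout period the table
    holds (arrival rate x holding time) entries; the server is saturated as
    soon as that product reaches its capacity."""
    return flood_rate * timeout


def simulate_flood(capacity, timeout, flood_rate, duration):
    """Run `duration` one-second ticks. Every tick, `flood_rate` zombies open a
    connection they never complete, then one legitimate player asks for a slot.
    Returns the first tick at which the player is refused, or None if the
    server keeps up for the whole run."""
    table = ConnectionTable(capacity, timeout)
    for tick in range(duration):
        for _ in range(flood_rate):
            table.open_pending(tick)       # attacker entries, left to time out
        if not table.has_free_slot(tick):  # the real player's attempt
            return tick
    return None


if __name__ == "__main__":
    # Constructed parameters: 60000 slots as in the post, 2000 bogus connections/s.
    print("30 s timeout:", simulate_flood(60000, 30, 2000, 60))          # 29
    print("3 s timeout: ", simulate_flood(60000, 3, 2000, 60))           # None
    print("3 s timeout, 20000/s:", simulate_flood(60000, 3, 20000, 60))  # 2
    print("slots needed at 2000/s x 30 s:", steady_state_occupancy(2000, 30))  # 60000
```

This is why defenders shorten the pending-connection timeout or use SYN cookies, which keep no state for a half-open connection at all; neither helps once the link itself is saturated, which is the post's first scenario.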

  2. #2
    I just find it amusing how on the app it says the fault lies with ISPs. No Blizzard, the fault fucking lies with you, sweetheart.

  3. #3
    Do you know how often people who do this kind of stuff get caught? I guess since Blizz is from the US, they mostly report this to the federal police in the US? Or might they be clueless how to counter this stuff?

  4. #4
    Quote Originally Posted by Eleccybubb View Post
    I just find it amusing how on the app it says the fault lies with ISPs. No Blizzard, the fault fucking lies with you, sweetheart.
    The app is made as an information center for when a server is really down. It's made for normal users, not IT experts. They can't write a 20-page reply about why the server could not be reached in this case, because there are hundreds of options for that. Right now the login server is flooded, so the app can't connect to any of the servers at all and thinks your internet might be down or your ISP has a problem. I wouldn't know how to make the check better. If the app can't connect to any server from Blizzard because of the flooding, it can't tell you why it's really down. It only sees "oh, connection timeout". And in 90% of all cases, it's a problem with the ISP or your local line/wlan/firewall/whatever.

    I worked in support and believe me, the fewest problems come from outages at the server side itself. In most cases it's a local event in the area (ISP down, fibre cut) or local with the customer (router needs a reboot).

    Yeah it sucks and I would also like to play, but there's not much they can do about it.

    - - - Updated - - -

    Quote Originally Posted by Deshi View Post
    Do you know how often people who do this kind of stuff get caught? I guess since Blizz is from the US, they mostly report this to the federal police in the US? Or might they be clueless how to counter this stuff?
    Well, if you do that yourself with your own line, they would have your IP address and could get you. But botnets that can kick Blizzard off the internet are on a way different magnitude. Those are infected zombie PCs that connect to a cluster of "remote operation servers". If someone wants to flood, he tells the operation center "flood this network with those addresses with 80% of capacity". The OP server tells that to its zombie clients and those start to flood. The attacker himself is behind his botnet and his address will never be used.

    Think of it like mobile terror. Buy an anonymous mobile / cell phone SIM card, call someone and harass him, throw the card/phone away. Nobody will ever catch you. Same goes for the botnet.

  5. #5
    Well, if you do that yourself with your own line, they would have your IP address and could get you. But botnets that can kick Blizzard off the internet are on a way different magnitude. Those are infected zombie PCs that connect to a cluster of "remote operation servers". If someone wants to flood, he tells the operation center "flood this network with those addresses with 80% of capacity". The OP server tells that to its zombie clients and those start to flood. The attacker himself is behind his botnet and his address will never be used.

    Think of it like mobile terror. Buy an anonymous mobile / cell phone SIM card, call someone and harass him, throw the card/phone away. Nobody will ever catch you. Same goes for the botnet.
    So basically, the only way to get them is if they are stupid enough to brag about it to friends or unprotected on a forum =P
    Darn, Blizz has a tough time!

  6. #6
    I appreciate the lesson.

    When you say "professional" do you just mean highly skilled (if that's the right word...) or can people actually make money out of annoying the hell out of us?

  7. #7
    Tharkkun (Join Date: Oct 2008, Location: Minnesnowta, Posts: 7,058)
    Quote Originally Posted by Eleccybubb View Post
    I just find it amusing how on the app it says the fault lies with ISPs. No Blizzard, the fault fucking lies with you, sweetheart.
    No, it lies with all the bullshit ISPs who don't fix the ability to send packet replies from their network that didn't originate from them. AKA spoofing. Someone randomly sends a request to my ISP for data but spoofs the request as coming from Blizzard's IP address. My ISP responds back to Blizzard with a response instead of to me. If ISPs would fix this loophole, DDoSes would be nonexistent.

    The moment you tried a legit DDoS you'd be taken down, jailed, etc. because they would trace it immediately to you. It's only possible because of spoofing. ISPs take the easy way out and don't implement their network properly because they say it doesn't affect them.
    --------------------------------------------------------------------------------
    Essentia@Cho'gall of Inebriated Raiding.
    http://us.battle.net/wow/en/characte...ssentia/simple
    http://masteroverwatch.com/profile/pc/us/Tharkkun-1222

  8. #8
    Deleted
    Quote Originally Posted by Demeia View Post
    I appreciate the lesson.

    When you say "professional" do you just mean highly skilled (if that's the right word...) or can people actually make money out of annoying the hell out of us?
    There are several approaches to "professional". Basically, it is a market. The providers are (professional) hacker (organizations) who create large botnets.

    Basic terms:
    Botnet: A botnet basically contains one or several Command & Control (C&C) servers which control so-called zombies. The C&C server can issue commands over a communication protocol and the zombie executes these commands.

    Zombie: A zombie is a device connected to the internet with malware installed (in most cases unknown to the device owner). This can be a mobile phone, a laptop, a PC, a server, ... (yes, that means your very own PC could be a zombie too). The hacker will infect the device, mostly by social engineering (e.g. an e-mail with a link you clicked, an insecure website with code hidden inside an image, a PDF file you downloaded, a "free" USB stick they give away (with a hidden manipulated driver on it), ...) and the malware on the device executes the commands given by the C&C server. This could be a request to an insecure DNS resolver with a spoofed destination IP address, for example.

    Now let's assume (you can do that safely) that most people do not know or do not care about securing their device, or may be easily tricked by social engineering. This results in large botnets. The more zombies a botnet contains, the more powerful the attack can be. Owners of C&C servers have access to the botnet and can sell this functionality to a client. This client can be anyone. The term for this is DDoS-as-a-Service. There exist (quite openly) websites where you can just book a DDoS attack (e.g. on your school network). If we talk about professionals, there can also just be organizations who are hired to DDoS a company, potentially to create a market advantage for their customer or simply because someone paid enough money.

    TL;DR: Yes, you can make a lot of money in this illegal business, and if you are careful it is very hard to get you because you hide behind anonymous IP addresses, proxy servers and devices which have no real connection to you. There are even self-sustaining botnets which work over peer-to-peer connections to be more robust against interruptions.
    Last edited by mmocbcfb286c49; 2016-08-24 at 05:44 PM.

  9. #9
    Jaylock (Join Date: Sep 2009, Location: The White House, Posts: 8,832)
    Quote Originally Posted by Liox View Post
    There are several approaches to "professional". Basically, it is a market. The providers are (professional) hacker (organizations) who create large botnets.

    Basic terms:
    Botnet: A botnet basically contains one or several Command & Control (C&C) servers which control so-called zombies. The C&C server can issue commands over a communication protocol and the zombie executes these commands.

    Zombie: A zombie is a device connected to the internet with malware installed (in most cases unknown to the device owner). This can be a mobile phone, a laptop, a PC, a server, ... (yes, that means your very own PC could be a zombie too). The hacker will infect the device, mostly by social engineering (e.g. an e-mail with a link you clicked, an insecure website with code hidden inside an image, a PDF file you downloaded, a "free" USB stick they give away (with a hidden manipulated driver on it), ...) and the malware on the device executes the commands given by the C&C server. This could be a request to an insecure DNS resolver with a spoofed destination IP address, for example.

    Now let's assume (you can do that safely) that most people do not know or do not care about securing their device, or may be easily tricked by social engineering. This results in large botnets. The more zombies a botnet contains, the more powerful the attack can be. Owners of C&C servers have access to the botnet and can sell this functionality to a client. This client can be anyone. The term for this is DDoS-as-a-Service. There exist (quite openly) websites where you can just book a DDoS attack (e.g. on your school network). If we talk about professionals, there can also just be organizations who are hired to DDoS a company, potentially to create a market advantage for their customer or simply because someone paid enough money.

    TL;DR: Yes, you can make a lot of money in this illegal business, and if you are careful it is very hard to get you because you hide behind anonymous IP addresses, proxy servers and devices which have no real connection to you. There are even self-sustaining botnets which work over peer-to-peer connections to be more robust against interruptions.
    Very interesting read, also to the OP.

    Couple questions, is there really any way to prevent malware from infecting your device? Is malwarebytes a good enough application to run regularly to check for malware on your system and remove it? I'm smart enough to know not to click on any suspicious emails or links, but I would think during the normal course of browsing and such something might get through.

    Any good recommendations to PC protection? I use the normal Windows Firewall / Security, but have you found something to be more effective?

    I just wouldn't want my PC or any of my mobile devices contributing to the problem.

  10. #10
    Quote Originally Posted by Jaylock View Post
    Very interesting read, also to the OP.

    Couple questions, is there really any way to prevent malware from infecting your device? Is malwarebytes a good enough application to run regularly to check for malware on your system and remove it? I'm smart enough to know not to click on any suspicious emails or links, but I would think during the normal course of browsing and such something might get through.

    Any good recommendations to PC protection? I use the normal Windows Firewall / Security, but have you found something to be more effective?

    I just wouldn't want my PC or any of my mobile devices contributing to the problem.
    There is no perfect security. Even gov. institutes have problems with malware, but their attack vector is more social engineering than opening the wrong attachment.

    The best protection would be:

    1. A virus scanner, any free one will do. Also Windows 10 has a secondary antivirus check that is active all the time
    2. Don't DL software from third parties. Go to the developer site all the time. So no Cnet etc.
    3. Don't DL illegal software, that can be compromised
    4. Don't open attachments or links in mails from people you don't know
    5. Don't open attachments and links in mails from people you know but who didn't tell you they were sending something
    6. Keep your software up to date, even Windows
    7. Uninstall Adobe Flash if you don't need it (that thing has more security issues than Swiss cheese has holes)

    Secondary:
    Keep a current backup of all your data NOT accessible from your PC! Get a program like CobianBackup as backup software. Then an external HDD. The best way is to connect the HDD to your router if possible, disable unregistered access and configure it in a way that only FTP access is allowed. Use Cobian to copy your files over with FTP. Or use an external drive like WD MyCloud - those are network storages that have FTP and other tools built in. So in the worst case, all your data is secure.

    If your PC is infected, use a special rescue disk/USB stick to search for viruses, like the Kaspersky Rescue CD or Antivir Rescue CD. All of them are free to use!

    For a firewall the Windows firewall is more than enough. Everything else is useless. Today you are behind a router. Every scan from the internet hits the router, not your PC behind it (if you didn't configure it otherwise). If you want additional security, you could get an intrusion detection program or a router with functionality like that. Those detect abnormal patterns but are expensive.

    Most "defend" programs tend to "scare" you more than they should.

    If your PC doesn't behave as it should, you can also use tools like HijackThis (and the appropriate forum) to find the issue.

  11. #11
    Deleted
    Some additional notes (I am no expert in securing devices, but here is some basic information):

    Basically, the danger lies within two components: malware and rootkits.

    A malware is basically just what you assume it is. It is a piece of software which can be installed in a number of ways hidden from the user. A rootkit is installed after getting access to your computer by malware. The rootkit is a collection of tools which can give the cracker (hacker with malicious intent) administration-level access to your device, and it is used to mask the malware against your anti-virus software and might even create a backdoor to your device (that means that the attacker can issue commands to your PC beside the malware functionality). A rootkit can be found by rootkit detection software, however: if you find a rootkit, wipe your device clean! That is what the backups Maerad mentioned are for.

    There are some basic tips most IT security companies are issuing, which Maerad basically gave to you already. If you want more information there are also resources from the NIST (National Institute of Standards and Technology) and other sources (e.g. if you are German, you might want to have a look at the BSI (Bundesamt für Sicherheit in der Informationstechnik)).

    Edit:
    Maybe a practical thing too: there will always be a trade-off between most secure and comfort. "Most secure" would be a specially crafted Linux distribution, for example, and deactivating JavaScript execution in your browser. But since JavaScript is used by most web content to provide interactivity, you might not want to do that, since it is not comfortable to always activate and deactivate JavaScript when you are entering / leaving a website you "know" is secure. This means that you are accepting the risk, and the assessment of whether you need to protect against the risk is up to you and your browsing behavior.
    Last edited by mmocbcfb286c49; 2016-08-24 at 06:17 PM.

  12. #12
    Quote Originally Posted by Tharkkun View Post
    No, it lies with all the bullshit ISPs who don't fix the ability to send packet replies from their network that didn't originate from them. AKA spoofing. Someone randomly sends a request to my ISP for data but spoofs the request as coming from Blizzard's IP address. My ISP responds back to Blizzard with a response instead of to me. If ISPs would fix this loophole, DDoSes would be nonexistent.

    The moment you tried a legit DDoS you'd be taken down, jailed, etc. because they would trace it immediately to you. It's only possible because of spoofing. ISPs take the easy way out and don't implement their network properly because they say it doesn't affect them.
    That's not really true. If you flood someone with your own line, spoofing would be necessary, but this can be traced back meanwhile in most/some cases.
    In case of a botnet, they don't use spoofing, or better said only as one of many attack vectors. The nice thing with a botnet is, you can't trace back the person that gives the commands. The bots connect to a line of control servers. Those control servers get the commands from someone that sends the commands to them. If you didn't infiltrate the control servers, it's not possible to remotely get who sends the commands. And even IF you infiltrated the servers, those guys are connected with a VPN and should go over 2-3 random, open proxies to connect to the control servers, so not traceable. For some bigger botnets it needed scientists and global work from many agencies like the NSA to knock that botnet out.

  13. #13
    Deleted
    Quote Originally Posted by Jaylock View Post
    Couple questions, is there really any way to prevent malware from infecting your device?
    The shutdown button. Otherwise, no, not really.

    Quote Originally Posted by Jaylock View Post
    Is malwarebytes a good enough application to run regularly to check for malware on your system and remove it? I'm smart enough to know not to click on any suspicious emails or links, but I would think during the normal course of browsing and such something might get through.

    Any good recommendations to PC protection? I use the normal Windows Firewall / Security, but have you found something to be more effective?

    I just wouldn't want my PC or any of my mobile devices contributing to the problem.
    Common sense really does go far when it comes to risk assessment of strange e-mails and links.
    Pretty much any anti-virus gives you about the same basic protection.
    If you have it available, use reputation-based antivirus filtering.
    Enable heuristic scans in your AV, if available.
    Uninstall any browser extensions you don't need (especially Java and Flash).
    If you need them, always keep them updated.
    Install and configure Microsoft EMET.
    Use Google Chrome.
    Have backups.

    That's about it for basic hygiene.

  14. #14
    Starts by saying it's a "simple explanation" and then follows it up by talking about things I don't understand as a non-IT guy.

  15. #15
    Deleted
    Quote Originally Posted by micwini View Post
    Starts by saying it's a "simple explanation" and then follows it up by talking about things I don't understand as a non-IT guy.
    To summarize all we said in three short sentences:
    - A DDoS attack is created by a botnet which consists of a huge number of illegally infected devices
    - The attacker cannot be easily identified, nor can the DDoS attack be easily shut down (at least not if you use legal tools)
    - To protect against being part of a botnet, have a firewall and anti-virus software up to date, only install software you really need and be careful with links and attachments in e-mails (only open attachments if you really trust the sender and if you checked his full e-mail address)

    (- Think about creating backups of your PC on an external hard drive at least once a month)

  16. #16
    Quote Originally Posted by Liox View Post
    To summarize all we said in three short sentences:
    - A DDoS attack is created by a botnet which consists of a huge number of illegally infected devices
    - The attacker cannot be easily identified, nor can the DDoS attack be easily shut down (at least not if you use legal tools)
    - To protect against being part of a botnet, have a firewall and anti-virus software up to date, only install software you really need and be careful with links and attachments in e-mails (only open attachments if you really trust the sender and if you checked his full e-mail address)

    (- Think about creating backups of your PC on an external hard drive at least once a month)
    So you basically plant bombs on devices(for example I plant a virus on your pc) and then you detonate them all at once?

  17. #17
    How come every time there's a problem on Blizzy's end it's automatically a DDoS attack?

  18. #18
    Quote Originally Posted by darklogrus View Post
    How come every time there's a problem on Blizzy's end it's automatically a DDoS attack?
    Because usually there's someone on twitter or 4chan going "Lawl I'm DDOSing Blizzard!"

  19. #19
    Deleted
    Quote Originally Posted by micwini View Post
    So you basically plant bombs on devices(for example I plant a virus on your pc) and then you detonate them all at once?
    It's not a bomb in the way you would imagine.
    The malware can be as simple as a tiny program which just uses the basic network protocols and misuses them. This is where "redirection" of traffic by faking the sender IP address (in short: spoofing) comes into play. Let's say you want to know what time it is: your computer can use the Network Time Protocol (NTP) to synchronize its clock with the configured timezone. Normally, the computer makes a request and the server answers with a reduced response, but you can also request a lot more information. The malware simply asks for all the information the server can provide and manipulates the IP address which tells the server where to send the information. And now imagine 300,000 devices requesting information to be sent to a single IP address. This will totally fill up your bandwidth.
    Last edited by mmocbcfb286c49; 2016-08-24 at 07:53 PM.
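The ISP-side fix Tharkkun refers to in #7, and what stops the forged-source request described in #19 at the zombie's own provider, is source-address validation at the customer edge (BCP 38). The Python model below is an added illustration, not code from the thread; the interface names, prefixes and addresses are constructed from the RFC 5737 documentation ranges.

```python
import ipaddress
from collections import Counter


class IngressFilter:
    """Model of source-address validation (BCP 38, "anti-spoofing") at an ISP's
    customer-facing edge. Each interface is bound to the prefixes delegated to
    the customer behind it; a packet arriving there with any other source
    address cannot be genuine and is dropped before it leaves the ISP."""

    def __init__(self, bindings):
        # bindings: {interface_name: [prefix, ...]}, constructed for this example
        self.bindings = {
            iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in bindings.items()
        }
        self.forwarded = Counter()   # per interface
        self.dropped = Counter()     # per (interface, forged source): audit trail

    def accept(self, iface, src, dst):
        """Return True if the packet may be forwarded toward `dst`.

        An interface with no binding fails closed: nothing is trusted by default.
        """
        src_ip = ipaddress.ip_address(src)
        allowed = any(src_ip in net for net in self.bindings.get(iface, []))
        if allowed:
            self.forwarded[iface] += 1
        else:
            self.dropped[(iface, src)] += 1
        return allowed


# Constructed topology: the customer behind eth1 holds 192.0.2.0/24 and
# 198.51.100.0/26; 203.0.113.7 stands in for the victim ("Blizzard" in #7).
SAMPLE_BINDINGS = {"eth1": ["192.0.2.0/24", "198.51.100.0/26"]}

SAMPLE_PACKETS = [
    # (ingress interface, source, destination)
    ("eth1", "192.0.2.10", "203.0.113.7"),       # genuine customer traffic
    ("eth1", "198.51.100.20", "203.0.113.7"),    # genuine, second delegated block
    ("eth1", "203.0.113.7", "198.51.100.123"),   # source forged as the victim, sent
                                                 # to a reflector: reply would hit victim
    ("eth1", "198.51.100.200", "203.0.113.7"),   # outside the /26 the customer holds
    ("eth2", "192.0.2.10", "203.0.113.7"),       # unbound interface, fails closed
]


def run_sample():
    """Apply the filter to the constructed packets; returns (verdicts, filter)."""
    flt = IngressFilter(SAMPLE_BINDINGS)
    verdicts = [flt.accept(*pkt) for pkt in SAMPLE_PACKETS]
    return verdicts, flt


if __name__ == "__main__":
    verdicts, flt = run_sample()
    for pkt, ok in zip(SAMPLE_PACKETS, verdicts):
        print("forward" if ok else "DROP   ", pkt)
    # Drop counters keyed by forged source are what an operator would alert on.
    print("dropped:", dict(flt.dropped))
```

The filter only works where the spoofed packet enters the Internet, which is why it has to be deployed by the zombie's ISP, not by the victim.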

  20. #20
    Tharkkun (Join Date: Oct 2008, Location: Minnesnowta, Posts: 7,058)
    Quote Originally Posted by Jaylock View Post
    Very interesting read, also to the OP.

    Couple questions, is there really any way to prevent malware from infecting your device? Is malwarebytes a good enough application to run regularly to check for malware on your system and remove it? I'm smart enough to know not to click on any suspicious emails or links, but I would think during the normal course of browsing and such something might get through.

    Any good recommendations to PC protection? I use the normal Windows Firewall / Security, but have you found something to be more effective?

    I just wouldn't want my PC or any of my mobile devices contributing to the problem.
    The built in Windows Essentials + firewall is about as good as you can get. There are other 3rd party software such as McAfee and Symantec but they really aren't any better. They just have better management tools for Enterprises and block more ports.

    Not getting infected relies on keeping your applications up to date. The biggest culprits are Java (Go Oracle) and Flash and obviously your Windows updates.

    Then it's all about being safe. Mistyping a website, clicking a link, opening attachments, closing popups where the close button executes, etc., etc. Most infections today are socially engineered.

    It's not a bad idea to run the quick scan option with Malware Bytes application monthly but I wouldn't use the paid/real time protection. That along with whatever AV client you're running will conflict.

    - - - Updated - - -

    Quote Originally Posted by Maerad View Post
    That's not really true. If you flood someone with your own line, spoofing would be necessary, but this can be traced back meanwhile in most/some cases.
    In case of a botnet, they don't use spoofing, or better said only as one of many attack vectors. The nice thing with a botnet is, you can't trace back the person that gives the commands. The bots connect to a line of control servers. Those control servers get the commands from someone that sends the commands to them. If you didn't infiltrate the control servers, it's not possible to remotely get who sends the commands. And even IF you infiltrated the servers, those guys are connected with a VPN and should go over 2-3 random, open proxies to connect to the control servers, so not traceable. For some bigger botnets it needed scientists and global work from many agencies like the NSA to knock that botnet out.
    That's so 90's though. Back then you could flood someone's dialup off the internet using a T1 or T3 server. We used to do this from the University of MN all the time. But today that would make it far too easy to block. If you're getting flooded from 1 network you just block the class C and be done with it.

    There's a guy on here named ipaq and a few others who work in network security. Their job is to track down these C&C servers and shut them down. You can trace it all back. It's only a matter of whether the country of origin is willing to work with you.
