Share this article

Fighting the nightmare – when small developers encounter DDoS attacks

By Dan
Sep. 1, 2021 updated 11:34

Original by Lushark

Imagine that you just finished a day's work, returned home wishing to have a hot bath, only to find that you are locked out of your own home. You resorted to the locksmith after trying everything you could think of and finally opened the door. Exhausted, you noticed a message on the wall: "If you do not want to be locked out again, get the ransom ready.”

 Such "burglaries" in the real world are dying out, but in cyberspace, similar crimes only get more brutal - DDoS attacks and the ensuing extortion have become a nightmare for small or medium-size game developers. 

DDoS attacks, also known as "distributed denial-of-service attacks", come in a variety of ways: UDP flood, TCP reflection, CC attacks, etc. Most players have never heard of these terms, but are quite familiar with the direct consequences of them - "bombarded server".

Simply put, DDoS attacks against game companies are used to deplete the target's server resources in various ways, making it impossible for regular players to log in or to use certain in-game functions. Most of the attackers' purpose is to extort money and coerce the game companies to trade money for security.

Such attacks were once used against large enterprises like Sony and Capcom, but nowadays more and more small or medium size mobile game studios are affected. Compared with large companies, small studios are weaker in prevention and more dependent on a single product, which makes them a soft touch. But it was also the resistance from them that started to bring DDoS attacks into the sight of ordinary players.

Yi Jian Xing (“Game of Swords”), which went live in early August, came under the spotlight after it was blackmailed by hackers and the development team chose to simply take the service offline, refusing to pay the ransom to the hacking team. This incident has made many people aware of the large number of small developers who have been plagued by DDoS attacks.

The development team of Yi Jian Xing announced that they have given users full refunds on all payments made so far, and mentioned that it’s “better to die in glory than living in dishonor”

However, this level of exposure was not enough to make the hackers stop. Less than two weeks later, Crossingstar Studios' Banzhan’s Journey was likewise subjected to a DDoS attack on its release day.

The hackers first used the game's guest login mechanism to forge a large number of fake users and exhaust the server resources. They then attacked through a single sign-on, flooding the server with traffic that was tens of thousands of times higher than normal. Continuing the attack through CC attacks using payment APIs and was finally able to bring the servers down. It took the team a few days to finish patching the security holes, and fortunately in the end most of the players could enter the game as usual.

What happened to Banzhan’s Journey was just a microcosm - many small or medium size studios have been and will be in a similar situation. For them, a DDoS attack is an arrow pointing at Achilles Heel.

Game developer’s heel

 DDoS attacks were almost born with the Internet - as long as online services are provided, you may become a victim of DDoS attacks. Most of the early DDoS attacks were carried out by individual hackers to show off or get revenge. Nowadays, they have been developed into a means of extortion and blackmail, and the first to bear the brunt is the gaming industry.

According to the 2020 DDoS Threat Report released by Tencent Security, nearly 80% of DDoS attacks are targeted at the gaming industry

Early in the PC MMO era, online game developers were already the victim of hacker extortion; now that the mobile game era has come, card games have become the worst-hit region. Most of these developers are too rich to get entangled with hacker teams and are not willing to disclose to the public. Therefore, for a long time, ordinary players did not know much about the harm caused by DDoS attacks.

Perhaps it is getting more and more difficult to make a profit from big companies, or the cost of DDoS attacks has been further reduced – hackers have become more focused on small or medium size mobile game studios. They would take advantage of the launch of the game server to set up attacks, and have even figured out a shortcut to screening – TapTap’s "Editors’ Picks".

Games recommended by the “Editors’ Picks” section are usually developed by small studios, and these studios often lack experience in network security. In fact, they would rely too heavily on the services provided by third-party cloud providers. Yet most of the basic protections provided are quite fragile - once the peak traffic exceeds the preset bandwidth, all the outgoing traffic will be silently dropped. This is known as a "black hole", and traffic can only be brought back after a certain cooldown time. Hackers would take advantage of this mechanism to loop the game developer's interface into the black hole repeatedly.

If the development team is unfortunate enough to have a key module set up on a cloud server, then there are few technical precautions they can do at this point. They could either pay the cloud providers more to upgrade to "advanced protection services", or compromise with the hacker and pay a ransom, which is almost like being blackmailed by both sides. Hackers who are familiar with the market will take the opportunity to offer an amount lower than the price of the "advanced protection service" to coerce developers into compliance.

Hackers do not have any significant technical advantages, but they are experienced and would just wait for the best opportunities. Knowing the weakness and inertia of small or medium-size developers, they can always jam the pace to take the initiative[A1]. During the review process after an attack, developers can often identify some simple precaution techniques, but not everyone has a second chance.

For many small studios, a ¥20,000 ransom is not much different from a ¥50,000 advanced defense - both means forking out a lot of money even after the game went live. What's more, a DDoS attack on the release day would usually result in irreversible user loss (and might waste the only chance to get a platform recommendation). Even if the game could be redeemed, it may already be a dead hostage.

That's why some small or medium-size developers resist much more fiercely than large companies. With the mentality of "close down at the worst", they confronted hackers to the end and won’t let them take any advantage.

If every company acts like this, will it make the hackers give up? No one knows the answer, but even if it would work, the price is too high. After all, no one really wants to sacrifice their hard work.

The tip of the iceberg

Chinese game studios are not the only ones suffering from hacking. In earlier years, the Japanese mobile game tradition of "launch to be bombarded" has become a standing joke. Now that we look back, it is probably since the mobile game market is growing quickly day by day that people are more aware of the attacks.


(Like most Chinese companies, large companies in Japan are often reluctant to admit that they have been subjected to a cyberattack; and small teams would just close down in silent struggles)

DDoS attacks have long been a worldwide cybersecurity challenge - the originating location of such attacks spreading across the globe, making it rather difficult to find the actual location of the criminals. And offshore attacks are not the only reason that increases the difficulty.

The "Dark Night Group" busted in China a few years ago was a group lurking in Cambodia to carry out DDoS attacks to extort Chinese enterprises. Eventually, all of them were caught under the efforts of Shenzhen public security authorities. 11 people were sentenced to prison terms ranging from one to two years for "sabotaging computer information systems".


The "Dark Night Team" carried out DDoS attacks against Tencent cloud servers in 2017, causing economic losses of ¥114,358 to the latter

The group at the time still retained the tradition of some hackers to “gain both fame and wealth”. The organization was well-structured, coordinated, and the members’ online and offline identities were strictly mapped, which actually allowed the investigators to establish a complete chain of evidence, and ultimately convict them.

"Fine division of labor and assembly line operations" is becoming a new trend in this type of dark business. Some specialize in injecting Trojan horses, collecting zombie computers, and then selling these infected terminals to other organizations - these people are known as "zombie merchants". Some would acquire these zombie computers, who are often the direct initiator of DDoS attacks - they are the "hitters" in the whole industry chain, and also the most hidden ones. Some people hold a large amount of personal information to build a payment network for money laundering. In addition, there are a large number of brokers hovering between these people, participating in intermediary and guarantee activities, making the whole transaction chain more concealed, and also making the threshold of crime lower and lower.

Graph demonstrating the chain among initiators (blue), hitters (red), zombie merchants (yellow), and brokers (transparent)

A game developer once commented on the hacker organization with a touch of self-deprecation: "The division of labor and resource sharing among hackers is probably even closer than among us regular programmers."

The disguise of the industry is also far beyond the imagination of the public. Tools of these crimes are hidden under the noses of everyone - on a certain e-commerce platform, the so-called "DDoS resistance test" "network attack and defense training" may actually be the scripts for network attacks, and the sellers are probably zombie merchants themselves.

Due to the lack of evidence, nothing can be done other than asking these sellers to take down the goods or just ban their accounts

The identity of the hackers is also bewildering. Many of the hackers who have been extorting game companies recently claim to be from an organization called ACCN (reported to be a group of Taiwanese criminals colluding with mainland hackers to extort local businesses). But there is no evidence that they are from the same organization. Their technique varies, and there’s no way to tell that they are from Taiwan. But from the perspective of the extortionists, they are happy to share the same facade so that the public will believe that they are a regular organization in a certain region, and thus better hide their identity.

As matters stand, it is not difficult to notice that such a complex industry chain has long exceeded the scope of simple "hacking", involving all aspects of information security.

The macro circumstances are hard to change in the short term, and the only option that small or medium-sized developers have to take is to stick together to save themselves. Additionally, there could probably be more tech communications, they could jointly purchase "high defense" on-demand, and they could provide joint evidence in common lawsuit…

There are indeed many more things that can be done, but most small or medium size studios, have already exhausted everything they can on their own work, and have no energy left to implement these changes.

Yet it is these small businesses who have managed to expose the hackers that have been hiding in the shadows for so many years, to the public. The confrontation between these developers and hackers is still far from the end, but their uncompromising courage has brought some light to the situation. At least future developers in a similar situation can say "we were hacked" open and aboveboard, and no longer need to feel ashamed of being a victim.

After all, the first step to dispelling the gloom is to expose it to the sun.