We got hit by something I don't understand, a DDOS attack. Please explain how it starts and how it is resolved.
This video is probably the best way to explain it. https://www.youtube.com/watch?v=r3bEjsv9JFw
Edit: Yes it is mostly memes but it is probably the best way to explain how a ddos works.
5 hours and counting
The whole point of a DDOS attack is to deny service or access to those trying to login to the server(s).
The simplest way to stop a DDOS attack is shut the servers down. However, that doesn't tell you anything about how the attack is reaching you and how to prevent it in future. SE needs to know as much as they can about what's happening now, so they can (hopefully) prevent future, similar, attacks -- while they're working to stop the attack and get the servers available to us again.
Asking (or demanding) an ETA on when the attack will be stopped isn't reasonable. We have no idea ourselves where it's coming from or what it'll take to stop it. Or if there's more than one DDOS going on simultaneously. Or many factors that can contribute to the severity of the situation.
I know it's hard to be patient but... that's all we have, at this point.
The simplest way to stop a DDOS attack is shut the servers down.
I agree, but when you shut the servers down, wait 30 mins and start them back up, won't you see the DDOS attacker pouring in? And can't you ID him then?
People getting trolled by OP.
Are you the DDOS attacker? Shialan, I play 6 to 8 hrs a day. I just wanna play. There's no trolling, I want to understand this situation. The video was simplistic at best. Who wants to do this and keep millions from playing this game? Is it a corporate attack from a business rival? Or could it be from the inside, a disgruntled employee?
I think for today at this point they need to just go into early maintenance. Even if they get everything working now there's only like... less than 6 hours until the servers are going down anyway. (Unless they need to be running to learn about the attack)
I did say that the simplest way to stop a DDOS attack is shut down the servers so the attack can't reach them. I'm not a server admin or a hacker, but kinda doubt that simply restarting servers (which would be a huge production for SE given the amount of computers they must have) would then allow anyone to track, find or trace the "DDOS attacker" quickly. The attackers are likely coming from multiple sources, using proxies/VPNs etc., and hiding its/their tracks very very well.
I would think that SE is working more to find their vulnerabilities and plug them up at this point.
Heya,
Any ETA on when these will calm down?
There's been constant lag the past few days and today it's simply unplayable since it reaches actual disconnects while in duties.
DDOS attacks are usually resolved by filtering out the traffic correctly from attackers before it reaches the servers. There are various appliances or software you can put in place before your servers that will analyze and filter traffic. Unfortunately, it can be a cat-and-mouse style situation where the analysis lags slightly behind the changing attack pattern of the DDOS. It makes it hard to predict how long it will take to resolve.
It's not a DDoS attack, they are just preparing everyone for what dawnbringer is going to be like.
Not since the relaunch of ARR has Limsa Lominsa been so empty XD
Last time I managed to log in I was only able to play for less than a minute. They're certainly denying service, all right.
Got several disconnects (Primal/Lamia) 2 in the middle of a duty (fortunately it gave me the rewards). I knew something was up when I saw 30 in queue to start today. Then it was 138. AND even though I had stuff to do, things simply weren't working in the game, so I exited.
Thing that really pisses me off is the SE Server status says everything is working correctly. Bulls**t.
Today is pretty much a loss. In a couple of hours, game will die due to server maintenance. It sucks! :rolleyes:
It's a Distributed Denial of Service attack, where lots of different machines attack at the same moment, so they can't just ban a single IP.
They have happened for years (like even SB I think at least), often at routes leading to the server affecting specific ISPs. But SE got good at contacting those ISPs and setting up countermeasures instead of blaming customers.
So DDoS attacks stopped being very effective until this one.
Horsebleep, if a server is under attack it is NOT online in the fashion it is designed to be. This should be reflected, not hidden from users. AND as a former server admin, I know how DDOS attacks are dealt with.
I beg to differ. The server is online and functioning correctly. The page you reference shows GO/NO_GO status only. The servers are, indeed, up (GO). They are receiving so much traffic that your particular connection isn't able to get through. And if you are a server admin, you know that already. (I used to be an AIX admin, I have some familiarity myself.)
Similar to when expansions first drop and too many people are trying to connect to servers. Some connections get dropped. The DDOS packets are taking advantage of some vulnerability and are probably coming in at a higher priority than our normal connections, which is why nearly every FFXIV player isn't able to login but the DDOS packets are getting through and clogging up all available server connections.
Come now, sir.
Genuinely asking: Is it more helpful to the people at Squeenix trying to fix this if we keep attempting to log in and play? Or is it more helpful to stop until they declare it mended?
I've gotten so many disconnects, lobby connection errors, etc over the last few hours. I've just been giving it a few minutes each time it cuts me off and then trying again b/c I need to do the 16 event. >_<
(Yes I know it's been live for weeks. I wasn't able to play.)
You also know, as a server admin, you wouldn't tell people you are having a problem but blame it on a DDoS attack. That way you can't be blamed for a router or switch failure or some internal traffic. Sure, you tell the boss, but you don't tell the masses or they will lose faith in your skill.
Filtering out traffic is pretty easy on any firewall; that is why past DDoS attacks come and go and we end users never really notice them.
This seems to be something different or a really widespread DDoS attack.
A properly executed DDoS attack is not easily handled by a firewall. By the time the packets reach the firewall it is already too late to filter them out.
It is not handling the packets that is the main problem, but the deluge of packets that will overflow the network connections causing real traffic to be dropped.
Usually what a company does is they have to get in contact with all of their various ISP providers they work with and send reports of the attacks, then they simply have to wait and allow the different teams of each provider to handle the attacks in the ways they do. They don't exactly fully advertise the methods they use to handle these situations because... well that would be kind of the point of having good cyber-security; 'keeping it a well-guarded secret', which is so freak'n hard.
There is a lot I'm leaving out of this explanation and I'm not really explaining it well either, but the gist of it is there.
Except the status checks for each server are probably an internal check inside their network. Probably hitting a `/status` endpoint which does an internal check to make sure all the pieces are functioning, and they are. The problem is that we can't get to the server. You would need something outside their network doing the check and they probably have that, but it's not part of their individual server checks, but more a network monitor which would report differently.
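An added illustration of the post above (not part of the thread, and not Square Enix's monitoring): a status page fed only by in-network checks reports GO during a flood, while one that also weighs probes from outside the network reports the reachability problem. The probe names, the 0.8 threshold and the sample results are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Probe:
    vantage: str    # hypothetical label for where the probe ran
    internal: bool  # True if the probe ran inside the service network
    ok: bool        # True if the status check succeeded from there

def internal_only_status(probes):
    """GO/NO_GO page driven only by in-network checks."""
    inside = [p for p in probes if p.internal]
    return "GO" if inside and all(p.ok for p in inside) else "NO_GO"

def public_status(probes, min_external_ok=0.8):
    """Status that also accounts for reachability from outside."""
    inside = [p for p in probes if p.internal]
    outside = [p for p in probes if not p.internal]
    if inside and not all(p.ok for p in inside):
        return "DOWN: service components failing"
    if not outside:
        return "UNKNOWN: no external vantage point"
    ok_ratio = sum(p.ok for p in outside) / len(outside)
    if ok_ratio >= min_external_ok:
        return "UP"
    failing = sorted({p.vantage for p in outside if not p.ok})
    return "DEGRADED: healthy inside, unreachable from " + ", ".join(failing)

# Constructed sample: servers healthy, most outside paths saturated.
SAMPLE = [
    Probe("lobby-status", True, True),
    Probe("world-status", True, True),
    Probe("isp-a", False, False),
    Probe("isp-b", False, False),
    Probe("isp-c", False, True),
]

if __name__ == "__main__":
    print(internal_only_status(SAMPLE))
    print(public_status(SAMPLE))
```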
It is not an “attack”. It is a failure of Square Enix Holdings Co., Ltd. to provide proper server infrastructure to protect their top revenue earner. The likely reason is that Square Enix cannot afford it or refuses to fund it. This is the same company that gave us such stalwart classics as Endwalker and FF16, yes, but it’s also the same company that made 1.0, Harvestella, FF12-15, and a dozen gacha games that closed in a year. And it’s no surprise that they’re literally going broke. And like anyone who’s bad at his job, this company blames anyone but itself.
But you still think Square Enix Holdings Co., Ltd. is doing better than Microsoft Activision-Blizzard, right?
That they think they are hackers for doing it is the most tragicomic part of it all.
Guys, just close for maintenance early, this is awful.
Yoshi P needs to talk to Phil Spencer about it. Then President of USA, Elon Musk, Bill Gates and finally Mr. Beast for this outrage.