Results 1 to 10 of 195

  1. #1
    Hyperia (Player) | Join Date: Mar 2014 | Location: Gridania | Posts: 1,597 | Character: Aileen Pureheart | World: Sargatanas | Main Class: White Mage Lv 100
    Every DDoS is a spy vs spy game with the bad guys.

    They attack, you put in a countermeasure, they circumvent that and continue the attack, you circumvent that, and the cycle continues.

    Unless you want to implement some rather draconian privacy violations to make sure that attacks such as this are traced back to everybody involved and punished, we have to accept that there will be disruptions.
    (18)

  2. #2
    GrizzlyTank (Player) | Join Date: Jul 2015 | Posts: 1,739 | Character: Livia Bloodletter | World: Phoenix | Main Class: Dancer Lv 100
    Quote Originally Posted by Hyperia View Post
    Every DDoS is a spy vs spy game with the bad guys.

    They attack, you put in a countermeasure, they circumvent that and continue the attack, you circumvent that, and the cycle continues.

    Unless you want to implement some rather draconian privacy violations to make sure that attacks such as this are traced back to everybody involved and punished, we have to accept that there will be disruptions.
    Yeah. Pretty much the only solid countermeasure to ddos is its own isolated internet where ip/mac whatever is directly tied to your personal id. So you couldn't just swap id and continue the attack.

    So currently it bogs down to countries encouraging or sanctioning each other to curb the distribution of bots used for malware and ddosing.
    (0)

  3. #3
    Darkshade (Player) | Join Date: Mar 2011 | Location: Bastok Markets | Posts: 377 | Character: Shade Hikari | World: Leviathan | Main Class: Lancer Lv 90
    Quote Originally Posted by Hyperia View Post
    Every DDoS is a spy vs spy game with the bad guys.

    They attack, you put in a countermeasure, they circumvent that and continue the attack, you circumvent that, and the cycle continues.

    Unless you want to implement some rather draconian privacy violations to make sure that attacks such as this are traced back to everybody involved and punished, we have to accept that there will be disruptions.
    SE doesn't need you to defend them, they can do that themselves
    (5)
    XI - Darkshade - Shiva
    XIV - Shade Highwind - Figaro

  4. #4
    Hyperia (Player) | Join Date: Mar 2014 | Location: Gridania | Posts: 1,597 | Character: Aileen Pureheart | World: Sargatanas | Main Class: White Mage Lv 100
    Quote Originally Posted by Darkshade View Post
    SE doesn't need you to defend them, they can do that themselves
    I am not defending them; I am simply stating facts that many people may not really understand. I deal with attacks such as this frequently in my profession, so I know a thing or two about them and how they work.
    (0)

  5. #5
    Kailyn_Swiftheart (Player) | Join Date: Jul 2019 | Posts: 15 | Character: Kailyn Swiftheart | World: Behemoth | Main Class: Conjurer Lv 100
    Quote Originally Posted by Hyperia View Post

    Unless you want to implement some rather draconian privacy violations to make sure that attacks such as this are traced back to everybody involved and punished, we have to accept that there will be disruptions.
    Spoken like a true non-cybersecurity expert.

    I work in offensive cybersecurity at the NSA. (It's my job to do things like DoS, hacking, etc)

    There are absolutely ways to prevent DDoS attacks, assuming they are happening directly against SE servers themselves, and not somewhere immediately upstream.

    If SE separates their active directory server from their game servers, and only allows connections to the game server once authorized by the active directory (this can be done via ESTABLISHED lines in iptables on a Linux system), you can drop all packets unrelated to legitimate connections to the game servers. This would not prevent a DDoS attack against the active directory, of course, but any such attack would only prevent people from trying to log into the game. It would have no effect on active connections.

    You can also limit the number of connections per second, among other actions. There are a myriad of solutions available in the modern era.

    If the attacks are coming from upstream, the ISP should have alternate routes for traffic. If they don't, then it's a terrible ISP, and SE should consider changing contracts. I've heard this is the case.

    There is absolutely no excuse for bad cybersecurity policy. The fact of the matter is, that's exactly what is happening here, whether it's on SE's side or on their ISP. Someone isn't doing their job, and we're all made to suffer for it.
    (11)
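One way to realise the split post #5 describes (a game port that accepts only ESTABLISHED traffic, a separate login path with a connection rate limit), as an added example that is not from the thread, from SE or from any real game deployment: a script that prints an iptables/ipset ruleset rather than applying it. The interface name, port numbers, rate figures and the use of an ipset that the login service fills in for "authorised" clients are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) an iptables/ipset
# policy with two paths: a login port that accepts NEW connections under a rate
# limit, and a game port that only accepts traffic for sessions already in the
# conntrack table or from clients the login service has just authorised.
# Interface, ports, limits and the ipset name are hypothetical placeholders.
WAN="${WAN:-eth0}"               # hypothetical public-facing interface
AUTH_PORT="${AUTH_PORT:-4001}"   # hypothetical login service port
GAME_PORT="${GAME_PORT:-4002}"   # hypothetical game-world port
NEW_PER_SEC="${NEW_PER_SEC:-50}" # new login connections allowed per source /24 per second
MAX_PER_IP="${MAX_PER_IP:-10}"   # concurrent login connections allowed per source IP
AUTH_TTL="${AUTH_TTL:-60}"       # seconds an authorised client has to open its game session

gen_rules() {
  cat <<EOF
# Set the login service populates after a successful authentication
ipset create authorized hash:ip timeout $AUTH_TTL -exist
iptables -A INPUT -i lo -j ACCEPT
# Game port: packets conntrack already knows about, plus the first SYN from a
# client the login service authorised. Everything else is dropped, so a flood
# at the game port creates no new state and active sessions keep flowing.
iptables -N GAME_FILTER
iptables -A INPUT -i $WAN -p tcp --dport $GAME_PORT -j GAME_FILTER
iptables -A GAME_FILTER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A GAME_FILTER -m conntrack --ctstate NEW -m set --match-set authorized src -j ACCEPT
iptables -A GAME_FILTER -j DROP
# Login port: new connections are rate-limited per source /24 and capped per
# source IP; an attack here only hurts logins, not sessions already in play.
iptables -A INPUT -i $WAN -p tcp --dport $AUTH_PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN -p tcp --dport $AUTH_PORT -m conntrack --ctstate NEW -m hashlimit --hashlimit-name login_new --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-above $NEW_PER_SEC/second -j DROP
iptables -A INPUT -i $WAN -p tcp --dport $AUTH_PORT -m connlimit --connlimit-above $MAX_PER_IP --connlimit-mask 32 -j REJECT --reject-with tcp-reset
iptables -A INPUT -i $WAN -p tcp --dport $AUTH_PORT -m conntrack --ctstate NEW -j ACCEPT
# Default-deny inbound, set last so the accept rules above are already in place
iptables -P INPUT DROP
EOF
}

# Hook for the login service: mark a client as allowed to open a game session.
authorize_client() {
  printf 'ipset add authorized %s timeout %s -exist\n' "$1" "$AUTH_TTL"
}

# Dry run by default; pass --apply (as root) to feed the policy to sh.
case "${1:-}" in
  --apply) gen_rules | sh ;;
  *) gen_rules ;;
esac
```

This shapes what the host will accept and keeps existing sessions up while the login path is hammered; it does nothing for the case post #9 asks about, where the flood saturates the inbound link before packets reach the host, which only an upstream provider can absorb (the ISP point in post #5).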

  6. #6
    FeyFavilla (Player) | Join Date: Nov 2025 | Posts: 110 | Character: Fey Favilla | World: Coeurl | Main Class: Red Mage Lv 100
    Quote Originally Posted by Kailyn_Swiftheart View Post
    Spoken like a true non-cybersecurity expert.

    I work in offensive cybersecurity at the NSA. (It's my job to do things like DoS, hacking, etc)

    There are absolutely ways to prevent DDoS attacks, assuming they are happening directly against SE servers themselves, and not somewhere immediately upstream.

    If SE separates their active directory server from their game servers, and only allows connections to the game server once authorized by the active directory (this can be done via ESTABLISHED lines in iptables on a Linux system), you can drop all packets unrelated to legitimate connections to the game servers. This would not prevent a DDoS attack against the active directory, of course, but any such attack would only prevent people from trying to log into the game. It would have no effect on active connections.

    You can also limit the number of connections per second, among other actions. There are a myriad of solutions available in the modern era.

    If the attacks are coming from upstream, the ISP should have alternate routes for traffic. If they don't, then it's a terrible ISP, and SE should consider changing contracts. I've heard this is the case.

    There is absolutely no excuse for bad cybersecurity policy. The fact of the matter is, that's exactly what is happening here, whether it's on SE's side or on their ISP. Someone isn't doing their job, and we're all made to suffer for it.
    This mirrors more or less exactly what we were told when WoW was having issues years back and how they managed stuff. Login servers died but the game and all instances were fine. So I am not insane and there really are ways to fix the situation, coming from a professional. At this point then they HAVE to know there are ways to stop it and are actively choosing not to. What, to punish the players for the low sub numbers? Because they don't think our peace of mind is worth investing in a new system to protect the game not just now but in future down the line too?
    Fantastic.
    (3)

  7. #7
    Jeeqbit (Player) | Join Date: Mar 2016 | Posts: 7,980 | Character: Oscarlet Oirellain | World: Jenova | Main Class: Paladin Lv 100
    Quote Originally Posted by Kailyn_Swiftheart View Post
    There are absolutely ways to prevent DDoS attacks, assuming they are happening directly against SE servers themselves, and not somewhere immediately upstream.

    If the attacks are coming from upstream, the ISP should have alternate routes for traffic. If they don't, then it's a terrible ISP, and SE should consider changing contracts. I've heard this is the case.
    Usually it's attacking an upstream ISP. SE usually says "we will continue to monitor the situation and work with ISPs to come up with countermeasures". Additionally, in most DDoS attacks we've ever had on this game, there have been players unaffected who are on different routes.

    This particular DDoS is successfully disconnecting the vast majority of players. I was able to count 844 players on Jenova (that weren't in a duty), after going through a queue of 600ish, which suggests the majority of people got disconnected. When I'm in a party of 8, typically all 8 of us get disconnected.

    I have thought they could solve it if they tried harder by having their own network of VPN/proxy servers and rotating which ones we connect to in order to avoid ongoing attacks on certain routes or IPs, or force attackers to distribute their efforts across more IPs. And then have a process to try and carry over connections to prevent game disruption.

    They could also solve it by just making the client not disconnect so quickly. Ever notice how, when you log back in, it says "there is someone still logged in on another client". So the server thinks we are still connected, it was just the client that decided to give up too quickly. They need to make the client more resilient. I get that it is difficult because packets are numbered and build up, but maybe they need to find a way to reverse the actions of those packets if they didn't reach the server and then discard the packets, so the client doesn't give up so quickly (speaking of which, SE doesn't use UDP, which is what makes it harder for them to do this).
    (1)

  8. #8
    Shistar (Player) | Join Date: Dec 2021 | Location: Housing update waiting room | Posts: 714 | Character: Arkaiss Crow | World: Phantom | Main Class: White Mage Lv 100
    Quote Originally Posted by Jeeqbit View Post
    [...] So the server thinks we are still connected, it was just the client that decided to give up too quickly. They need to make the client more resilient.

    The client rn:
    (3)

  9. #9
    gem5 (Player) | Join Date: Oct 2023 | Posts: 3 | Character: Memeta Meta | World: Masamune | Main Class: Scholar Lv 100
    Quote Originally Posted by Kailyn_Swiftheart View Post
    There are absolutely ways to prevent DDoS attacks, assuming they are happening directly against SE servers themselves, and not somewhere immediately upstream.
    I agree with you that SE is 100% directly or indirectly responsible for the current ddos fiesta. Preventative methods such as reevaluating the ISP or hardening the datacenters should have been considered years ago.

    But is dropping connections / only allowing established connections enough if the SYN packets themselves are consuming the entire bandwidth of a server?
    (2)