How we protected Albion Online against complex and massive DDoS attacks

About Albion Online

Albion Online is a sandbox MMORPG set in an open medieval-style world.

The game allows players to combine armor and weapons for numerous different playstyles, explore the world, challenge other adventure-seekers in exciting battles, conquer territories, craft items, and build their own homes.

The game’s official launch was in 2017, and in April 2019 it went free-to-play.

Today, Albion Online is a true cross-platform MMO available on Windows, MacOS, Linux, iOS, and Android.

Why did Sandbox Interactive choose our hosting?

The free-to-play launch brought huge amounts of players into the game from all over the world. Server stability, scalability and an effective DDoS protection are paramount for an online game of this scale.

Thanks to our successful track record of designing and supporting infrastructure for large video game developers like Wargaming and RedFox Games, Albion Online’s developers entrusted hosting to Gcore. After all, we are the only hosting company with Guinness World Record-awarded infrastructure!

DDoS attacks after free-to-play

DDoS attacks are a common scourge in the games industry, particularly for successful publishers. Sandbox Interactive was no exception: immediately after the free-to-play release, the game was targeted in a series of coordinated attacks, more intense than usual.

The solutions we used to reflect DDoS attacks on client servers previously did not fit the Sandbox Interactive case, as Albion Online was attacked via UDP Flood.

What is Generated UDP Flood?

Generated UDP Flood is a distributed, artificially generated traffic. An attacker usually preliminarily explores the intricacies of the game application and then generates UDP packets from spoofed IP addresses (on average, more than 100,000 unique IP addresses can be involved in a single attack).

What makes protecting against such attacks difficult?

The IP address and port of the server (in this case, the address of the game server and the application port) are targeted. In particularly difficult cases, an attacker can guess the size (window) of a legitimate packet and generate the necessary bitrate for the SRC_IP and DST_IP pair (one flow). This effectively obstructs filtering. For example, you cannot use countermeasures that are filtered on the basis of rate-limiting. If an attack is well-generated, it is almost impossible to distinguish legitimate (game) traffic from illegitimate traffic by means of analysis.

In the real world, the game application can encrypt UDP payload (e.g. DTLS), which renders countermeasures such as regex_based_filtering useless. Finding a regexp close to the one used by the application is a difficult but possible task. It all depends on the attacker’s persistence.

There are not that many countermeasures to filter such attacks.

Which filtering methods were required?

Effectively reflecting DDoS attacks on Sandbox Interactive/Albion Online required support for all existing filtering methods:

• Rate-limiting: This countermeasure uses various techniques for limiting traffic, for example via the SRC_IP and DST_IP pair. In this case, though, part of the traffic will still reach the server, and an attacker can guess an approximate bitrate of the legitimate application. For dynamic applications, this measure is not efficient.
• Regexp-filtering: You can either skip or discard packets that match regexp in payload. This is quite efficient, but for some types of applications it is not always possible to write a regexp for whitelisting, which means that we can only discard “bad” packets. In these cases, this method becomes extremely inefficient.
• Whitelisting: This implies a server login where the player is pre-authenticated, and his or her IP address is added to the whitelist (for example, via the API). Everything contained in the whitelist is allowed at the game port, the rest is discarded. The method has its drawbacks: it cannot always be architecturally appropriate, and it is difficult to maintain the current state of whitelisting (the user can close the browser while still being logged into the system), and the use of Idle Timeout may lead to the system blocking the player’s session after a certain period of time, forcing reauthentication. In addition, some operators can create NAT from a pool of addresses. Doing so may result in the user’s IP address being changed during the game.
• Blacklisting: This works the same way as whitelisting, but in reverse, i.e. “bad” addresses are added to the list. (In fact, there are not many cases where this countermeasure will be effective.) As a result, the main problem was that there were not many solutions on the market that supported all of the above filtering methods. Ours, however, does!
• IP geolocation filter: This involves blocking IP addresses based on geographical location, such as from high-risk countries. But this countermeasure is also quite easy to bypass.

The solution we proposed

To protect Albion Online against DDoS attacks, we suggested using the Gcore software suite.

This is one of those solutions that not only support all of the above countermeasures, but is also brand-new and unparalleled in attack mitigation technology.

Gcore’s Challenge Response (CR) is one such unique method. This is a stand-alone protocol; integrating it into the client allows passing the challenge for the application, thus validating the IP address of the client.

The result: Albion Online is now securely protected

Thanks to Gcore’s Challenge Response (CR), we have reliably protected Albion Online. The game remains accessible to users all around the world.

As our customers’ experience shows, to attain and maintain success in the gaming industry, it is important not only to create exciting game worlds, but also to have a powerful and invulnerable infrastructure…

…and that’s what we at Gcore can provide for you.

Select a server and get protected against DDoS attacks