How we protect Wargaming against DDoS attacks

Wargaming is one of the world’s largest publishers and developers in the free-to-play MMO market.

Wargaming games’ audience, including the flagship projects World of Tanks and World of Warships, consists of more than 200 million users on all major gaming platforms.

The situation

In 2020, the structure of global traffic changed significantly. Our research has shown a dramatic increase in content consumption in the online gaming and entertainment industry. Along with the growing interest in these industries, the number of DDoS attacks targeting infrastructure and game servers has grown.

One of the targets of the cybercriminals was our customer, Wargaming.

How game development is DDoS’d in 2021

In the recent years, attacks have become smarter and more sophisticated.

Increasingly, they are directed at web applications themselves, rather than at specific servers (L7 of the OSI network model). At the same time, attackers very often try to imitate legitimate gaming traffic, which makes it difficult to detect and repel such attacks.

To prevent an attack and separate legitimate and malicious traffic, the traffic must be received and processed. Therefore, high network capacity and a large number of high-speed channels are the main requirements in the fight against DDoS attacks. If the channels are overloaded, the traffic simply cannot get to the DDoS protection system for subsequent cleaning. In such a case, not only the protected customers suffer, but the entire location.

What attack hit Wargaming

On February 18, 2021, the Gcore defense systems detected an attack aimed at Wargaming servers.

The total volume of the attack was 253 Gbps, and it lasted about 15 minutes. The attackers used the UDP Flood method.

What is UDP Flood

UDP Flood is distributed, artificially generated traffic. The attacker, as a rule, first studies all the subtleties of the gaming application and then generates UDP packets from fake IP addresses (on average, more than 100,000 unique IP addresses can be used in one attack).

How we repelled this attack

By using filter rules to protect against well-known amplification attacks, we deflected some of the malicious traffic at our border routers. We redirected the other part to our cleaning system in order to analyze this traffic deeper and make a more informed decision about blocking.

Our method is based on the transfer of a secret key between the client application and the cleaning center, which is guaranteed to separate legitimate and malicious traffic. This way, we ensure the safety of the customer’s infrastructure and the high-quality cleaning of malicious traffic. If a powerful attack of several hundred gigabits per second is detected, traffic is distributed across several servers and several cleaning centers, thus avoiding overloading the server or even an entire server cluster.

How we keep game servers available during a DDoS attack

Attacks are detected and traffic is cleaned automatically in traffic validation mode.

• The protection is enabled per request.
• The protection is configured for your infrastructure individually. For maximum efficiency, we analyze your traffic profile and come up with a set of effective measures.
• We immediately report any traffic anomalies to tech support. We usually detect attacks within 1 minute.
• If a cleanup decision is made, all inbound traffic is directed through the filtering platform. This results in only clean traffic arriving at your servers via a dedicated channel.

How we successfully repel any DDoS attack

• Huge bandwidth of the Gcore network allows us to process tens of terabits of traffic.
• Our advanced cleaning system is capable of receiving, detecting, and neutralizing attacks of hundreds of gigabits per second.
• The comprehensive protection algorithms preclude the possibility of bypassing our cleaning system, even if the attackers use traffic similar to legitimate gaming traffic to attack.

Enable infrastructure protection