You have Cookie disabled in your browser. Displaying the site will be incorrect!

How we protect Wargaming against DDoS attacks

Posted: 14.05.2021
Wargaming is one of the world’s largest publishers and developers in the free-to-play MMO market. Wargaming games’ audience, including the flagship projects World of Tanks and World of Warships, consists of more than 200 million users on all major gaming platforms.

The situation

In 2020, the structure of global traffic changed significantly. Our research has shown a dramatic increase in content consumption in the online gaming and entertainment industry. Along with the growing interest in these industries, the number of DDoS attacks targeting infrastructure and game servers has grown.

Infographic showing traffic spike in games (+ 41%) and entertainment (+48%) - 2019 vs 2020 comparison

One of the targets of the cybercriminals was our customer, Wargaming.

How game development is DDoS’d in 2021

In the recent years, attacks have become smarter and more sophisticated.

Increasingly, they are directed at web applications themselves, rather than at specific servers (L7 of the OSI network model). At the same time, attackers very often try to imitate legitimate gaming traffic, which makes it difficult to detect and repel such attacks.

To prevent an attack and separate legitimate and malicious traffic, the traffic must be received and processed. Therefore, high network capacity and a large number of high-speed channels are the main requirements in the fight against DDoS attacks. If the channels are overloaded, the traffic simply cannot get to the DDoS protection system for subsequent cleaning. In such a case, not only the protected customers suffer, but the entire location.

What attack hit Wargaming

On February 18, 2021, the G‑Core Labs defense systems detected an attack aimed at Wargaming servers.

The total volume of the attack was 253 Gbps, and it lasted about 15 minutes. The attackers used the UDP Flood method.

What is UDP Flood

UDP Flood is distributed, artificially generated traffic. The attacker, as a rule, first studies all the subtleties of the gaming application and then generates UDP packets from fake IP addresses (on average, more than 100,000 unique IP addresses can be used in one attack).

How we repelled this attack

By using filter rules to protect against well-known amplification attacks, we deflected some of the malicious traffic at our border routers. We redirected the other part to our cleaning system in order to analyze this traffic deeper and make a more informed decision about blocking.

DDoS Protection product owner at G‑Core Labs

Andrew Faber

Attacks with a capacity of 200–300 Gbps are no longer uncommon today. It’s important that the vendor’s cleanup center that ensures customer protection can handle large amounts of traffic with minimal latency. We at G‑Core Labs do this by using a distributed server system and balancing traffic between these systems.”

DDoS Protection product owner at G‑Core Labs

Andrew Faber

Our method is based on the transfer of a secret key between the client application and the cleaning center, which is guaranteed to separate legitimate and malicious traffic. This way, we ensure the safety of the customer’s infrastructure and the high-quality cleaning of malicious traffic. If a powerful attack of several hundred gigabits per second is detected, traffic is distributed across several servers and several cleaning centers, thus avoiding overloading the server or even an entire server cluster.

DDoS Protection product owner at G‑Core Labs

Andrew Faber

“As a result, the attack on Wargaming resources was successfully repelled, game server users continued to enjoy uninterrupted service, and the server was available to users all over the world for the whole time.”

DDoS Protection product owner at G‑Core Labs

Andrew Faber

How we keep game servers available during a DDoS attack

Attacks are detected and traffic is cleaned automatically in traffic validation mode.

1. The protection is enabled per request.

2. The protection is configured for your infrastructure individually. For maximum efficiency, we analyze your traffic profile and come up with a set of effective measures.

3. We immediately report any traffic anomalies to tech support. We usually detect attacks within 1 minute.

4. If a cleanup decision is made, all inbound traffic is directed through the filtering platform. This results in only clean traffic arriving at your servers via a dedicated channel.


How we successfully repel any DDoS attack

1. Huge bandwidth of the G‑Core Labs network allows us to process tens of terabits of traffic.

2. Our advanced cleaning system is capable of receiving, detecting, and neutralizing attacks of hundreds of gigabits per second.

3. The comprehensive protection algorithms preclude the possibility of bypassing our cleaning system, even if the attackers use traffic similar to legitimate gaming traffic to attack.

Subscribe to a useful newsletter

Favorable offers and important news once a month. No spam

BANDAI NAMCO Entertainment America
RedFox Games
SynEdge CDN Software
Momento Solutions
Wagner ICT
Stage Audio Works
Tell us what your business objectives are, and we will help you grow anywhere in the world