I just stumbled across an enormous outcry about another attack by the “LizardSquad” against DBG’s (former SOE) Games that were allegedly the outcome of a few angry posts on Twitter by DBG’s CEO John Smedley. (Storylink)
Along with the usual “fixit fixit fixit” there was also a lot of guesses thrown out about the size of the genitals of a 14-year old fin. What startled me though is the sheer lack of knowledge when it comes to the gamers themselves. So please, let me help and explain how this magical and dangerous DDoS stuff works.

Lets start at the beginning.

The most obvious reason why a 14-year old brat can cripple a whole corporation (Sony, Microsoft, …) is that there are a lot of idiots on the internet. This has nothing to do with skill but with criminal energy and in the case of that specific 14-year-old, a lack of possible jurisdiction. The process is simple, you buy a bot kit from a website for a few bitcoins or simply with stolen credit cards, package all the functions you need and upload it as several variants to sharing portals as highly anticipated no-cd cracks, key-generators, aimbots and the like. Then there are millions of idiots that will download and run this shit, enabling that 14-year old brat with an army of infected computers, a lot of credit-card-numbers and email accounts. Now the kid can spend a lot of money on amazon and ebay, spread his bot to all the friends of the victims and grow his power. This kid will get bored eventually and will then seek attention from people who build their business on simple online services and blackmail them, while bragging about it on the internet. But, it could have been even simpler. A lot of the more intelligent cybercriminals rent their established power to whoever pays best. Like an Amazon Web Service specifically designed for DDoS attacks. You swipe your (stolen) credit card, they DDoS for you. There is even a Crowdapp to DDoS with all your anonymous friends, so easy, a trained monkey could operate it.

So, if it is that simple, why is it so hard to mitigate?

Also simple: the bots will send 100% legitimate requests from absolutely casual looking end-user-computers.Besides the high amount of traffic they are really, really hard to detect. So hard in fact, that upon the first rumors of Michael Jacksons death, Google’s search engine was hit so hard by the curiosity of its users, that they thought it was a DDoS attack.
Even worse, most of the hosting services, that advocate their help in case of a DDoS attack would just not work for the majority Gaming services, since they have to be optimized for low latency and easy access. The most prominent attack vectors at a gaming company are by far the login-server and the website, because both allow for easier attacks. If you would want to attack the game servers directly, you would have to emulate an authenticated game-client, which is far beyond the skill cap of most 14-year-old kids.

What can I do to help?

Don’t be an Idiot!

If you’re one of the persons that now turned salty and thinks “I cannot be fooled”, trust me, you’re wrong. Just think about how fast you open links that seemingly were sent to you from a friend via facebook or email. Be careful what links you click on and be even more careful what you download and open. Read before clicking! Example? Send this to your facebook wall, and see how many “haha’s” you get. http://ismycreditcardstolen.com/ (what can possibly go wrong?)

Limit internet access for your young ones!

If you have skimmed through the article over at Mr. Krebs website, you might have noticed that most of that “Hacker-Squad” are kids. So this whole issue could have been avoided by limiting their internet access to appropriate sites for kids and young adults. There are a lot of easy methods to do so. If you got kids, I strongly advise you to not give them free internet access. If you want to know more, visit www.saferinternet.org.

Use strong security apps, long passphrases (not words!) and settings!

Invest in a strong, proven antivirus and firewall solution. If you do not want to invest, please at least install some free tools to aid you a little. www.check-and-secure.com will help you get started and will also offer some free online tests to check if you are already infected. 

Use a whole sentence separated by a special character as password. This is not only much safer than a single word, it is also much easier to remember.

Do not ever call them “Hacker”

A hacker is by definition someone who’s using whatever comes his way in new creative and unpredicted ways. These little brats are cybercriminals and/or script-kiddies. Calling them hackers is no different then calling someone an artist for uploading dick-pics on Instagram.