DoS Attack Forces EVE Online Offline

Resorting to the out-of-band messaging that is Facebook, CCP Games has announced that "At 02:05 GMT June 2nd, CCP became aware of a significant and sustained distributed denial-of-service attack (DDoS) against the Tranquility cluster (which houses EVE Online and DUST 514) and web servers."

Wow, finally a timely Slashdot story!

[GodfatherofSoul]

I was just wondering why I couldn't log in! I criticize you guys a lot, gotta give you props this time.

Re:Wow, finally a timely Slashdot story!

[MtHuurne]

Now we know what Slashdot editors do all day ;)

Re:

[ducomputergeek]

Really? I thought they used the immense power of the cluster that powers this site to mine bitcoins.

Re:Wow, finally a timely Slashdot story!

[powerlord]

and what do they do with the Bitcoins? Trade them for PLEX obviously.

Re:

[Dahamma]

That would explain why the site itself loads so slowly...

Re:

[Impy the Impiuos Imp]

It was Eve Online, not My Little Pony Online.

Re:

[Anonymous Coward]

Horsefucking is en vogue on Slashdot I see. EXCELLENT.

This isn't /mlp/.

Re:Wow, finally a timely Slashdot story!

[conspirator23]

All it means is that a Bitcoin angle to this story will be revealed later.

Re:Wow, finally a timely Slashdot story!

[fuzzyfuzzyfungus]

All it means is that a Bitcoin angle to this story will be revealed later.

The raspberry Pi is working as fast as it can; but the angle isn't quite finished yet...

Re:

[foniksonik]

Don't you mean the 3D printer...

EVE Offline

[Anonymous Coward]

That is all.

Re:

[ThePeices]

EVE Offline. That is all.

Hey, I see what you did there! Ive spent the last 6 minutes rolling on the floor laughing my ass off, and only now have the breath left to sit down and write this, such is the sheer power of your mastery of wit.

You put comedians the world over to shame, your stand above us mere mortals, and we all bow to thee; God of Comedy.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[stackOVFL]

Yeah, well now we know why /. is so slow: all those spelling mistakes.

Re:

[AmiMoJo]

I laughed off my ass once, it was a quite nasty fall.

Internet Spaceships

[Airdorn]

They need to get this sorted ASAP. I have important Internet spaceship business to tend to and it really can't wait any longer.

Re:

[Pino Grigio]

Yea me too. My manufacturing jobs have finished cooking! (Although obviously with the cluster offline I've got nobody to sell them to).

Re:

[joelleo]

I was in the process of joining a new corporation :/ Approximately 50b in assets just sitting in space in null sec at the moment while I get all my chars moved over and able to dock. Awesome.

Re: Internet Spaceships

[Anonymous Coward]

I'll keep you safe. Please post system and nearest celestial and I'd be happy to provide escort once the server is back online

The wives of EVE

[Anonymous Coward]

Will rejoice

Re:The wives of EVE

[powerlord]

Will rejoice

All the countless Wives, Girlfriends, significant others, etc. ... wait ... I think I know who might be behind this. ...

Re:The wives of EVE

[Corbets]

Wives? Girlfriends? Obviously, you've never met anyone who plays EVE Online.

Re:

[Vrekais]

Myself and almost everyone I play with has a girlfriend, or boyfriend so have you actually met any one who plays EVE?

Re:

[Bengie]

Many even have kids in the background. I get "brb, gotta put the kids to sleep" and other stuff.

So...

[fuzzyfuzzyfungus]

What kind of intricate in-game machinations will this turn out to be connected to?

Re:

[GreenTom]

Nice thought! Have you read Surface Detail?

Re:So...

[Pino Grigio]

Some people are speculating it's to do with TEST Alliance, as they're under a bit of pressure at the moment. It wouldn't surprise me if Eve played host to the kind of idiots who'd be able to do something like this. Certain aspects of the game are attractive to sociopaths. Then again I'm not a conspiracy theorist, so I'm thinking it's just a re-run of the last one, given that some of Lulzsec guys were jailed a few weeks ago for doing it some time ago [theregister.co.uk].

Re:

[OverlordQ]

> Some people are speculating it's to do with TEST Alliance

Aahahahahahah, is there nothing TEST isn't blamed for? In Planetscape 2, TEST has been accused of working with SOE to arrange for the servers to crash to help them out.

Why

[Anonymous Coward]

Why would anyone launch a DoS attack on EVE online servers?!"
Nerds should not attack other nerds. :P

Re:

[Sperbels]

To extort money from them?

Re:Why

[osu-neko]

Nerds should not attack other nerds. :P

Um... you haven't actually played EVE Online, have you? xD

Re:

[meerling]

I'm surprised it hasn't happened earlier.
Or perhaps that it wasn't noticed earlier.

Re:

[Anonymous Coward]

It has.

Re:

[Bobfrankly1]

I'm surprised it hasn't happened earlier. Or perhaps that it wasn't noticed earlier.

Apparently you've never been mining in high sec...

Re:How can you DDoS an MMO?

[fuzzyfuzzyfungus]

Why do the gaming servers respond to requests from non-players?

I assume that there is, at very least, some sort of authentication service that has to evaluate a request to determine whether or not it comes from a player...

Re:

[GloomE]

Initially it looked to me like an attack on their DNS servers, not the game itself.
A dig would work or not depending on which name server you were randomly allocated.
If you managed to resolve the required names you could get in and play just fine. Was fun having NPC null almost to myself.

They've brought the lot down now of course, but don't just assume that it's a problem with the game code.

Re:

[Hentes]

It's enough to do authentication once, after which just remember the IP. You don't have to authenticate every request.

Re:How can you DDoS an MMO?

[sgbett]

You should be in charge of the whole internet. You got it all figured out.

Re:How can you DDoS an MMO?

[jeff4747]

You should probably learn how networking actually works. It will avoid making posts that are this bad.

The way the server knows what IP the packet came from is by the IP layer of the stack processing the packet. Which means the packet triggered work by the server, and the DDoS can do it's job.

Your "solution" requires the server to predict that a non-player IP will be sending a packet and reject it before examining the packet at all. But that's assuming the DDoS is sending random packets.

If the person behind the DDoS doesn't have enough nodes to carry out the attack above, then they can send bad "login" requests. The server will have to process them completely in order to reject the login.

Re:

[ThePeices]

Why do the gaming servers respond to requests from non-players?

Ahhh, this question is unanswerable as it is one of the few true mysteries of the universe, like magnets ( wtf, how do they work!), velcro, and the location of the proverbial "other sock".

Why do gaming servers respond to requests from non-players? Well dude, the answer might as well be 42, nobody knows.

Re:

[angel'o'sphere]

Why do the gaming servers respond to requests from non-players?
I doubt they respond.

But the packet coming in as request get routed through the game servers network _until_ one part of the network decides to drop the packet(s) because they are illegit.

DDoS attacks basically always flood your network, consider it like a traffic jam in a city. You delete cars from the road as you recognize them as part of the DDoS but new cars coming into the city all the time cause more jams at the entrances to the city.

Re:

[Bengie]

Don't you know? Most upstream providers have Layer7 firewalls that can drop non-player EvE logins. The secret is the magic pixie dust.

Re:

[angel'o'sphere]

Pfft ...
What nonsense are you talking about?

How should an ISP know wheather a package you snt upstream is legit or ot?

Go smoke something else ...

Re:How can you DDoS an MMO?

[fuzzyfuzzyfungus]

*sigh*

You need to log in to the game at some point.

But only once, unless you are the sort of coward who logs out!

Re:

[Anonymous Coward]

unless you are the sort of coward who logs out!

Pfft, I'm the sort of coward who doesn't even log in!

Re:

[Pino Grigio]

Haha. ^ mod up.

Re:

[meerling]

Player generated content = marketing spiel for "we don't actually put in any content, we just let the anti-social types attack everyone".

Re:

[GodfatherofSoul]

Because in networking, every new connection comes from a "non-player" until you're authenticated as otherwise.

Re:

[zachie]

Actually, even if you can distinguish, is no way to prevent any host of the Internet from sending traffic to you. If you gather enough upstream bandwidth, you can clog any pipe you want. Some research works have proposed ways to amend this, for example this [intel-research.net].

Eve Offline

[Anonymous Coward]

For those hopelessly addicted, there are two solutions:

1) practice on the singularity server (aka test server)
2) play the flash version [znaor.hr].

Re:

[Bengie]

Their entire network is down.

Re:

[Anonymous Coward]

3) get a life.

Re:

[fazig]

You expect me to run missions in a gallentean shuttle?
I'd rather watch grass grow, which is almost as entertaining as mining is in EVE Online.

I suggest: Go for a walk, take a shower, get some sleep. Do things that can't done sufficiently during the daily downtime of about 15 minutes. Or if it has to be EVE related map out the skills you are going to learn on your characters for the next few years in EVEmon or create a whole fleet setup for PvP in your EFT or Pyfa.

When the servers are back on CCP m

Re:

[TheNastyInThePasty]

3) Go to drive.google.com. Click Create. Choose Spreadsheet. Enjoy!

Re:

[rrhal]

Are we sure it was DDoS and wasn't the Goons all trying to log on en masse.

Correction

[girlintraining]

It's not Facebook that they're updating from; It's Twitter. Their Facebook account is linked to Twitter.

Anyway, this isn't the first time the servers have been DDoS'd; This happens about every 4 months or so on average. And unfortunately, they've handled it about as well each time as you're seeing now: They tend not to announce the DDoS until hours after the news is all over the forums that people are experiencing mass disconnects and instability. And once the problem has been identified (late), their response is usually to kill all the servers, remove the BGP routing table entry for their network, and wait it out.

They don't have the capability of weathering DDoS attacks; Though they claim otherwise, history tells another story. It has to do with the fact that their game depends on a cluster architecture that is not adaptable to something like Amazon cloud, or any kind of scalability. I don't really want to get into details here because it gets really technical, but basically it comes down to data syncronization within the cluster requiring very low latency between nodes. And that means you can't locate the nodes off-site, and proxying is only of limited utility.

They tried proxying the front-end for accepting connections and authenticating users, because that's what has been targetted in the past and is one of the few components that can be moved. The current DDoS attack though is generating large numbers of connections that look the same as legitimate connections, so the proxies are allowing them. Rather than just throwing as much bandwidth as they can at the network as in the past, they're now crafting their traffic.

I suspect the reason the attack is being launched now is because in a few days they're releasing a new patch of the game which will change the network protocols used by the client... their hack might not work then, so they probably decided to launch it now before it becomes useless. They are hitting people on the weekend because it's when the most users are on... so it's most likely to be noticed.

Re:Correction

[Dachannien]

I don't really want to get into details here because it gets really technical,

This is Slashdot. What else is Slashdot good for, if not "really technical"?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Correction

[Phrogman]

Increasingly /. is all about pointless uninformative one line comments. In that its very much like reddit. I used to come here for interesting stories and responses, but now I have to wade through 100 pointless quips to get to one informative one.

Re:Correction

[PhxBlue]

I used to come here for interesting stories and responses, but now I have to wade through 100 pointless quips to get to one informative one.

A hundred and one now, so thanks for that. :P

Re:

[xtracto]

I don't really want to get into details here because it gets really technical,

This is Slashdot. What else is Slashdot good for, if not "really technical"?

You are 10 years late to that slashdot who liked to discuss technical stories such as deCSS, Sony Rootkit and Fyodor's nmap.

Re:

[xtracto]

uuuh no, the story was an actual technical story with technical details (from Mark Russinovich) ( http://it.slashdot.org/story/05/10/31/2016223/sony-drm-installs-a-rootkit [slashdot.org] ), and there is actually insightful and interesting technical and political discussion in the thread.

Re:

[Anachragnome]

"They don't have the capability of weathering DDoS attacks;..."

I play a private WoW server called Molten-WoW. This weekend they held a couple of PvP tournaments--they've been under constant DDoS attack since Friday night, right up to.......now. It is still occurring. Interestingly, their DDoS protection software keeps the servers up--the problem is that one in five people cannot connect as a result of false-positives on the part of the software. It is also common for attacks to happen for no obvious reason-

Re:

[aaronb1138]

My bets would be most of the DDoS in the independent WoW server community is sponsored by Blizzard or Blizzard employees in an attempt to stop piracy (under corporate software developer's default assumption that anything they don't control is piracy).

Sure, most of the attacks come from Russia and southeast Asia, but the money that pays them comes from someone else. The accusation that other server runners are part of the DDoSing is just good propaganda to keep people looking in the wrong direction.

Face it

Re:

[ImprovOmega]

Official, Blizzard WoW was glitchy as hell for a few hours on Sunday too. I don't think they were behind tanking their own systems too.

Re:

[Pino Grigio]

No, more likely it's because the idiots who DDOS'd them last time went to jail a few weeks ago [theregister.co.uk].

All we need is the HOSTS file guy

[Cito]

Where's the HOSTS file guy to post his 10 pages of spam on hosts file

and blame a bad hosts file for the reason eve is offline

har har

Re:

[VortexCortex]

Sadly, I fear '127.0.0.1 slashdot' is to blame. Live by the hosts file, die by the hosts file... He slashdotted himself.

Re:

[Cito]

haha!

I never could figure what was up with that guy, his posts started off halfway making sense then turned into the schizophrenic rambling of a mad man

all over a freaking hosts file

Re:

[infonography]

Russian DDoS operators take their life in their own hands by this, I have fought with and along side Russians (on Eve) and they take this very serious.

Re:

[powerlord]

Considering they've managed to take down Serenity (the China specific EVE on-line server) also ... I'd say the usual haunts of DDoS operators might not be as safe as they think they are.

Oh, for anyone who wishes to track it:
http://eve-offline.net/ [eve-offline.net] and
http://eve-offline.net/?server=tranquility [eve-offline.net]

Re:

[ZeRu]

I believe that other servers were taken down by CCP as a precaution measure.

Logical reasons for a DDoS would be money related

[infonography]

Theory 1 They want to drive down the stock price by sullying them before the big release this week
Theory 2 They are butt sore over their podding by Goonswarm, or Test, or some noob named 5t@rTw33rp
Theory 3 Collect Underpants
Theory 4 ????.
Theory 5 PROFIT

Eve Online

[dicobalt]

aka Spreadsheet Simulator 2013?

Re:

[Nocturnal Deviant]

If MS Excel looked like eve, I would switch to data entry.

Re:

[Pino Grigio]

I do actually have a spreadsheet for Eve. Only for manufacturing costs of certain things though.

Everyone Vs Everyone Online!

[Nostromo21]

Couldn't have happened to a more wretched hive of scum and villainy in all the virtual worlds!

(obviously, that comment excludes carebears & all non-sociopath gamers :)

Kim Jong-un

[DQKennard]

It was the North Koreans. Supreme Leader Kim kept getting boned within a few minutes of logging in and, being the most awesomest gamer in the world, instructed his people to take down the whole nest of conspiring cheaters.

Re:

[Nostromo21]

Re your sig: if you think that belief in a monotheistic, infinite, possibly personal, possibly triune, deity is a popular choice these days...then I find your lack of faith stupefying! Just sayin...

Cheap higher speed bandwidth doesn't help

[0x537461746943]

It doesn't help that those infected hosts now can get 150mbit/sec upload speeds... Verizon only charges an extra $10 a month for 50/25mbit service. It wouldn't take many of them to kill a lot of decent sized sites.