Sony and Microsoft saw their online gaming networks, PSN and Xbox Live, toppled over the holidays by hackers who used a relatively simple attack to jam up the sites. The technique, known as DDoS, is so straightforward that it begs the question why two of the world’s most sophisticated entertainment and computing giants were not better prepared to defend themselves.
As the gaming networks were completely disabled, players around the world went without Internet-connected play from Christmas Day into Dec. 26. “Yeah I love the Xbox but I feel sorry for every gamer affected by the outages! We pay good money for Live and PSN. #NotGoodEnough!” said gamer @DAZ3600, in a Tweet.
It’s not like Sony and Microsoft didn’t know they were in the crosshairs. Sony unit Sony Pictures Entertainment was infiltrated by the now infamous attack on “The Interview,” which the U.S. alleges originated in North Korea. Lizard Squad, the hackers that hit the PlayStation and Xbox networks on Christmas, actually warned Microsoft that they were planning a holiday hit.
So, I'm wondering, how's Xbox Live doing these days?
â€” R.I.U. Lizard Squad (@LizardMafia) December 24, 2014
Lizard Squad didn’t break bank-level encryption to achieve its mission — it simply used an advantage in numbers, recruiting infected computers to bombard the victims’ servers like ants on prey. The Distributed Denial of Service attack is built upon strength in numbers. Here's how it works:
Computers receive Internet data by pinging servers around the world and returning Web pages or other content. A DDoS attack occurs when thousands of computers continually bombard the same server, or group of servers, to deliberately overtax it. It’s the method that Lizard Squad used to boot gamers offline for the holidays. It's also how the entire country of North Korea was knocked offline last week in an attack that some believe was a retaliatory strike by the U.S.
DDoS attacks come in a few variants, according to Anirban Banerjee, co-founder of malware and Web security company Stopthehacker. One of the most intimidating is the reflection attack. Computers on the Internet talk to each other to synchronize their clocks within a degree of accuracy, making use of a set of rules called Network Time Protocol. There's a vulnerability in that there's no double-check to see if a given computer has actually asked for the time. Phony time checks, multiplied out over many thousands of computers working in conjunction to bombard the same server, and a hacker has a very powerful DDoS weapon.
"It's the biggest bang for your buck," said Banerjee. "Suddenly your server has 50 million pieces of information coming for it that it didn’t ask for."
Sony did not respond to a request for comment. Microsoft representatives declined to answer specific questions. In a statement, the company would say only that it was "aware some users were unable to sign in to Xbox Live. Our teams worked throughout the holiday to resolve the issue, and Xbox Live core services have been restored.”
Microsoft may have the most to lose here in terms of reputation. Like Sony, it sells video games and consoles. But it also has built a multibillion-dollar business around selling security software and hosting other companies’ computing operations on a cloud service called Azure, which itself suffered an outage on Nov. 18. The fact that it can’t guarantee its own security may raise big questions in customers’ minds.
Xbox Live was hosted by a mere 500 servers at Microsoft data centers when it launched in 2002. The company upgraded that to a whopping 300,000 hardware units when it unveiled Xbox One last year, according to Data Center Knowledge. But it still wasn’t enough to beat back Lizard Squad. “There is no 100 percent defense against this. One thing you’ve seen in 2014 is that no matter how much money you throw at this problem, it’s a continuous game,” said Lawrence Pingree, a cybersecurity analyst at Gartner. “On the Internet we’re playing art-of-war directly, but it’s not physical; it’s not with tanks.”
Here's another dirty secret from the DDoS world: Such attacks are relatively affordable. There are forums on the Deep Web where individuals can buy access to "botnets," networks of many thousands of compromised computers ready to run such an attack. So-called botherders build their herd by spamming email accounts with links that, when clicked, install malware to a user’s computer. Access to these botnets can then be sold online for as cheaply as one penny per computer. “If you spend 10,000 dollars, you easily have the biggest gun in the room. It really is that simple," said Banarji.
Lizard Squad's stated motivation was to call attention to lax computer security at its targets. DDoS attacks "make a statement, they're loud and noisy," said Kevin Haley, director of Symantec Security Response. "That’s really what they want. You could break into someone’s place, steal something and run out. But there's no glory in that. By doing this, hackers make the companies they hit aware of it, they make everyday people aware of it and it makes the paper."