A cybersecurity incident occurred at a popular online gaming company. A group of malicious actors performed a DDoS attack, sending a large flood of ICMP packets to the company’s gaming servers and disrupting their service for several hours. The attack was eventually resolved, but it had a significant impact on the company’s services and its users’ experience.
During the attack, Wireshark was used to inspect the network traffic in real-time. I noticed there was a flood of incoming ICMP packets, which is very unusual.
Here is a simplified version of what the log might have looked like:
- attacker.machine > your.gaming.server: ICMP echo request shows the attacker's machine sending a large number of ICMP echo requests (pings) to the gaming server.
- your.gaming.server > attacker.machine: ICMP echo reply shows the gaming server answering each of those requests with an ICMP echo reply.
The flood of requests and replies caused the server to become overwhelmed and unresponsive to real traffic.
Identify:
The incident management team began by auditing the systems and access policies that had been caught up in the attack, their goal being to pinpoint the security gaps that had been exploited. They found that the attackers had exploited the company’s lack of sufficient DDoS protection measures. The attackers used a network of compromised computers to send a massive amount of ICMP echo request packets to the company’s gaming servers. The servers were unable to distinguish between legitimate and malicious traffic and responded to each request, which caused a flood of ICMP echo reply packets. This flood of packets overwhelmed the servers, causing them to become unresponsive to the real traffic.
Protect:
The following measures were added to further secure the organization’s assets:
- Implemented Cloudflare to help protect against DDoS attacks.
- Made sure that firewalls are properly configured to block unwanted traffic.
Detect:
The organization can improve its detection capabilities by implementing network monitoring software to detect abnormal traffic patterns. The organization could also use AI-based threat detection tools to help identify potential DDoS attacks and other cybersecurity threats.
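As an added example (not part of the original write-up), this is the kind of check a network monitoring tool would run over a capture in the simplified notation shown above: count ICMP echo requests per destination per one-second window and flag windows that exceed a baseline, also reporting how many distinct sources took part. The timestamps, hostnames and the threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the page's simplified notation, with a constructed
# "seconds.fraction" timestamp prepended to every line.
REQUEST_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) > (?P<dst>\S+): ICMP echo request$"
)

def icmp_flood_alerts(log_text, window=1.0, max_requests=20):
    """Count ICMP echo requests per destination per time window and return
    (window_start, destination, requests, distinct_sources) for every window
    above max_requests. Echo replies and non-ICMP lines are ignored, so the
    server's own replies do not inflate the count."""
    requests = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        key = (int(float(m["ts"]) // window), m["dst"])
        requests[key] += 1
        sources[key].add(m["src"])
    return sorted(
        (bucket * window, dst, n, len(sources[(bucket, dst)]))
        for (bucket, dst), n in requests.items()
        if n > max_requests
    )

def constructed_capture(bots=40, pings_per_bot=5):
    """Build a constructed capture: one second of normal traffic with a single
    legitimate ping, then one second in which `bots` hosts each send
    `pings_per_bot` echo requests and the server answers every one."""
    lines = [
        "0.10 player1.example > your.gaming.server: UDP game traffic",
        "0.20 monitor.example > your.gaming.server: ICMP echo request",
        "0.21 your.gaming.server > monitor.example: ICMP echo reply",
    ]
    t = 1.0
    for i in range(bots):
        for _ in range(pings_per_bot):
            t += 0.001
            lines.append(f"{t:.3f} bot{i}.example > your.gaming.server: ICMP echo request")
            lines.append(f"{t + 0.0005:.4f} your.gaming.server > bot{i}.example: ICMP echo reply")
    return "\n".join(lines)

if __name__ == "__main__":
    for start, dst, n, srcs in icmp_flood_alerts(constructed_capture()):
        print(f"window {start:.0f}s: {n} echo requests to {dst} from {srcs} sources")
```

A single legitimate ping in the first second stays below the threshold, while the second window is flagged with 200 requests from 40 sources, the many-source pattern the write-up attributes to the botnet.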
Respond:
The team responded by identifying and blocking the IP addresses that were generating the excessive traffic, took non-critical services offline, and restored critical services.
Recover:
To recover from the incident, several security measures were added: a new firewall rule to limit the rate of incoming packets, source IP address verification enabled on the firewall to check incoming packets for spoofed IP addresses, and a network monitoring system installed to check for abnormal traffic patterns.