
"China has released a game that topped the world. Is anyone so unhappy?"

2024-08-29


[Text: Observer.com, Lv Dong; Editor: Zhang Guangkai]

"It is extremely rare in recent years that the number of attack commands has skyrocketed by more than 20,000 times overnight"; "8 of the servers that issued the attack commands are in the United States, 3 are in the United Kingdom, and the rest are distributed in many countries around the world"; "China has released a game that topped the world. Is anyone so unhappy?"...

Recently, the launch of the first domestic 3A game "Black Myth: Wukong" attracted global attention, with peak concurrent users across all platforms reaching 3 million. However, on the evening of August 24 the Steam platform was hit by a large-scale DDoS attack and suddenly crashed. Players in many countries reported that they could not log in to the game, and the number of concurrent online users of "Black Myth: Wukong" dropped sharply to less than one million.

For a game, a full day of sustained network attack can mean losing 80% of its players, which is obviously fatal. According to data released by Qi'anxin XLab, nearly 60 botnet masters took part in the attack, and the volume of attack instructions increased by more than 20,000 times overnight. Besides Steam's own servers, the Steam servers operated by Perfect World in China were also targeted; a total of 107 Steam server IPs in 13 countries and regions were attacked.

Who is behind this cyberattack, what was its purpose, and how can it be prevented? Several cybersecurity industry experts explained the details.

"This attack was clearly very targeted, with a total of four attacks. There was one on Saturday (August 24) at noon, the attack lasted from 6 to 11 p.m., and it started again on Sunday morning, which happened to be evening in North America. The fourth attack was at 4 a.m. on August 26, which happened to be evening in Europe. The attackers seemed to deliberately choose to launch attacks during the peak online hours of gamers in various time zones to achieve the greatest destructive effect," a Qi'anxin XLab security expert told Observer.com.

[Image: Black Myth: Wukong game pictures]

Judging from the timing and geographical distribution of the attacks, and from the strategy of targeting both domestic and foreign Steam servers, the attackers' goal was clearly to disrupt the normal operation of the Steam platform globally while focusing on the Chinese market. This organized behavior reflects the attackers' strategic planning and clear targeting.

"Overall, this incident has obvious political, ideological and geopolitical interest backgrounds. It may be a certain actor, or multiple actors. For the above reasons, they use the large-scale botnets they own or temporarily rent to carry out DDoS attacks and disrupt the operation of the game," Li Baisong, co-founder of Antiy Technology Group and deputy director of its technical committee, said in his analysis for Observer.com.

In this cyberattack, technical terms such as "botnet" and "DDoS attack" appear frequently. What do they mean?

DDoS stands for distributed denial of service, a common form of network attack. In simple terms, attackers exploit software or system vulnerabilities to take control of a large number of computers (known in the industry as "bots") and install malware on them. On command, these machines send a flood of junk requests to the target server, exhausting its processing or bandwidth resources so that it can no longer provide service.

"Most DDoS attacks are launched by large-scale botnet nodes, and botnets are formed through long-term automated intrusion and spread. There are numerous botnet systems of various sizes controlled by different black-industry organizations around the world, ranging from small ones with dozens or hundreds of nodes to large ones with hundreds of thousands or millions of nodes. These botnets have become an attack infrastructure that can be rented by attackers," said Li Baisong.

[Image: A rough diagram of a botnet]

According to the Qi'anxin report, multiple botnets were involved in the attack on the Steam platform. The main force was the so-called Aisuru botnet, which claimed in its Telegram channel to have more than 30,000 bot nodes and an attack capacity of about 1.3 to 2 Tbps.

There are several common purposes for DDoS attacks. The first is to take the target server offline and inflict economic losses on the target; the second is to create chaos and disrupt the normal operation of gamers or businesses, which is more often the work of competitors; the third is to cover up more advanced attacks; the fourth is to express political motives or protest.

"In this attack, a total of 280,000 attack commands against the Steam platform were observed," said a security expert from Qi'anxin XLab. "Steam servers in various regions around the world were attacked in turn, including the Steam servers represented by Perfect World in China. Before the launch of Black Myth: Wukong, we had never found that Perfect World's Steam servers had been attacked by DDoS. The attacks lasted for several hours and were carried out during the peak hours of online players in various regions, which is extremely rare."

"During the peak period when many players were online, the Steam platform suffered such a large-scale DDoS attack. It is hard not to think that this attack was aimed at the domestic 3A masterpiece 'Black Myth: Wukong'. Our team has focused on discovering and tracking large-scale botnets for more than 10 years, but the organization and intensity of this attack still surprised us. China has released a game that has topped the world. Is anyone so unhappy?" the security expert told Observer.com.

Since this is a malicious attack, can the real culprit behind it be identified? At present, it is difficult. In a DDoS attack, the actual attacker, or the operator of the botnet, uses the main control (command-and-control) end to send attack instructions to the controlled end (the zombies), which then carry out the attack. However, the technical means available to security companies can only locate the main control server; they cannot identify the real culprit behind it.

[Image: Attack command trends for attacks on the Steam platform in the past year]

"Eight of the main control servers are in the United States, three are in the United Kingdom, and the rest are distributed in South Korea, Russia, Singapore, Japan, Indonesia, the Netherlands, Switzerland and other places around the world, with multiple IP addresses. But even if you know which country a server is in, it is of no use, because the Chinese can also put servers in the United States, and it is difficult to locate the attacker behind it," said the aforementioned security expert.

Li Baisong also believes that botnets are operated with different control structures: some use multi-level centralized control, others use P2P control, which makes it very difficult to accurately locate the perpetrators behind the attack.

"In large-scale DDoS attacks, the physical location of the packet-sending machine (the main control server) is of little significance. Moreover, the operator of the botnet and the actual attacker are most likely not the same group of people. The two parties may be connected only through the internet and settle accounts in virtual currency; they do not know who the other is, and the rental cost is relatively low. In addition, the capture, blocking, correlation, disposal and statistics of the attacks rely mainly on Steam's own security operations, and it is difficult for third parties to obtain effective data," he said.

However, Li Baisong added that security companies and teams can still look for traces and clues of the attack in the botnet systems they already monitor, and emergency response departments can lock on to some of the controlled zombie hosts located within the country for joint analysis.

It is difficult to find the mastermind behind the attack, so is there any way for gaming platforms or companies to defend against DDoS attacks?

The aforementioned Qi'anxin XLab security expert told Observer.com that, first, enterprises can plan network capacity carefully to withstand such large-scale attacks; secondly, in the gaming industry it is necessary to have an in-depth understanding of normal user traffic volume versus abnormal traffic volume, so that when an attack occurs the abnormal traffic can be scrubbed promptly; thirdly, deploying a content delivery network (CDN) can resist DDoS attacks to a certain extent; and at the same time, enterprises can work with network operators to filter or rate-limit traffic at the network level and remove malicious traffic in a timely manner.
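The "know your normal traffic, then scrub the abnormal" advice above, and the earlier description of a flood of junk requests from many bots, as an added example that is not part of the original article and not Qi'anxin's or Steam's tooling: a small Python script that learns a per-second request baseline from constructed access-log lines, flags seconds whose volume is far above it, and extracts the sources that dominate those seconds as candidates for network-level filtering. The log format, the IP addresses, the 10-second baseline window, the sigma multiplier and the 20% source-share cutoff are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed log format (an assumption for this example, not Steam's real
# format): "<epoch_second> <client_ip> <path> <http_status>"
LOG_RE = re.compile(r"^(\d+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (\d{3})$")

# Constructed attacker addresses taken from the RFC 5737 documentation ranges.
ATTACK_SOURCES = ["203.0.113.5", "203.0.113.9", "198.51.100.7"]


def build_sample_log():
    """Return constructed access-log lines: ten quiet seconds of ordinary
    logins, then three seconds in which a few sources flood /login."""
    lines = []
    for sec in range(10):                      # baseline window, 5 req/s
        for i in range(5):
            lines.append(f"{sec} 10.0.{sec}.{i} /login 200")
    for sec in range(10, 13):                  # flood window
        for i in range(5):                     # real players keep trying
            lines.append(f"{sec} 10.0.{sec}.{i} /login 503")
        for ip in ATTACK_SOURCES:              # 40 junk requests each
            lines.extend(f"{sec} {ip} /login 503" for _ in range(40))
    lines.append("malformed line that the parser must skip")
    return lines


def parse_line(line):
    """Parse one log line; return (second, ip, path, status) or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    sec, ip, path, status = m.groups()
    return int(sec), ip, path, int(status)


def requests_per_second(lines):
    """Bucket requests by second: {second: Counter(ip -> request count)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            sec, ip, _path, _status = rec
            buckets[sec][ip] += 1
    return buckets


def build_baseline(buckets, baseline_seconds):
    """Learn what 'normal' looks like: mean and population std-dev of total
    requests per second over a window known to be free of attacks."""
    totals = [sum(buckets[s].values()) for s in baseline_seconds]
    return float(mean(totals)), pstdev(totals)


def detect_flood(buckets, baseline, sigma=5.0, source_share=0.2):
    """Flag each second whose volume exceeds mean + sigma * stddev.
    Within a flagged second, list the sources that each account for more
    than `source_share` of the traffic; those are the filtering candidates.
    The std-dev is floored at 1 req/s so a perfectly flat baseline does not
    yield a threshold that ordinary jitter would trip."""
    base_mean, base_std = baseline
    threshold = base_mean + sigma * max(base_std, 1.0)
    alerts = []
    for sec in sorted(buckets):
        total = sum(buckets[sec].values())
        if total <= threshold:
            continue
        dominant = sorted(ip for ip, n in buckets[sec].items()
                          if n / total > source_share)
        alerts.append((sec, total, dominant))
    return alerts


def filter_candidates(alerts, min_seconds=2):
    """Sources that dominated at least `min_seconds` flagged seconds; one
    noisy second alone is not enough to hand an address to the operator or
    CDN for rate limiting."""
    seen = Counter(ip for _sec, _total, ips in alerts for ip in ips)
    return sorted(ip for ip, n in seen.items() if n >= min_seconds)


if __name__ == "__main__":
    buckets = requests_per_second(build_sample_log())
    baseline = build_baseline(buckets, range(10))
    alerts = detect_flood(buckets, baseline)
    for sec, total, ips in alerts:
        print(f"second {sec}: {total} req/s, dominant sources: {ips}")
    print("rate-limit candidates:", filter_candidates(alerts))
```

In the constructed data the baseline is a flat 5 requests per second, so the threshold is 10 req/s and each flood second (125 req/s) is flagged with the three attacker addresses; the real players, at one request each, stay below the share cutoff. In practice the baseline would be learned per endpoint and per region over days rather than seconds, and the candidate list would feed the operator or CDN filtering the article mentions rather than a print statement.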

Interestingly, this large-scale cyberattack targeting Black Myth: Wukong was rarely reported by foreign media. In Li Baisong's view, the attention of security industry entities and organizations has become highly polarized, so Western security companies will not pay attention to or analyze this incident.

In fact, DDoS attacks are extremely common in the gaming industry. Data released by cybersecurity company Gcore shows that in the first half of 2024, global DDoS attacks increased significantly to 445,000, a year-on-year increase of 46% and a month-on-month increase of 34%. The gaming and gambling industries remain the hardest hit, accounting for 49% of all incidents in the first half of the year. The high stakes and competitiveness of online games make them particularly vulnerable to such damage.