UPDATED 15:31 EDT / FEBRUARY 04 2014


The plight of gaming networks and the threat of DDoS on the modern Internet

It’s the evening and numerous video game players are getting home from work and school, but when they try to log into their favorite game they can’t, because the servers are down. Not because of a configuration error or an employee accidentally flipping the wrong switch, but because some jerk on the Internet has felt the need to hit the network with a Distributed Denial of Service (DDoS) attack. This is a growing issue, as we’ve seen in 2011 with LulzSec targeting gaming servers and now also in late 2013 with DerpTrolling doing the same.

Cyber vandals and goths rampaging across the Internet causing mayhem is not going away. In fact, CloudFlare CEO Matthew Prince believes that 2014 will only see the problem get worse.

“We have seen attacks that are over a terabit in scale and we’re just teetering as an industry on the first significant massive DDoS internet outage, which will have a big impact and cause damage,” Prince told SiliconAngle in an interview. “We can fully predict that the first of these events will be happening, you can expect that in early 2014.”

What does this era of DDoS entail and how does a gaming host stay afloat in these turbulent times? SiliconAngle went to Jared Hirst, managing director of Servers Australia, and Shawn Marck, the CEO of Black Lotus, to get some answers.

Servers Australia vs. mayhem and DDoS on the high seas

Servers Australia is a managed hosting company that houses numerous high-traffic websites down under, including none-too-few gaming services. For some, just being on the Internet means catching the brunt of DDoS attacks, and that’s only amplified for gaming services, which become the targets of up-and-coming ne’er-do-wells looking for fame. For companies such as Servers Australia, being 200% larger than the next-biggest Australian gaming network service provider means that it has to be prepared for two hundred percent more potential DDoS.

As a host, Servers Australia suffers a lot of attacks. “Unfortunately, denial of service attacks have become a daily thing to hit our network,” said Hirst about the nature and frequency of DDoS attacks. “We face various scale attacks each and every day, and they are getting more and more sophisticated day by day.”

At first, Hirst says, sources of DDoS attacks were reported to the Australian Federal Police. But given the international nature of the Internet, attackers often come from offshore, which means that most attacks (about 90%) cannot be dealt with by Australian authorities.

Every time a DDoS attack menaced the Servers Australia network, the company would attempt to “black-hole” the IP addresses being attacked (or ask their upstream provider for help). By seeing their target vanish from the Internet, most attackers would then think the job was done and move on–though the more canny or vicious would just move on to hitting SA’s core infrastructure. This may have worked alright in the beginning, but with botnets of more significant power

So, Servers Australia turned to Black Lotus to help mitigate and defer the ever-increasing DDoS attacks. DDoS attacks hounding gaming servers have been around for quite a while, and Black Lotus finds itself amid company such as Akamai, which provides a similar service and spoke about DDoS with SiliconAngle in 2011. As might be expected, in 2014 the threats have only gotten worse.

Hosting providers need backup when it comes to DDoS

Outfits such as Black Lotus run almost-literal interference for hosts by sitting between their networks and the outside world (or greater Internet) and acting as a sort of buffer to stop the gusting DDoS winds and provide a safe harbor.

While DerpTrolling was out trolling (and DDoSing), Black Lotus watched the small crew hammer their targets. The interesting thing about the behavior of DerpTrolling was that they used a different tactic than had been seen before: the trolls in this case used NTP (Network Time Protocol) to amplify their DDoS. The use of NTP is new for amplification attacks, while DNS is the most commonly used.

When asked why gaming hosts were targeted by DerpTrolling, Shawn Marck postulated that it was part of the psychology of the attacker. Looking at DerpTrolling’s Twitter account, the primary way anyone knew what target would get hit next, the audience among whom they seemed to be seeking fame was steeped in the gaming scene.

As for the attack, Marck said Black Lotus watched it happen, “DerpTrolling’s attack pattern wasn’t multiple-targets-at-once, it was like a firehose moving from one target to another serially.”

The DDoS from DerpTrolling wasn’t as large as many others seen, but the unique nature of the reflection attack changed the sophistication of the attack.

DDoS tools were reporting 100 GB/s (though Black Lotus saw between 30 and 40 GB/s). As the days went on, the attacks got smaller and smaller as patches were disseminated to reduce the amplification and other networks got used to the nature of the attack and therefore tamped down on it more quickly.

Stopping the attack by detecting and filtering

Black Lotus provided protection for Servers Australia and other targets by monitoring traffic heading from the boundaries of the network toward targets. As the nature of DerpTrolling’s attacks became more obvious (and the use of NTP made it easier to fingerprint), it became easier for Black Lotus to detect the anomalous traffic, filter it, and then deliver clean, “untrolled” traffic to customers.
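To make the fingerprinting idea concrete, here is an added example (not Black Lotus's method and not from the original article) that flags destinations receiving reflected NTP traffic: UDP arriving from source port 123 that is either an NTP management-mode response or larger than an ordinary time reply. The packet dictionary layout, the size ceiling and the thresholds are assumptions, and the sample capture is constructed.

```python
from collections import defaultdict

NTP_PORT = 123
MAX_TIME_SYNC_LEN = 72  # assumption: 48-byte NTP header plus an optional authenticator

def ntp_mode(payload: bytes) -> int:
    """Mode is the low three bits of the first NTP byte."""
    return payload[0] & 0x07

def is_reflection_candidate(pkt: dict) -> bool:
    """True for UDP arriving *from* port 123 that is not an ordinary time reply."""
    if pkt["proto"] != "udp" or pkt["sport"] != NTP_PORT or not pkt["payload"]:
        return False
    # Modes 6 (control) and 7 (private) are management traffic, not time sync.
    return ntp_mode(pkt["payload"]) in (6, 7) or len(pkt["payload"]) > MAX_TIME_SYNC_LEN

def flag_targets(packets, min_bytes, min_reflectors):
    """Return {dst: (suspect_bytes, distinct_sources)} for destinations over both thresholds."""
    stats = defaultdict(lambda: [0, set()])
    for pkt in packets:
        if is_reflection_candidate(pkt):
            stats[pkt["dst"]][0] += len(pkt["payload"])
            stats[pkt["dst"]][1].add(pkt["src"])
    return {dst: (total, len(srcs)) for dst, (total, srcs) in stats.items()
            if total >= min_bytes and len(srcs) >= min_reflectors}

def sample_packets():
    """Constructed capture using documentation address ranges."""
    def pkt(src, dst, proto, sport, payload):
        return {"src": src, "dst": dst, "proto": proto, "sport": sport, "payload": payload}
    big_reply = b"\x97" + bytes(439)   # mode 7 response, 440 bytes
    time_reply = b"\x24" + bytes(47)   # version 4, mode 4 (server), 48 bytes
    pkts = [pkt(f"198.51.100.{i}", "203.0.113.10", "udp", 123, big_reply)
            for i in (1, 2, 3) for _ in range(2)]
    pkts.append(pkt("192.0.2.5", "203.0.113.20", "udp", 123, time_reply))
    pkts.append(pkt("192.0.2.9", "203.0.113.30", "udp", 53, bytes(512)))
    return pkts

if __name__ == "__main__":
    for dst, (total, srcs) in flag_targets(sample_packets(), 2000, 3).items():
        print(f"{dst}: {total} suspect bytes from {srcs} NTP sources")
```

Requiring several distinct sources as well as a byte threshold keeps a single misbehaving time server from being reported as a reflection attack.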

Of course, Servers Australia is grateful for the excellent work Black Lotus has done for their servers and customers.

As for tips to managed hosts and gaming sites who want to do business in times of LulzSec and DerpTrolling (and numerous unknown trolls looking to cheat or make a name for themselves), going it alone isn’t an option anymore.

“My suggestion is to just spend the money and get outsourced protection,” Hirst explains. “We initially tried to do the protection ourselves and this was great for a little while, but the threats and technologies are changing daily. Let someone else manage the threats and collate the data and analytics to start blocking the threats.”

