When the Xbox Live servers went down a few weeks ago, my mind darted back to college. Surprisingly, though, I wasn’t thinking about my computer security course. I was thinking of my time in Martial Arts Club.
There is a technique in Aikido known as Ikkyo (or “first technique” if you’re nasty). It’s a quick move in which you grab an opponent’s wrist with one hand and cup their elbow with the other. In one smooth motion you lift their elbow above their shoulder and rotate their arm. The result is complete control of your attacker’s arm, and by extension, control over your attacker too. Like many Aikido techniques, Ikkyo takes very little force and, when done properly, is very hard to resist. The reason for its effectiveness is that it turns your opponent’s rotator cuff against them. The human body has plenty of muscles that rotate your arm in your shoulder joint, but once your elbow is lifted above your shoulder, you have no muscles that can oppose rotation. That deep knowledge of human physiology is weaponized so efficiently that there is not much an opponent can do about it. Once your elbow is up, you’re done.
Like Ikkyo, denial of service attacks weaponize the physiology of the internet, which is why Microsoft seems to be having so much trouble with them recently. In the past two months, Xbox Live has been down for days at a time, seemingly due to targeted denial of service attacks. An internet hacker gang, New World Hackers, has claimed responsibility for the Xbox Live outages. They claim that their attacks were a demonstration: “We attacked Xbox to protest. Major companies like this have massive servers but no real protection. We want Xbox to update the protection they have, which isn’t much.”
When I asked a Microsoft representative about the recent outages, she told me that Microsoft had no evidence of a distributed denial of service attack on their end. However, given the number of people who were unable to use Xbox Live in the late weeks of February and the sheer variety of DDoS attacks, it’s unlikely that nothing happened. Unfortunately, it is very hard to ascertain whether a denial of service attack has occurred when looking at Microsoft from the outside. Server outages and network instability can just as easily be caused by faulty code, high usage, or more severe forms of cyber-attack. However, if we take New World Hackers at their word, this occasion can help show why denial of service attacks are so problematic for a company like Microsoft, and explore whether the success of these apparent attacks actually exposes a fatal security flaw in Microsoft’s server structure.
Just like Ikkyo, a denial of service attack utilizes the structure of the internet to bring down a targeted service. Almost all information on the internet is transported via Hypertext Transfer Protocol (HTTP) packets. Even though that name makes it sound like data is traveling on a futuristic teleportation system designed by robots, it’s actually a fairly simple addressing scheme akin to addressing a physical letter. HTTP packets have To and From addresses, options that communicate additional information about the packet (like the “fragile” sticker on a package), and check sums to ensure that everything arrived at their destination in one piece. Since all of these fields can be filled in manually by someone with the proper tools, it’s very easy to perform some digital spamming.
The designers of the internet structured it to quickly and efficiently transfer information, not detect misuse. Therefore, they created the internet with the idea that the brains (packet addressing and processing) would exist at its endpoints, which were expensive personal computers and servers. To facilitate this design, the routers (like the router you might have in your house, but faster and bigger) that do the bulk of the packet transferring were kept cheap, fast, and dumb. Routers can’t tell that one dude in Saskatoon is sending out thousands of HTTP requests a minute; they’re going to treat those packets the like any other HTTP packet. Routers route. It’s all they know. As long as internet protocol (IP) is followed, the “postal workers” of the internet will try to get those packets wherever their addresses indicate, regardless of how sketchy the packets might seem to a trained eye. The designers of the internet just didn’t foresee a world where information is at the fingertips of every man, woman, and child in the developed world, and where a group like the New World Hackers would find a way to misuse it.
Since the internet is structured in this way, companies that do business on one of the internet’s millions of endpoints have to do the bulk of the work to protect their services. Thus, the go-to attack for most low-level hackers is the denial of service attack, since those attacks exploit the straightforward behavior of routers. DoS attacks are relatively easy to perform when compared to other, more technical forms of attack, and they quickly provide the basest of internet satisfactions: ruining someone else’s day. The simplest form of DoS attack sends a blast of thousands to millions of HTTP packets at a targeted service very quickly. This packet explosion creates an internet traffic jam in which some resource of the targeted server, be it memory, database connections, bandwidth, or network connections, is so overwhelmed that it slows to a crawl.
And that’s it. There’s no elaborate hack through a shadowy back-door. No months of clandestine planning. A few people with Low Orbit Ion Cannons (yes, that’s the name of a real DoS tool) and fast internet connections can easily take down the website of a small business with little to no technical expertise. If you’ve heard people complain about “script kiddies” when talking about DoS attacks, this is likely the tool and the method that they’re complaining about.
While small-time attacks like these are a big problem on the internet, in large scale cases like all of Xbox Live going down for days, it’s far more likely that the perpetrators used a distributed denial of service attack with a bit more oomph. As its name implies, a distributed denial of service amplifies the intensity and obfuscates the source of a DoS attack by utilizing multiple computers. A regular, brute-force DoS attack perpetrated by a relatively unskilled hacker can be defeated with a simple IP ban or some analysis of the specific packets being sent. A DDoS attack makes a mockery of simple IP banning and packet analysis through sheer volume and variety. It’s easy to stop thousands of bodiless HTTP requests coming from one town in Ohio; it’s just difficult to do a damn thing about millions of requests coming from different regions of Brazil, China, Russia, India, and the US.
Modern DDoS attacks generate such huge amounts of network traffic by utilizing something called a botnet. A botnet is a network of computers that have been infected with malicious software that allows a hacker to hijack them remotely. These infected computers behave completely normally most of the time, except when they are given the command to spam a target. Once a command is received, each computer in the botnet starts sending out a specified type of internet traffic at a specified target. After a hacker group builds a botnet, DDoSing services becomes much easier and defending against it becomes nearly impossible.
A company like Microsoft is in an especially difficult position with Xbox Live because their services are so broad, latency dependent, and visible. Xbox Live hosts global online multiplayer, server-side profile information, and a digital storefront all at once. If an attack slows down any of those services even a little bit, thousands of players will notice. If a web page takes a few extra seconds to load, most users can’t even tell; however, if there’s a lag spike for 30 seconds in a game of COD, Twitter will hear about it! Even worse, Xbox Live’s international reach means that if only one region’s servers are under attack, it could affect matched players a world away. Microsoft is like Jackie Chan trapped in a henchman circle, their goal is to perfectly defend against simultaneous attacks on multiple fronts while their opponent’s only goal is to hit hard once. All of those factors make a service like Xbox Live a perfect DDoS target.
So how can a perfect target defend itself? Let’s start by looking at the potentially obvious solutions. As I said above, IP bans have limited reliability, since it’s hard to identify where bogus traffic comes from. Plus, hackers have a ton of tools to dodge bans, including the ability to trick other, innocent servers into doing the attacks for them (it’s the digital equivalent of signing the victim up to a bunch of crappy mailing lists).
At a certain point, Microsoft could, theoretically, try to meet force with force. A glut of new servers could absorb some of the malicious requests and still maintain some service for regular users. However, those new servers aren’t free and using this solution is impractical for an attack that could last only a few hours–especially since there’s always a chance that the attack could be so severe that the service remains unusable despite the added processing power. The HTTP packets don’t even need to hit home to make the service so slow and unreliable that people can’t use it since bandwidth lies at the ISP level, not the corporate server level. Why spend gobs of money to potentially, maybe, alleviate a problem for only some users, and for only a few days?
Until now I’ve assumed that the New World Hackers actually hit Microsoft’s servers with a DDoS attack, but we could also take Microsoft at their word when they say “we have seen no indication of an attack.” As I mentioned, DoS attacks don’t need to directly hit their targets to ruin customers’ experiences. One form of DDoS attack, a link flooding attack, aims to send packets through a group of high traffic routers in the vicinity of the targeted service, and not at the service itself. In this attack, the hackers direct their botnet to send packets in such a way that they are routed through key routers in the core of the internet that their targeted service also relies on. By sending a high volume of seemingly ordinary traffic through a few key links in the backbone of the internet, hackers can slow to a crawl most of the traffic that would be flowing to their targeted service. In this case, the attack is occurring entirely within the realm of an ISP’s routers, so the targeted company can’t really do anything to mitigate it. Why fight someone if you can starve them?
The insidious thing about most DoS attacks is that they don’t do anything particularly fancy. They create the highest traffic day your site has ever seen and they do so with no warning. DoS attacks follow the standard channels of the internet in the standard ways, but they just do it at a destructive volume. Companies in the crosshairs of such attacks are at a huge disadvantage since the cost of launching an attack is trivial and the cost of defending against one is huge. This imbalance is accentuated by the fact that corporations need to defend against things like mass credit card theft or system infiltration that have a much higher impact. Microsoft needs to pick it’s security battles and the DDoS fight is both harder and a much lower priority than other types of attacks.
Ultimately, DDoS attacks on a service like Xbox Live are a display of power (some hackers sell their DDoS capability like a super villain in a Bond movie) or a passing vendetta, and waiting them out is often the only option. The variety of attacks and the ease with which they can be performed is a problem for every company operating on the internet. Unless the New World Hackers found some novel gap in Microsoft’s defenses, they likely didn’t expose any security hole in Microsoft’s servers: A DDoS attack doesn’t prove that a company’s servers are especially insecure, it only proves that (like the human body) all systems have weak points that knowledgeable attackers can exploit.
Gino Grieco is a freelance writer, computer programmer, and Giant Bomb moderator. He’s the guy who writes all of those Final Fantasy and Magic the Gathering blogs. He co-hosts the “Deep Listens” podcast which can be found here. You can find him on Twitch, Youtube, Twitter, and some site called Giant Bomb dot com under username ThatPinguino.