Naked Security

Ubisoft sues DDoS-for-hire operators for ruining game play

The network of sites and services run by the alleged operators target the Rainbow Six Siege game, selling attacks to cheating players.

Mega-big online gaming company Ubisoft, maker of mega-hit games including Assassin’s Creed, Far Cry, Just Dance and Tom Clancy’s Rainbow Six: Siege (R6S), is suing four operators of the DDoS-for-hire sites that have been launched against its Rainbow Six servers.
These guys aren’t just launching attacks that kick all players on a targeted server out of a game, or degrade the game performance down to sludge, Ubisoft alleges. They also allegedly went so far as to throw up a bogus domain seizure notice on one of their sites, claiming that the domain had been seized by “Microsoft Inc. and Ubisoft Entertainment” pursuant to a fictional “Operation (D)DoS OFF”, according to the complaint (posted courtesy of Polygon) that Ubisoft filed on Thursday in the US District Court of Northern California.
Ubisoft says it was part of the operators’ attempts to rub out their tracks:

Defendants are well aware of the harm that the DDoS Services and DDoS Attacks cause to Ubisoft. Indeed, knowing that this lawsuit was imminent, Defendants have hastily sought to conceal evidence concerning their involvement.

It’s not just alleged DDoS-for-hire operators who knew this lawsuit was coming. Everybody in the gaming world knew. Ubisoft picked up on an increase in DDoS attacks in September 2019, banned the worst offenders, and said that it was talking to its legal team about legal action.
Last week, Ubisoft filed the complaint against five people whom it thinks run a network of four distributed denial-of-service (DDoS)-for-hire services via various domain names and websites – the websites SNG.one, R6S.support, r6ddos.com, and (could they possibly be more redundant?) stressed-stresser-stressing-stressers.com – and who, it says, hide behind various anonymous online aliases to do so.
The defendants: Dennis Kruk (based in Germany), Maximilian Kuehl (Germany), Kelvin Uttih (Nigeria), an individual identified as B.R. (the Netherlands), and an individual identified only by their email address: apple.id12343@gmail.com.

Booter who, now?

Stressers – also known as booters or DDoS-for-hire – are publicly available, web-based services that launch server-clogger-upper attacks for a small fee or, sometimes, none at all.
As befits the “stresser this” and “stresser that” brand names for a lot of these services – besides the stresser-stressy-stress-o-matic name mentioned in the complaint, such services have included ExoStresser, QuezStresser, Betabooter, Databooter, Instabooter, Polystress, and Zstress – DDoS-for-hire sites sell high-bandwidth internet attack services, sometimes under the guise of “stress testing.” SNG.ONE does the same: its site describes it as a “penetration testing service.”
DDoS attacks are blunt instruments that work by overwhelming targeted sites with so much traffic that nobody can reach them. They can be used to render competitor or enemy websites temporarily inoperable out of malice, lulz or profit: as in, some attackers extort site owners into paying for attacks to stop.
One example is Lizard Squad, which, until its operators were busted in 2016, rented out its LizardStresser attack service. LizardStresser was given a dose of its own medicine when it was hacked in 2015.
You might remember Lizard Squad as the Grinch who ruined gamers’ Christmas with a DDoS against the servers that power PlayStation and Xbox consoles – an attack it carried out for our own good.
For our own good, as in, the attackers didn’t feel bad: some kids would just have to spend time with their families instead of playing games, one of them said at the time.
These services, in other words, are used a lot in the online gaming world. Booter-based DDoS attack tools offer a low barrier to entry for users looking to engage in cybercrime. Indeed, hiring a service to paralyze your enemies’, your competition’s and/or your targets’ sites makes it as easy as simply handing over the money, no technical skill required… nor much money.

Chump change for cheaters

In April 2018, when the world’s largest DoS site – Webstresser.org – got busted, we got a look at the paltry sums the crooks were charging for unleashing mayhem. According to Webstresser’s pricing table, archived before the site was taken down, memberships cost $18.99/month for the “bronze” level, and $49.99/month for a “platinum” service.
According to Ubisoft’s suit, the defendants sell subscriptions for up to $299.85 for “lifetime” access to a server that dishes out DDoS attacks. The subscription tiers include Starter, Advanced and “Full Time B00ter.” Monthly pricing starts at 10 Euros (about USD $11.11) and goes on up to 270 Euros (about USD $299.85) for “lifetime” access.
Besides R6S, the complaint included a screenshot that also showed Fortnite, FIFA 20, and Call of Duty: Modern Warfare 4 as potential targets.
There are a whole lot of DDoS-for-hire services out there, but the ones named in the complaint are specifically aimed at Ubisoft games. The operators of the services not only named their offerings using Rainbow Six Siege references; they’ve also “gone out of their way” to taunt Ubisoft support, the complaint notes.
For example, the complaint included a screenshot of a tweet that mocked Ubisoft’s security efforts, including the company’s efforts to ban users of the DDoS services.

But why?

As Polygon reports, DDoS attacks are the tools of cheaters.

Cheating players use the attacks to create lag, slow the matches down and frustrate legitimate players into quitting. Ordinarily, quitting a match earns a penalty and gives the remaining player ranked points without having to do anything.

Ubisoft asked the court to shut down the alleged cheaters’ websites and to award damages and fees.
SNG.ONE hasn’t responded to media inquiries.

