DDoS – INDIA NEWS (https://www.indiavpn.org), News Blog, feed generated Tue, 26 Mar 2024 13:57:42 +0000

Defending Minecraft Servers Against DDoS Attacks
https://www.indiavpn.org/2024/03/26/defending-minecraft-servers-against-ddos-attacks/
Tue, 26 Mar 2024 13:57:42 +0000

Minecraft, with over 500 million registered users and 166 million monthly players, faces significant risks from distributed denial-of-service (DDoS) attacks, threatening server functionality, player experience, and the game’s reputation. Despite the prevalence of DDoS attacks on the game, the majority of incidents go unreported, leaving a gap in awareness and protection. This article explains what happens to a Minecraft server during a DDoS attack and how to protect against such attacks. For an in-depth version of the article, check out this white paper.

When Creepers Breach: What Happens When an Attack Is Successful

When a Minecraft server is hit with a DDoS attack, players may have problems with logging in to servers, loading worlds, navigating biomes, using tools, and chatting. They can also experience general lags, disconnections, timeouts, or server crashes. These in-game disruptions can ruin the gaming experience for players while causing financial and reputational losses to server owners, operators, and the wider Minecraft community.

What Happens to a Minecraft Server During a DDoS Attack?

In a DDoS attack, the attacker’s objective is to disrupt a Minecraft server, rendering it unstable or unavailable to legitimate users, by flooding it with malicious traffic until it becomes overwhelmed. DDoS attacks on Minecraft servers can last anywhere from a few seconds to days, depending on their severity and the countermeasures in place.

Severe attacks can cost players prize money in tournaments, diminish players’ confidence in the server, cause server crashes, or even force servers to be upgraded for better redundancy and resilience against future attacks.

Evidence of an Attack

This checklist serves as a handy reference guide when facing suspicious network activities that resemble DDoS attacks.

Symptoms and what they mean:

  • Sudden spikes in traffic: Sudden spikes in traffic patterns can be a strong indicator of DDoS activity, as they often involve a large volume of traffic or packets.
  • Port congestion: A surge in traffic to specific ports on the network infrastructure can also be indicative of DDoS activity.
  • Too many requests: Too many connection requests from an IP or IP range, as detected by a rate-limiter, can signal DDoS activity or brute force attempts, among others.
  • Increased resource use: DDoS attacks place an overwhelming demand on server resources such as CPU and RAM.
  • Unusually slow network: Following sudden spikes or bursts, the network connection may take a hit and become unusually slow, grossly affecting gameplay.
  • Unresponsiveness: Depending on the site or type of attack, players may experience latency and lag, and become unable to perform in-game actions, interact with their biomes, or chat.
  • Unavailability: Intensive or extensive DDoS attacks may overwhelm a server’s resources, forcing it to go offline or crash.
  • Widespread complaints: Widespread complaints within the Minecraft community can indicate that a major DDoS attack is simultaneously targeting multiple servers.
  • Increased billing: Minecraft server owners on pay-as-you-go plans may notice a sudden spike in their compute bills or subscription fees.

If several of these signs converge at any given time for your Minecraft server, there’s a high probability that a DDoS attack is underway and requires immediate remediation.

If you’re not sure whether an attack is occurring, contact your ISP or host. They should be able to verify whether it’s a DDoS attack or not. In some cases, these signs can be symptoms of other cyberattacks or of unrelated network issues, so on their own they may be false positives.
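The “sudden spikes in traffic” and “too many requests from an IP” symptoms above can be checked mechanically against the server’s own log. The following is an added example, not code from the article or from any Minecraft project: it parses constructed log lines written in a simplified vanilla-server style (the `Name[/ip:port] logged in` form), and applies a sliding-window rate check per source IP and for the server as a whole. The window length and threshold are assumed values a server owner would tune.

```python
import re
from collections import defaultdict, deque

# Constructed sample log (not a real capture): one legitimate player, then one source
# address opening a new login every second for 30 seconds with throwaway player names.
SAMPLE_LOG = "\n".join(
    ["[12:00:00] [Server thread/INFO]: Alice[/198.51.100.7:51000] logged in with entity id 1 at (0.0, 64.0, 0.0)",
     "[12:00:00] [Server thread/INFO]: Alice joined the game"]
    + [f"[12:00:{i:02d}] [Server thread/INFO]: Bot{i}[/203.0.113.9:{40000 + i}] logged in with entity id {i + 2} at (0.0, 64.0, 0.0)"
       for i in range(30)]
)

# Only login lines carry a source address; everything else is skipped by the parser.
LOGIN_RE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2})\] \[[^\]]+\]: "
    r"(?P<name>\S+)\[/(?P<ip>[\d.]+):(?P<port>\d+)\] logged in"
)


def parse_logins(log_text):
    """Yield (seconds_since_midnight, source_ip, player_name) for each login line, in log order."""
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        h, mi, s = (int(x) for x in m["time"].split(":"))
        yield h * 3600 + mi * 60 + s, m["ip"], m["name"]


def flag_login_floods(log_text, window_s=10, threshold=10):
    """Per-source rate check ("too many requests from an IP").

    Returns {ip: (peak_count, time_of_peak)} for every source whose login attempts
    inside some window_s-second window reached threshold. window_s/threshold are assumed
    tuning values; a real server would set them from its normal join rate.
    """
    recent = defaultdict(deque)   # ip -> timestamps of logins still inside the window
    peaks = {}
    for t, ip, _name in parse_logins(log_text):
        q = recent[ip]
        q.append(t)
        while q and q[0] <= t - window_s:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold and len(q) > peaks.get(ip, (0, 0))[0]:
            peaks[ip] = (len(q), t)
    return peaks


def peak_server_login_rate(log_text, window_s=10):
    """Server-wide check ("sudden spike in traffic"): most logins from all sources in any window."""
    q = deque()
    peak = 0
    for t, _ip, _name in parse_logins(log_text):
        q.append(t)
        while q and q[0] <= t - window_s:
            q.popleft()
        peak = max(peak, len(q))
    return peak


if __name__ == "__main__":
    print("per-IP floods:", flag_login_floods(SAMPLE_LOG))
    print("server-wide peak logins per 10 s:", peak_server_login_rate(SAMPLE_LOG))
```

A per-IP hit from a single address is the brute-force-style signal the checklist mentions; a high server-wide peak with no single dominant address is the pattern to expect from a distributed flood.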

Impact on Minecraft Servers and the Minecraft Community

DDoS attacks significantly affect Minecraft servers, players, server owners, and the entire community. Disruption of gameplay isn’t the only concern. An attack that causes a player to miss out on significant tournament earnings has, in extreme cases, resulted in tragic outcomes with profound emotional impacts, rippling through the community and reaching friends and family. This emphasizes the need for robust protection and awareness.

DDoS attacks on Minecraft servers can have numerous impacts:

  • Poor gaming experience: DDoS attacks cause latency, lag, or disconnections, making Minecraft unplayable and negatively impacting the user experience.
  • Gameplay imbalance: Rival players might exploit unresponsive servers during a DDoS attack to unfairly gain an advantage for themselves over players on the targeted servers.
  • Server downtime: Crucial for online games, server downtime from intense DDoS attacks makes Minecraft servers unavailable, frustrating players who invest time, effort, energy, and passion in building, exploring, and interacting within the Minecraft environment.
  • Financial losses: DDoS attacks lead to potential revenue loss for server owners relying on donations, premium memberships, or in-game purchases. Attackers may demand a fee to scale back the attack, but complying with ransom demands invites future attacks.
  • Extra expenses: Yo-yo DDoS attacks create traffic fluctuations, increasing overhead costs for cloud-hosted servers.
  • Identity theft: DDoS may be a smokescreen for hacking and identity theft, increasing vulnerability during server unavailability.
  • Server ban for innocent parties: Persistent DDoS attacks on shared hosting plans can result in temporary bans for Minecraft servers, impacting both server members and server owners who depend on member revenues for financial support.
  • Reputational damage: Persistent DDoS attacks damage the reputation of a Minecraft server, leading to a decline in the server’s popularity and user base.
  • Community fallout: Persistent DDoS attacks can result in the breakup of Minecraft servers, fracturing social interactions and prompting players to leave.
  • Switching costs: Gamers face tangible and intangible costs when moving to a new server, including the loss of in-game purchases and achievements, subscriptions, and relationships.

Examples of Recent Attacks

Most Minecraft server DDoS attacks never make it to the news. A lot of small-scale attacks hit personal or private servers for the reasons discussed above. However, larger-scale DDoS attacks are more likely to create press because of their value as a marketing strategy for DDoS protection providers or because of the real-life consequences that result from the attack.

The largest ever Minecraft DDoS attack targeted the popular Wynncraft Minecraft server in 2022. A Mirai botnet variant launched a two-minute long 2.5 Tbps attack using UDP and TCP flood packets to attack the server, aiming to disrupt gameplay for hundreds of thousands of players.

Massive attacks on this scale—and the many more attacks on private and smaller servers that attract less attention—highlight the need to be wary of Minecraft DDoS attacks. It is therefore essential for server owners, admins, engineers, and hosting providers to protect their servers and the users who rely on them. Let’s explore some methods for DDoS mitigation.

Obsidian Walls: How to Protect Minecraft Servers Against DDoS Attacks

Basic Protective Measures

To defend your Minecraft server against DDoS attacks, begin with basic security measures:

  • Install antivirus software to block malware that could enlist your server into a botnet.
  • Use a VPN to obscure your server’s IP address.
  • Secure your SSH connection by changing the SSH port number or switching to key-based SSH authentication (for example, with keys generated in PuTTY).
  • Implement allowlists or whitelists to permit access only to verified players, and use blacklists to block malicious IPs or players.
  • Get a firewall, especially for self-hosted servers.
  • Incorporate rate limiting on network devices to manage traffic flow.
  • Keep your Minecraft server software and plugins up-to-date to patch vulnerabilities.

It’s important to stay current on the latest DDoS tactics, signs, and countermeasures, and ensure server moderators are also well-informed. Building a strong, supportive community, and promoting a positive gaming environment by vetting new members and monitoring forum chats for threats, can deter peer-to-peer DDoS attacks. In cases of serious threats, don’t hesitate to involve law enforcement or seek legal assistance.

Advanced Protective Measures

The above protective measures are baseline cybersecurity solutions; for comprehensive defense against DDoS attacks, a specialized approach like Gcore DDoS Protection is required. We offer real-time, all-in-one protection against DDoS attacks of any size, duration, or complexity, ensuring uninterrupted gaming. Built by gamers, for gamers, Gcore DDoS Protection provides tailored defense mechanisms, ultra-low false positive rate, and dedicated technical support, ensuring your Minecraft server remains protected every time, everywhere, in every situation.

By analyzing traffic and customizing protection strategies, we safeguard your server across all Minecraft versions and plugins. Our powerful infrastructure is capable of handling massive DDoS traffic spikes with a 110 Tbps capacity CDN. We block attacks from the very first query without compromising legitimate traffic, basing decisions on sessions rather than relying solely on IP addresses.

Diamond Defense: Proven Gaming Protection

Prevention is better than a cure. The gaming industry is one of the top three most attacked industries according to Gcore Radar and the FBI, and the average gaming DDoS attack costs victims upwards of $25,000 in losses, without factoring in any ransoms. Even for teams with in-house IT units, an attack may require significant time and labor to effect disaster recovery, and much more time to repair a reputation tarnished by unmitigated DDoS attacks.

Gcore DDoS Protection is a complete, proven service for mitigating DDoS attacks on Minecraft servers. Get a complimentary expert consultation and discover how we can protect your server and save you from the devastating consequences of DDoS attacks. Start with a free trial to experience the power of Gcore DDoS Protection for yourself.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

DirtyMoe Malware Infects 2,000+ Ukrainian Computers for DDoS and Cryptojacking
https://www.indiavpn.org/2024/02/02/dirtymoe-malware-infects-2000-ukrainian-computers-for-ddos-and-cryptojacking/
Fri, 02 Feb 2024 13:29:58 +0000

Feb 02, 2024 | Newsroom | Cryptojacking / Malware

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned that more than 2,000 computers in the country have been infected by a strain of malware called DirtyMoe.

The agency attributed the campaign to a threat actor it calls UAC-0027.

DirtyMoe, active since at least 2016, is capable of carrying out cryptojacking and distributed denial-of-service (DDoS) attacks. In March 2022, cybersecurity firm Avast revealed the malware’s ability to propagate in a worm-like fashion by taking advantage of known security flaws.

The DDoS botnet is known to be delivered by means of another malware referred to as Purple Fox or via bogus MSI installer packages for popular software such as Telegram. Purple Fox is also equipped with a rootkit that allows the threat actors to hide the malware on the machine and make it difficult to detect and remove.


The exact initial access vector used in the campaign targeting Ukraine is currently unknown. CERT-UA is recommending that organizations keep their systems up-to-date, enforce network segmentation, and monitor network traffic for any anomalous activity.

The disclosure comes as Securonix detailed an ongoing phishing campaign known as STEADY#URSA targeting Ukrainian military personnel with the goal of delivering a bespoke PowerShell backdoor dubbed SUBTLE-PAWS.

“The exploitation chain is relatively simple: it involves the target executing a malicious shortcut (.lnk) file which loads and executes a new PowerShell backdoor payload code (found inside another file contained within the same archive),” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said.

The attack is said to be related to a threat actor known as Shuckworm, which is also known as Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, and Winterflounder. Active since at least 2013, it’s assessed to be part of Russia’s Federal Security Service (FSB).

SUBTLE-PAWS, in addition to setting up persistence on the host, uses Telegram’s blogging platform called Telegraph to retrieve the command-and-control (C2) information, a technique previously identified as associated with the adversary since early 2023, and can propagate through removable attached drives.


Gamaredon’s ability to spread via USB drives was also documented by Check Point in November 2023, which named the PowerShell-based USB worm LitterDrifter.

“The SUBTLE-PAWS backdoor uses advanced techniques to execute malicious payloads dynamically,” the researchers said.

“They store and retrieve executable PowerShell code from the Windows Registry which can assist in evading traditional file-based detection methods. This approach also aids in maintaining persistence on the infected system, as the malware can initiate itself again after reboots or other interruptions.”

Gcore Radar Warns of a New Era of DDoS Attacks
https://www.indiavpn.org/2024/01/23/gcore-radar-warns-of-a-new-era-of-ddos-attacks/
Tue, 23 Jan 2024 12:44:58 +0000

Jan 23, 2024 | The Hacker News | Cybersecurity / Server Security

As we enter 2024, Gcore has released its latest Gcore Radar report, a twice-annual publication in which the company releases internal analytics to track DDoS attacks. Gcore’s broad, internationally distributed network of scrubbing centers allows them to follow attack trends over time. Read on to learn about DDoS attack trends for Q3–Q4 of 2023, and what they mean for developing a robust protection strategy in 2024.

Gcore’s Key Findings

DDoS attack trends for the second half of 2023 reveal alarming developments in the scale and sophistication of cyberthreats.

Unprecedented Attack Power

The past three years have brought about a >100% annual increase in DDoS peak (registered maximum) attack volume:

  • In 2021, the peak capacity of DDoS attacks was 300 Gbps
  • In 2022, it increased to 650 Gbps
  • In Q1–Q2 of 2023, it increased again to 800 Gbps
  • In Q3–Q4 of 2023, it surged to 1600 Gbps (1.6 Tbps)

Notably, the jump in H2 of 2023 means the cybersecurity industry is now measuring DDoS attacks in a new unit, terabits per second (Tbps).

Figure: Maximum attack power in 2021–2023 in Gbps, rising from 300 Gbps (2021) to 650 Gbps (2022) and 1600 Gbps (2023).

This illustrates a significant and ongoing escalation in the potential damage of DDoS attacks, a trend Gcore expects to see continue in 2024.

Attack Duration

Gcore saw attack lengths varying from three minutes to nine hours, with an average of about an hour. Short attacks are usually harder to detect because they don’t leave enough data for proper traffic analysis, and since they’re harder to recognize, they’re also harder to mitigate. Longer attacks require more resources to fight and demand a powerful mitigation response; otherwise, the risk is prolonged server unavailability.

Figure: Gcore’s longest registered attack in H2 of 2023, shown in bits and packets; it lasted nine hours.

Predominant Attack Types

UDP floods continue to dominate, constituting 62% of DDoS attacks. TCP floods and ICMP attacks also remain popular at 16% and 12% of the total, respectively.

All other DDoS attack types, including SYN, SYN+ACK flood, and RST Flood, accounted for a mere 10% combined. While some attackers may use these more sophisticated approaches, the majority are still focused on delivering sheer packet volume to take down servers.

Figure: Dominant attack types in H2 of 2023: UDP flood 62%, TCP 16%, ICMP 12%, other 10%.

The variation in attack methods necessitates a multifaceted defense strategy that can protect against a range of DDoS techniques.

Global Attack Sources

Gcore identified diverse attack origins in the latter half of 2023, with the US leading at 24%. Indonesia (17%), the Netherlands (12%), Thailand (10%), Colombia (8%), Russia (8%), Ukraine (5%), Mexico (3%), Germany (2%), and Brazil (2%) make up the top ten, illustrating a widespread global threat. This global spread of attack sources demonstrates the borderless nature of cyber threats, where attackers operate across national boundaries.

Figure: Geographical attack source spread, top attack sources by country, with the US in first place at 24%.

The geographic distribution of DDoS attack sources provides important information for creating targeted defense strategies and for shaping international policy-making aimed at combating cybercrime. However, determining the location of the attacker is challenging due to the use of techniques like IP spoofing and the involvement of distributed botnets. This makes it difficult to assess motivations and capabilities, which can vary from state-sponsored actions to individual hackers.

Targeted Industries

The most-targeted industries in H2 of 2023 highlight the impact of DDoS attacks across diverse sectors:

  • The gaming industry remains the most affected, enduring 46% of the attacks.
  • The financial sector, including banks and gambling services, came in second at 22%.
  • Telecommunications (18%), infrastructure-as-a-service (IaaS) providers (7%), and computer software companies (3%) were also significantly targeted.

Figure: DDoS attacks by affected industry in Q3–Q4 of 2023, with gaming most hit at 46%.

Since the previous Gcore Radar report, attackers haven’t changed their focus: The gaming and financial sectors are particularly interesting to attackers, likely due to their financial gains and user impact. This underscores a need for targeted cybersecurity strategies in the most-hit industries, like countermeasures for specific gaming servers.

Analysis

The data from the latter half of 2023 highlights a worrying trend in the DDoS attack landscape. The increase in attack power to 1.6 Tbps is particularly alarming, signaling a new level of threat for which organizations must prepare. For comparison, even a “humble” 300 Gbps attack is capable of disabling an unprotected server. Paired with the geographical distribution of attack sources, it’s clear that DDoS threats are a serious and global issue, necessitating international cooperation and intelligence sharing to mitigate potentially devastating attacks effectively.

The range in attack durations suggests that attackers are becoming more strategic, tailoring their approaches to specific targets and objectives:

  • In the gaming sector, for example, assaults are relatively low in power and duration but more frequent, repeatedly disrupting a specific server so that frustrated players switch to a competitor’s server.
  • For the financial and telecom sectors, where the economic impact is more immediate, attacks are often higher in volume with length highly variable.

The ongoing targeting of the gaming, financial sectors, telecommunications, and IaaS industries reflects the strategic choice of attackers to pick services whose disruption has a significant economic and operational impact.

Conclusion

The Gcore Radar report for Q3–Q4 of 2023 serves as a timely reminder of the ever-evolving nature of cyberthreats. Organizations across sectors must invest in comprehensive and adaptive cybersecurity measures. Staying ahead of DDoS threats requires a keen understanding of the changing patterns and strategies of cyber attackers.

Gcore DDoS Protection has a proven record of repelling even the most powerful and sustained attacks. Connect Gcore DDoS Protection to protect your business from whatever the 2024 DDoS landscape brings.

DDoS Attacks on the Environmental Services Industry Surge by 61,839% in 2023
https://www.indiavpn.org/2024/01/15/ddos-attacks-on-the-environmental-services-industry-surge-by-61839-in-2023/
Mon, 15 Jan 2024 08:10:35 +0000

Jan 15, 2024 | Newsroom | Server Security / Cyber Attack

The environmental services industry witnessed an “unprecedented surge” in HTTP-based distributed denial-of-service (DDoS) attacks, accounting for half of all its HTTP traffic.

This marks a 61,839% increase in DDoS attack traffic year-over-year, web infrastructure and security company Cloudflare said in its DDoS threat report for 2023 Q4 published last week.

“This surge in cyber attacks coincided with COP 28, which ran from November 30th to December 12th, 2023,” security researchers Omer Yoachimik and Jorge Pacheco said, describing it as a “disturbing trend in the cyber threat landscape.”

The uptick in HTTP attacks targeting environmental services websites is part of a larger trend observed annually over the past few years, specifically during COP 26 and COP 27, as well as other United Nations environment-related resolutions or announcements.

“This recurring pattern underscores the growing intersection between environmental issues and cyber security, a nexus that is increasingly becoming a focal point for attackers in the digital age,” the researchers said.


Despite the environmental services sector becoming a new target in Q4 2023, the cryptocurrency industry continues to be the primary casualty in terms of the volume of HTTP DDoS attack requests.

With more than 330 billion HTTP requests targeting it, the attack traffic represents more than 4% of all HTTP DDoS traffic for the quarter. Gaming and gambling and telecommunications emerged as the second and third most attacked industries.

On the other end of the spectrum are the U.S. and China, acting as the main sources of HTTP DDoS attack traffic. It’s worth noting that the U.S. has been the largest source of HTTP DDoS attacks for five consecutive quarters since Q4 2022.


“Together, China and the U.S. account for a little over a quarter of all HTTP DDoS attack traffic in the world,” the researchers said. “Brazil, Germany, Indonesia, and Argentina account for the next 25%.”

The development comes amid a heavy onslaught of DDoS attacks targeting Palestinian banking, information technology (IT), and internet platforms following the onset of the Israel-Hamas War and Israel’s counteroffensive codenamed Operation Iron Swords.

The percentage of DDoS attack traffic targeting Palestinian websites grew by 1,126% quarter-over-quarter, Cloudflare said, adding DDoS attack traffic targeting Taiwan registered a 3,370% growth amidst the Taiwanese presidential elections and rising tensions with China.


Akamai, which also published its own retrospective on DDoS Trends in 2023, said “DDoS attacks became more frequent, longer, highly sophisticated (with multiple vectors), and focused on horizontal targets (attacking multiple IP destinations in the same attack event).”

The findings also follow a report from Cloudflare about the increasing threat posed by unmanaged or unsecured API endpoints, which could enable threat actors to exfiltrate potentially sensitive information.

“HTTP anomalies — the most frequent threat toward APIs — are common signals of malicious API requests,” the company said. “More than half (51.6%) of traffic errors from API origins comprised ‘429’ error codes: ‘Too Many Requests.'”

New NKAbuse Malware Exploits NKN Blockchain Tech for DDoS Attacks
https://www.indiavpn.org/2023/12/26/new-nkabuse-malware-exploits-nkn-blockchain-tech-for-ddos-attacks/
Tue, 26 Dec 2023 12:23:01 +0000

Dec 15, 2023 | Newsroom | Blockchain / Internet of Things

A novel multi-platform threat called NKAbuse has been discovered using a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel.

“The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities,” Russian cybersecurity company Kaspersky said in a Thursday report.

NKN, which has over 62,000 nodes, is described as a “software overlay network built on top of today’s Internet that enables users to share unused bandwidth and earn token rewards.” It incorporates a blockchain layer on top of the existing TCP/IP stack.


While threat actors are known to take advantage of emerging communication protocols for command-and-control (C2) purposes and evade detection, NKAbuse leverages blockchain technology to conduct distributed denial-of-service (DDoS) attacks and function as an implant inside compromised systems.

Specifically, it uses the protocol to talk to the bot master and receive/send commands. The malware is implemented in the Go programming language, and evidence points to it being used primarily to single out Linux systems, including IoT devices, in Colombia, Mexico, and Vietnam.

It’s currently not known how widespread the attacks are, but one instance identified by Kaspersky entails the exploitation of a six-year-old critical security flaw in Apache Struts (CVE-2017-5638, CVSS score: 10.0) to breach an unnamed financial company.


Successful exploitation is followed by the delivery of an initial shell script that’s responsible for downloading the implant from a remote server, but not before checking the operating system of the target host. The server hosting the malware houses eight different versions of NKAbuse to support various CPU architectures: i386, arm64, arm, amd64, mips, mipsel, mips64, and mips64el.

Another notable aspect is its lack of a self-propagation mechanism, meaning the malware needs to be delivered to a target by another initial access pathway, such as through the exploitation of security flaws.


“NKAbuse makes use of cron jobs to survive reboots,” Kaspersky said. “To achieve that, it needs to be root. It checks that the current user ID is 0 and, if so, proceeds to parse the current crontab, adding itself for every reboot.”
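The persistence hook described in that quote, an entry added to root’s crontab that runs at every reboot, is straightforward to audit. The following is an added example, not code from Kaspersky or from the article: it parses crontab text (comments, variable assignments, five-field schedules and `@`-specials) and reports `@reboot` entries, additionally noting when the command is launched from a temporary directory. The sample crontab, including the `/tmp/.x/implant` path, is constructed for the demonstration and is not an indicator from the report.

```python
import re
import sys

# Constructed root crontab (not from a real infection): two ordinary jobs, a comment,
# an environment line, and one @reboot entry that relaunches a binary from /tmp.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup-check
@reboot /tmp/.x/implant >/dev/null 2>&1
"""

# Either an @special keyword or five whitespace-separated schedule fields, then the command.
SCHEDULE_RE = re.compile(
    r"^(?:@(?P<special>\w+)|(?P<fields>(?:\S+\s+){5}))(?P<command>.+)$"
)
# Directories the detection treats as unusual homes for a boot-time command (assumed list).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_crontab(text):
    """Return [(schedule, command)]; blank lines, comments and NAME=value lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = SCHEDULE_RE.match(line)
        if not m:
            continue
        schedule = "@" + m["special"] if m["special"] else m["fields"].strip()
        entries.append((schedule, m["command"].strip()))
    return entries


def find_reboot_persistence(text):
    """Flag every @reboot entry, the hook the quoted report describes, with a reason string."""
    findings = []
    for schedule, command in parse_crontab(text):
        if schedule != "@reboot":
            continue
        reason = "runs at every boot"
        if any(command.startswith(d) or (" " + d) in command for d in SUSPICIOUS_DIRS):
            reason += "; command lives in a temporary directory"
        findings.append((command, reason))
    return findings


if __name__ == "__main__":
    # Pipe a real crontab in ("crontab -l" as root, since the report says the implant
    # needs uid 0 to install itself); with no piped input the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRONTAB
    for command, reason in find_reboot_persistence(text):
        print(f"{reason}: {command}")
```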

NKAbuse also incorporates a bevy of backdoor features that allow it to periodically send a heartbeat message to the bot master, which contains information about the system, capture screenshots of the current screen, perform file operations, and run system commands.

“This particular implant appears to have been meticulously crafted for integration into a botnet, yet it can adapt to functioning as a backdoor in a specific host,” Kaspersky said. “Moreover, its use of blockchain technology ensures both reliability and anonymity, which indicates the potential for this botnet to expand steadily over time, seemingly devoid of an identifiable central controller.”

“We are surprised to see NKN is used in such a way,” Zheng “Bruce” Li, co-founder of NKN, told The Hacker News. “We built NKN to provide true peer-to-peer communication that is secure, private, decentralized, and massively scalable. We are trying to learn more about the report to see if together we can make the internet safe and neutral.”
