eSports Has a DDoS Problem

Earlier this week, on-stage commentators at the 2015 International Dota 2 Championships, one of the biggest eSports events in the world, told the crowd of 10,000 people at Seattle's Key Arena and around 200,000 concurrent viewers at home that they had to pause the show because of a denial of service (DDoS) attack.

A DDoS attack is when multiple computers, or "botnets," often from around the world, send an overwhelming amount of traffic to a specific user, thereby denying that person or machine access to the internet.

Dota 2 developer Valve, which put the show on the with the help of a company hired specifically to defend against this type of disruption, was able to resume after an hour of hosts filling dead air, but the attack highlights an important, ongoing issue for eSports: It's easy and potentially profitable to manipulate the results of official, high-level competitions with DDoS attacks.

It's already happening. While the attack and outage at The International received mainstream media attention, other, less visible but still important eSports matches were being attacked as well.

One victim of DDoS attacks this week is the League of Legends team for Denial eSports. On August 4, Denial was playing against team Dignitas in the European Challenger Series. The winner of that game would have to play another team, and if it won that match, it would get a free spot at the League of Legends Champion Series (LCS), developer Riot's prestigious and lucrative tournament.

Denial was winning the match when the attack happened.

"One of our players [Thomas "Kirei" Yuen] got DDoS'd, so he quickly changed his PC," Mike "Wickd" Petersen, who plays the "top" position for Denial's League of Legends team, told Motherboard. "He went to his sister's house, tried it there, still didn't work, rushed to a different location, still didn't work. He went from house to house and he got DDoS'd at all three places."

Unfortunately, Riot's Official Challenger Series 2015 Rule Guide states in section 7.5.5 that if a team can't field all five of its players it must forfeit the match, and section 7.5.4 only gives them a maximum of 10 minutes to pause and resolve any issues.

The rules for the most popular eSports game by far have created conditions where, if you have the ability to knock one member of either team offline for more than 10 minutes, you have the power to determine the outcome of the match regardless of skill and sportsmanship.

This is not a difficult thing to do.

If you're not heavily into eSports, you probably only know about them from their biggest events, which are covered on EPSN and other big media outlets. When you think of eSports, you're probably imagining giant arenas filled with thousands of fans, all cheering for teams who are playing on computers that have been set up on the main stage.

What you might not have known is that many of the matches that determine which teams get to the main stage are played from homes across the world. The game between Diginitas and Denial, which would give one team the opportunity to go to LCS, was such a game, with each team member connecting to an online server from his private home.

If even Valve isn't immune to DDoS attacks, individuals are easy targets by comparison.

John Graham-Cumming, a programmer at CloudFlare, a company that specializes in preventing DDoS attacks, said it was so easy to knock one person offline, he offered do it to me while we spoke. I politely declined, but his point stands.

"There are services on the web where you can attack people for money," Graham-Cumming said. "They're called booter services and they're specifically designed to boot people off whatever they're doing. They grew out of booting people off of chat and out of games. It's exactly this sort of thing we're talking about."

All you need to boot someone offline with one of these services is their IP address. If that person has a Skype client or a TeamSpeak client on that computer, which eSports teams use to communicate by voice, you can easily find their IP address with Skype or TeamSpeak "resolvers."

"Then you go to a booter service, fill out a credit card number, and pay a small amount of dollars," Graham-Cumming said. "Their home internet connection can't deal with the traffic or their ISP says there's an unrealistic amount of traffic hitting this IP, and bam, you're knocked offline."

These services are so accessible and complimentary, when I searched for Skype resolvers I was immediately bombarded with ads for booter services, which offer to keep an IP address of my choosing offline for any amount of time if I was willing to pay a dollar a minute, or less.

Petersen said that DDoS attacks have been a common problem in eSports for the last three or four years. Some teams, like the Turkish team Zone, have had an especially bad experience.

In a post to Facebook, the team's head coach Adrian "hatchý" Widera said that Zone was DDoS'd so often, that it came prepared for its match against team FMF on August 4.

Following Riot's own DDoS prevention guide, it stopped using Skype, TeamSpeak, changed its IP address, deleted all unnecessary software from its computers, and gathered in the same location so team members could communicate by voice.

Still, somehow Zone got attacked anyway. "Our team got DDoS'd," Widera told Motherboard. "We couldn't do anything about it."

According to Widera, the DDoS attack didn't knock them offline initially, but slowed them down to the point where they weren't able to pick their desired Champions (the characters players control in the game), putting it at a severe disadvantage.

Widera concludes that the only way anyone would be able to get their players' IP addresses would be directly through Riot's tournament client, the software used for competitive League of Legends play, which would suggest that there's no way to stop attackers from DDoSing official matches. Riot didn't respond to request to comment on this story, so we can't be certain, but Graham-Cumming said it's not out of the question that Riot's software can expose IP addresses.

"We ended up with 0-2 score against the weakest team in the Challenger Series without being able to play it out in a fair play fashion," Widera said. "The team we played against offered a rematch in the sake of fair play, but Riot refused to accept this kind of deal."

When he last spoke to Motherboard, Widera said that he was still in contact with Riot about a possible solution, but his most recent update to Facebook states that Riot "made the worst decision possible" on the matter.

"Riot just says these are the rules and you have to follow," Petersen said. "Basically they look at the rules as black and white. I think some people do it [DDoS] because they favor a specific team, and other people will do it just because they think it's fun or they want to disrupt the tournament."

As previously reported on Motherboard, a growing part of eSports' popularity is the ability to bet on matches. Earlier this year we saw the launch of eSports betting site Unikrn, which already raised $7 million in Series A funding from well known investors including Mark Cuban.

It currently allows eSports fans in the UK, Ireland, and Australia (the site is not legal in the United States) to place bets as high as $250 on eSports matches.

We have no way of knowing if someone already used a DDoS attack and placed a bet through one of these sites for a profitable outcome, though eSports betting sites were manipulated in other ways in the past. What we can say for sure is that it's possible, and not that difficult.

The fact of the matter is that people are already betting on matches that were unfairly determined because of a DDoS attack, like the one between Dignitas and Denial.

The image above shows that out of all the Unikrn users that placed bets on the match between Dignitas and Denial, only 8 percent had Dignitas, which won due to a DDoS attack, as a favorite.

It's tempting to interpret this as condemning evidence, but it doesn't prove anything. Someone could have just gotten lucky.

Unikrn doesn't reveal any numbers about its users—how many it has, how much money it makes, and so on—so we also have no way of knowing how much action this one particular game saw.

Unikrn's director of eSports and in-house counsel Bryce Blum told Motherboard that the site reserves the right to invalidate bets in case major issues arise, but that it has yet to do so.

Blum is fully aware of the DDoSing issue, but he's also confident in Unikrn's ability to detect suspicious bets.

"When match fixing scandals have happened in the past or other examples of abusing betting sites, it's usually been through several accounts placing max bets, which is incredibly difficult to do on our site because we have partnered with TabCorp, which one of the largest, publicly trading wagering firms in the world," Blum said.

Blum added that if a bet seems suspicious when compared to historical data, how popular the teams are, and the stakes for the match, Unikrn's algorithms will flag it as suspicious, but that hasn't happened yet.

"People are going to bet on matches no matter what you do," Blum said. "It's illegal in the US and still people bet on sports in the US to the tune of billions of dollars, the vast majority of which is illegal. The reality is that it's going to happen whether you like it or not, and the same is true for eSports. It's paramount to the existence of our business for us to do everything we can to protect competitive integrity, because if not, who's going to trust our site?"

Finally, it's important to note that Unikrn has good reasons not to share too much information about what companies it's working with and what strategies it's using to handle the DDoSing issue.

"The way you beat DDoSing is being one step ahead of the people who would perpetrate an attack like this," Blum said. "I'm inherently hamstrung in how much details I can go into because it would defeat the purpose to tip off the people who would do something like this."

As Graham-Cumming notes, even companies like CloudFlare struggle to prevent DDoS attacks, so as long as matches are being played online, they're going to be vulnerable.

"I think Riot should have all important games played offline, no matter what," Petersen said. "Even for sponsors, it's very unstable. Imagine a sponsor paid a shit ton for a team because they thought they were really good and had really good chances, and then the team lost the spot just because it's getting DDoS'd."

When Riot hosts its own events, players compete via LAN, a direct, wired, offline network. Doing the same for all events and qualifying matches would be a challenge.

"Riot doesn't want to pay for it, that's the only reasonable explanation," Petersen said. "They don't want to fly the players out to play in the same location."

DDoS attacks are yet another growing pain for eSports, which had 89 million viewers in 2014, and is expected to reach 145 million viewers by 2017. According to games market research firm Newzoo, that amounts to a $1 billion business. As viewership and attention for competitive games like League of Legends, Dota 2, and Counter-Strike: Global Offensive grows, DDoS attacks will become a bigger issue.

As is the case with the cheating, match-fixing, injuries, and doping issues in eSports (we're seeing some progress with the latter), the major stakeholders in this booming business are going to have to confront these problems in a more serious manner soon, or risk jeopardizing the integrity of eSports as a whole.