League of Legends and Battlefield 4 attackers were using rare DDoS method

The recent wave of distributed denial-of-service (DDoS) attacks that took out EA's Origin service, Blizzard's Battle.net, and League of Legends, amongst others, was using a virtually unheard of method to amplify the amount of data being sent in order to grind many popular online games to a halt.

The group, calling itself DERP and its tools the "Gaben Laser Beam," is said to have used the Network Time Protocol (NTP) to carry out its attacks, Arstechnica explains. NTP is used to synchronise computers and other devices to the correct local time, and the group managed to inflate the effectiveness of its DDoS attacks by sending out a barrage of requests to these servers while pretending to be one of these gaming services (such as League of Legends), with the NTP.

It's an effective tactic because the DDoS attacker gets more than a 5800% return on their investment: sending the fake request uses up eight bytes of data for the attacker, but the reply from the NTP server weighs in at 468 bytes of strain for the victim's server.

"Prior to December [2013], an NTP attack was almost unheard of because if there was one it wasn't worth talking about," said Shawn Marck, CEO of DoS-mitigation service Black Lotus.

"It was so tiny it never showed up in the major reports. What we're witnessing is a shift in methodology," Marck added. More information about the NTP attacks, and other forms of DDoS amplification, can be found in the full Arstechnica article.

Meanwhile, Motty Alon, director of security services at data center application and security company Radware, said to GameSpot that he believes DERP must have some kind of incentive other than causing trouble. "As this attack campaign evolved," said Alon, "I’ve changed my opinion several times as to what’s really going on here. In the beginning, I believed that this was just a kid just taking revenge on society. Then, as we entered the second and third days of the campaign, I had a different take."

"Taking into consideration the damage that DERP is creating and the length of these attacks, this person (or group) is spending quite a lot of time to keep up with these attacks, and regardless of the hurdles, must they have a hidden incentive."

When asked if online games could expect to see more DDoS attacks from disgruntled individuals and groups in the future, Alon said that these kinds of online attacks have only become more common over the past few years.

"Since the beginning of 2010, we saw an increased trend of DDoS attacks happening to the extent that they are now about 30 percent of all cyber attacks," he said. "We see this trend growing, and we believe that this trend will continue as DDoS attacks very easily become a tool used by protestors."

At time of writing, DERP's last message on Twitter was posted on January 7 and read "goodbye for now."