I outran a ferocious dog once. The memory is still very fresh for me, despite the fact that it happened 30 years ago. What should be most impressive about this story is that I ran up fourteen flights of stairs, without stopping. I don't think I've ever accomplished this level of physical excellence ever again. I wonder what would have happened if I had been exposed to Gamma rays just as the chase began. We'll never know.
The afternoon started like any other; I walked from school to the local variety store to look at the latest GI Joe figures, and then I walked the several blocks to my apartment building. Without a warning or provocation, a dog that looked part boxer, part pitbull, part lion and part dragon came running at me full speed, barking loudly. Maybe someone let the dog loose as a way to make for a fun afternoon, and maybe I could have laughed it off, but my spider senses were tingling (to mix super metaphors).
I took off running to the closest exit I could find, which was the staircase. It's worth noting that I'm not a runner. I'd rather sneak away or face a threat than run, but this time my body took over. I'll never know where I left the dog behind, but by the time I made it up to the 14th floor, and into my apartment, my heart was trying to drum its way out of my chest.
We humans are impressive. We can react quickly under the wildest circumstances. It's for this reason that we sometimes convince ourselves not to plan. "I've got the IT reflexes of a puma!" you tell yourself. "I don't need to sit here worried about DDoS attacks, because I'll catch them mid-flight like karate masters catch house flies!" For a large chunk of gaming companies, this seems to be the mindset. According to our recent game developer survey, 34% of respondents indicated that they "handle security threats as they come up".
I may never know who let the dog out, no matter how many times we ask. Sadly, as much as rare moments of superheroism find their ways into all our lives, this isn't something we can rely on consistently. And your players deserve better. Good game security isn't about lightning fast reflexes; it's about the slow boring, thoughtful work of developing a plan and having a carefully considered defense posture.
I understand why some companies can be so slow to establish well thought out and proactive security postures. Security isn't something many companies feel comfortable talking about, which means it can be difficult to gain insight from other experts in the space. Games publishers can be tight lipped, with good reason, about the attacks they've experienced, and their mitigation strategies. It means the industry stays in the dark. It also means it's on you to seek out the information.
There's a broad impression that DDoS attacks are old news, and have been contained. Certainly, there are a lot of us working aggressively against attackers, but recent events highlight that DDoS attacks are actually constantly on the rise, and gaining in sophistication. Attacks are lasting longer, and getting bigger.
Some companies insist that their game type or audience isn't likely to be attacked. Maybe it's because your game is family-friendly, or fits into a niche category. "Our brand is too happy to be attacked", you might say. But the fact is that everyone is a potential target. Attacks follow the money,
I'm not trying to scare you. There's plenty you can do to prepare for attacks, and to defend your players and servers. It's important that you have the uncomfortable conversations with your team about your security plan, and that you evaluate all the possible attack vectors. Is your authentication server safe? Does your game make lots of calls to the server, creating a rich attack vector? Is your matchmaking server protected? Start thinking about this now, and you'll be ahead of a third of the industry.
Dig deeper: Learn more about the challenges gaming companies are facing-check out the results of our recent game developer survey.