
Another Attack, Another Clean Sweep

A multi-vector attack hit us in late January. Different technique, same result — zero downtime.

We wrote about the November attack a few months ago. In late January we got hit again — this time with a different approach. Where the November event was a straightforward volumetric flood, the January attack was multi-vector: a combination of SYN flood, HTTP request flood against our web infrastructure, and a lower-bandwidth but high packet-rate UDP attack running simultaneously.

Multi-vector attacks are harder to mitigate because each component requires a different response. You can't just apply one rule and be done with it. The attacker is betting that while you're dealing with one vector, another slips through.

The timeline

The attack started at 19:12 UTC on January 28th. Our automated detection flagged anomalous SYN rates within about 45 seconds, and the mitigation pipeline engaged. The HTTP flood component was caught by our rate limiting layer about two minutes in when request rates from certain IP ranges exceeded normal thresholds by several orders of magnitude. The UDP component was the most straightforward to handle — it matched known attack signatures and was being dropped at the upstream level almost immediately.

Total attack duration: 41 minutes. Customer-facing impact: none detected. No support tickets filed during or after the event.

What made this one interesting

The HTTP flood was specifically targeting our status page and billing subdomain rather than the game server IPs. That's a more targeted approach than we usually see — it suggests whoever was behind it had done some reconnaissance on our infrastructure layout. The intent was probably to take down the customer-facing web properties even if the game servers themselves stayed up, which would at least create the impression of an outage.

The rate limiting rules on our web infrastructure held. The status page stayed up throughout, which meant customers could see at any point that all systems were operational. That transparency matters — even if we hadn't caught it perfectly, customers would have been able to see what was happening in real time.
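The per-range rate check described above can be sketched as follows. This is an added example, not code from our production pipeline: the window length, baseline rate, trigger factor, hostnames and addresses are all assumed or constructed values. It counts requests per source range and target host, and shows why aggregating by range matters when each individual client stays close to normal.

```python
import ipaddress
import math
from collections import Counter

# Assumed values, not taken from the post: window, baseline and trigger.
WINDOW_S = 10          # fixed counting window, in seconds
BASELINE_RPS = 2.0     # normal requests/second from one source range to one host
TRIGGER_ORDERS = 2     # flag at >= 2 orders of magnitude above baseline

def prefix_of(ip, v4_len=24, v6_len=48):
    """Collapse a client address to its covering range (/24 IPv4, /48 IPv6)."""
    addr = ipaddress.ip_address(ip)
    length = v4_len if addr.version == 4 else v6_len
    return str(ipaddress.ip_network(f"{ip}/{length}", strict=False))

def flag_ranges(events, v4_len=24):
    """events: iterable of (epoch_seconds, client_ip, host).
    Returns {(window_start, prefix, host): orders of magnitude over baseline}."""
    counts = Counter()
    for ts, ip, host in events:
        window = int(ts) - int(ts) % WINDOW_S
        counts[(window, prefix_of(ip, v4_len), host)] += 1
    flagged = {}
    for key, n in counts.items():
        orders = math.log10((n / WINDOW_S) / BASELINE_RPS)
        if orders >= TRIGGER_ORDERS:
            flagged[key] = round(orders, 2)
    return flagged

def sample_events():
    """Constructed sample: documentation-range addresses, example.com hosts."""
    t0 = 1_700_000_000
    events = []
    # 40 clients in one /24, each sending only 6 req/s at the status page.
    for h in range(1, 41):
        for i in range(60):
            events.append((t0 + i % 10, f"203.0.113.{h}", "status.example.com"))
    # Ordinary traffic from one client against the billing host.
    for i in range(10):
        events.append((t0 + i, "198.51.100.7", "billing.example.com"))
    return events

if __name__ == "__main__":
    for (window, prefix, host), orders in flag_ranges(sample_events()).items():
        print(window, prefix, host, f"10^{orders} x baseline")
```

Counting the same sample per single address (`v4_len=32`) flags nothing, because no one client is far above baseline; only the range-level view exposes the flood.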

Takeaways

Multi-vector attacks are becoming more common. They require layered defences rather than a single mitigation strategy. We're continuing to invest in that layering — more on specific infrastructure changes coming in a future post.

