Mad salt. Imagine a fully grown man having a toddler tantrum. "If I can't play/win/get my way, nobody can" type mentality. It's also a method of coercion. Give me mod status or I'll DDOS your server and destroy your community.

The other half comes from sever operators ddosing their competition. There is a lot of money to be made from paid cosmetics, ranks, moderator (demi-tyrant) status, etc on custom servers.

It depends on the game, but for those with some kind of marketplace or transferable currency, I'm guessing market manipulation is one possible reason.

For other games, maybe trying to interrupt some time limited event or tournament. Going all the way down the rabbit hole, if you're not already familiar take a look at how crazy things get in a game like EVE: Online.

Then of course there are the bored trolls and/or people who feel wronged by the game's developers or other players.

> What's the benefit of taking down an online game for a couple of hours.

Competitive MMO. Imagine some event is setup to start at some time and your guild or alliance knows they're gonna lose it and the resource it gives: DDOS the server so it's down during the event so it does not run. Enjoy the fact you kept the asset linked to said event and sell the resources you get for real money.

If you've never played those kind of games you cannot fathom how cutthroat they can become. I'm part of a guild which has a specific intelligence branch with spies embedded in many other guilds and that's playing nice because we're not selling anything.

Probably it has to do with all the gambling sites associated with gaming not the games itself.

Taking a competitor offline for a few hours is a lot of money in a market business I expect.

there seems to be lot of weird stuff going on with gaming casinos the recent CoffeeZilla episode comes to mind, so wouldn’t be surprised if botnets are used

They get banned for trolling, griefing, cheating, breaking rules etc. and want revenge. Every game operator has to deal with idiots like this

the ddos market has been somewhat centered around gaming for a while now, mainly to take down game server competition, or as an attempt to sell big players on "ddos protection" services.

well, gaming and Krebs's blog: https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with...

I'm surprised no one has mentioned duping. Selling items and currency for real world money is big bucks and IME, server crashes reliably enable duping exploits.

Not saying that's the case in this particular incident though.

> So why? Like why would someone pay to take a game down?

esports gambling and winning tournaments is big business.

> During the Fortnite Championship Series finals, a pair of pro players may have utilized denial of service attacks to disadvantage contesters [1]

[1] https://fortnitetracker.com/article/1087/ddos-scandal-from-c...

The results are very public, it's the same way IRC is often targeted. They're easy targets, thousands of users are affected and the results are immediately noticeable.

A game I work with got hit by ~10Tbps earlier this year. It's likely because someone got mad they were banned.

A satisfying theory for a lot of DDoS would be extortion or protection rackets. Pay up or we will DDoS you, or pay up or 'someone else' will DDoS you.

That's enough to explain it. But if you wanted to go more full shadowy conspiracy theory, someone arranged for a protection service that just so happens to work by giving some entity cleartext surveillance over much of the internet. Perhaps as a response to HTTPS everywhere being annoying.

I'm not suggesting that's the situation, but that it's the kind of possibility to keep in mind, intellectually, and it would be consistent with history.

> So why? Like why would someone pay to take a game down? I see this all over reddit with different games but I just don't get the point. What's the benefit of taking down an online game for a couple of hours.

Most of the time crime groups are running extortion campaigns, amplification campaigns, etc. For example, if a competitor can benefit from them being down you may be able to sell that. Eventually we will probably see the invention of crowd-funded randsomware, where everyone must submit one verification can of crypto to unlock the hacked game servers.

Extortion. You got a nice little game server there. Would be a shame if anything happened to it.

What is even more interesting why attack Azure? It's not possible to extort anything from Microsoft, so what's the rationale?

You have a Minecraft server. You generate money from it (selling VIP packages, et cetera). You could generate more money if you had more players. You can have more players if you consistently DDoS other more popular servers; the experience for these players will be horrible and they might give your server a chance.

It may be for market manipulation. It may be extortion against the owning company. It may even be to take down a rival online game for a while.

I don't expect the big publisher games like PUBG to attack each other with DDoS attacks, but casino games? Or even sleazy Minecraft servers? I can totally see it.

Uh I used to get DDoSed by “booter” services whenever I would login to one of my Skype accounts. The script kiddie scene is that petty. In the private server scene one guy would DDoS competing servers that way everyone would funnel to his own.

Its just toxic behavior.

Speculation online as to the why in this case, it's pure advertisement of their capabilities.

Most of the time its just blackmail/extortion - pay us or we do the thing.

> So why? Like why would someone pay to take a game down?

esports gambling is big business

I've always imagined somebody will get pissed-off at me one day for banning them for bad behavior, or because I said something wrong online.

Gamers, am I right?

competitors might want to drive users to move away if they think a platform is broken

Depends on How much does it cost to hire it

You are questioning the human nature.

Why, OpenWRT firmware and packages are both signed, of course. You can manually and independently check the image signature before flashing an update.

The build infrastructure is, of course, a juicy target: infect the artifact after building but before signing, and pwn millions of boxes before this is detected.

This is why bit-perfect reproducible builds are so important. OpenWRT in particular have that: https://openwrt.org/docs/guide-developer/security#reproducib...

I don't follow.

> run an army of security people

Do you think these private companies do this? They don't. They pay as little as humanly possible to cover their ass.

Botnets comprised of compromised routers is common and commercial/consumer routers are a far juicer target than openwrt.

This is exactly why OpenWRT has no unattended updates by default )

The post is nothing more than "but what about security" meant to deflect away from the discussion at hand and towards OpenWRT

As always, hundreds watch the open repositories, maybe one watches a company's build servers, if they're lucky. :-)

I recently had some issues getting one of our embeded devices connect through passive ftp. Because the exact same device worked at a different site I knew it wasn't the device or it's settings. Long story short, it turned out the problematic site hadn't been updating its routers which meant they couldn't VPN passive FTP traffic. Anyway, we have literal thousands of those routers maintained by hundreds of different companies, who are mainly there to maintain the actual mechanical equipment and not the network. Turned out the site where the technicians updated things weren't in the majority.

I'm in the process of getting the business to implement better security, and it's going better than you might expect. If it wasn't because having a plan for how to update your OT security is required to meet EU compliance, however, I doubt we would've done anything beyond making sure we could do passive FTP when it was needed.

As an example, there is still no plans to deal with the OT which we know has build in hardware backdoors from the manufactures. Wnich is around 70% of our dataloggers, but the EU has no compliance rules on that...

Digital signing wouldn't defend you from a compromised build server.

This already happens in the Netherlands, your router will be put in quarantine mode and you have to prove that the "virus" is gone

This happened to me, at the time I thought it was strange but seeing this event happen it makes a lot more sense now

The economic costs of that fall on the (residential) ISPs and they aren't really incurring very much cost in additional bandwidth from the outgoing attacks. In most cases it will be 0. It's not 'good', as it could affect quality to a certain extent for other subscribers and it's theoretically possible it could result in a slightly higher transit bill, but ultimately it's just not really a problem for them.

Setting up the infrastructure to email customers and tell them they've got an infected device is just going to cause the subscriber to: A) Call customer support and tie up an agent who can't really tell them much - you're also going to have to train all your CS agents on these letters and what they mean. B) Complain on faceybook/Churn off your network. or C) They'll ignore it

About one in a million will fix the issue themselves.

Some of these devices are controlled by the ISP. The TMobile 5G routers for example are pretty much black box devices controlled by TMobile. The home owner can't fix the device and has very limited access (via a mobile app) to 'manage' the device.

This has always been the elephant in the room. imho, US intelligence don't want this so congress won't do it. Intelligence controls or buys these botnets when they need them, so regulation here is always impossible to push, but in other countries is more common.

Hmm is there a haveibeenpwned for IP addresses found in botnets? Perhaps correlated at the time of known incidents.

I would like to know if I'm serving a rogue machine and not been paying attention.

That industry group would need to include the big cloud providers, and they also doesn't want to shut of abusive traffic.

Because then the ISPs have to provide support on how to secure those devices.

I am surprised no one has mentioned that today is Microsoft's conference keynote.

Yup, many links I have tried to access without success. Well, sucks to have such a centralized Internet.

Most of the compromised devices are routers or IoT devices, functionally no compute power to do anything interesting except spam IPs with requests.

You could easily get better performance with a pair of well-optimized high-density cabinets, much more reliable and not even that expensive to operate legitimately.

I don't doubt there will have been sporadic examples of this, but what points to this "often" being the case? It seems like a tactic that wouldn't often pay off, since DDoS mitigation rarely involves relaxing security systems

Mistakes can be made during reconfigurations but you'd have to catch those while the issue is still live. Sounds like an advanced threat actor and not the run of the mill ransomware people (not that they're necessarily unsophisticated, but why'd they bother with these odds when there's low-hanging fruit to reliably exploit)

It was interesting to read that the record breaking attack caused no glitch whatsoever in the service MS provides. Which is so slow normally that I start to wonder if that is a strategy, having headroom for these kind of situations, no-one realizes slowdown when it is already slow. ;)

This is just a crazy thought, tangential to what are happening during an attack.

The "S" in IoT stands for "security".

> There's gotta be a better way.

Until then... There's gonna be a bigger wave.

I suppose ISPs could be more restrictive about which routers they allow their customers to use, but I'm not sure I'm a fan of further lockdown in that department.

fun fact, part of the reason this botnet exists is because europe required the ability to install security updates unattended that you cannot disable and they compromised one of the servers that had the capability to push these updates compromising hundreds of thousands of routers.