2018 H1 Gaming Industry DDoS Attack Landscape and Mitigation Recommendations
In the first half of 2018, the gaming industry faced a dramatic rise in DDoS attacks—accounting for nearly 40% of incidents and reaching a 1.23 Tbps peak on Tencent Cloud—driven largely by UDP‑based and MEMCACHED reflection floods, prompting comprehensive mitigation strategies such as BGP high‑defense, traffic filtering, and industry‑specific protections.
The 2018 global gaming market report indicated that there were 2.3 billion gamers worldwide, spending $137.9 billion on games. China alone accounted for $37.9 billion, over 25% of global revenue, making it the largest market in both revenue and player count.
With the rapid growth of the gaming business, DDoS attacks targeting the industry have surged. In 2018, MEMCACHED reflection attacks were widely used, pushing global DDoS peaks to 1.7 Tbps, and Tencent Cloud also experienced Tbps‑level attacks.
This "2018 H1 Gaming Industry DDoS Situation Report" leverages Tencent Cloud’s Zeus Shield protection data to analyze attack volume, peak traffic, regional distribution, attack sources, methods, and typical cases.
Overall Attack Landscape
Global DDoS peak traffic reached 1.7 Tbps in 2018, a 112% YoY increase. Attack counts slightly decreased (‑10% YoY), while peak traffic on Tencent Cloud rose to 1.23 Tbps, a 134% YoY increase.
Attacks exceeding 100 Gbps occurred over 1,000 times in H1, about one‑quarter of the previous year’s volume. Most high‑traffic attacks (72%) fell in the 100‑200 Gbps range.
Industry Distribution
The gaming sector suffered the highest share of DDoS attacks, accounting for nearly 40% of all incidents. Other notable targets include network services (4%) and corporate portals (2%).
Regional Distribution
Attacked enterprises are concentrated in economically developed coastal provinces (e.g., Jiangsu, Zhejiang, Guangdong) and also in provinces such as Shandong, Sichuan, Shaanxi, Henan, Hubei, and Hunan. At the city level, 78% of attacks target first‑tier and new‑first‑tier cities.
Black‑Market Attack Sources
Three main types of DDoS criminal groups were identified:
Advanced multinational groups with strong technical capabilities, targeting major gaming sites for commissions.
Web‑based ("page‑side") attack platforms that purchase foreign botnets and host attack services, often behind Cloudflare.
Independent attackers with limited resources, operating on a freelance basis.
In H1 2018, over 15 million attack sources were recorded, 59% domestic (mainly in the Bohai Rim, Jiangsu‑Zhejiang, and Guangdong) and 41% foreign (primarily the United States, Russia, and Argentina).
Attack Methods
UDP‑FLOOD and SYN‑FLOOD remain the dominant techniques, with UDP reflection attacks accounting for ~60% of all methods due to high amplification and anonymity.
Newly observed methods include:
MEMCACHED reflection (up to 50,000× amplification), rising from <1% to 31% of attacks within six months.
IPMI‑based UDP reflection (1.1× amplification), mainly sourced from North America and Europe.
TCP‑based reflection attacks that spoof victim IPs, causing massive SYN‑ACK floods and CPU overload.
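As an added illustration (not part of the original report), the sketch below shows how a defender could triage inbound flow records for the three reflection types listed above. The flow tuple layout, the sample records and the function names are assumptions made for this example; the UDP source ports (11211 for memcached, 623 for IPMI) are the services' standard ports rather than values taken from the report.

```python
from collections import defaultdict

# Standard UDP source ports of the reflectors named in the report (assumed heuristic).
REFLECTOR_PORTS = {11211: "memcached", 623: "ipmi"}

# Constructed flow records using documentation address ranges, not real traffic:
# (proto, src_ip, src_port, dst_ip, dst_port, bytes, tcp_flags)
SAMPLE_FLOWS = [
    ("udp", "198.51.100.7", 11211, "203.0.113.10", 40211, 1_400_000, ""),
    ("udp", "198.51.100.8", 11211, "203.0.113.10", 51877, 1_350_000, ""),
    ("udp", "198.51.100.9", 623, "203.0.113.10", 33012, 90_000, ""),
    ("tcp", "192.0.2.44", 443, "203.0.113.10", 6001, 60, "SA"),
    ("tcp", "192.0.2.45", 80, "203.0.113.10", 6002, 60, "SA"),
    ("tcp", "203.0.113.10", 52000, "192.0.2.99", 443, 60, "S"),
    ("tcp", "192.0.2.99", 443, "203.0.113.10", 52000, 60, "SA"),
    ("udp", "192.0.2.200", 50123, "203.0.113.10", 7777, 300, ""),
]

def classify(flows):
    """Label each flow with a suspected reflection type, or 'other'."""
    # Connections a host opened itself; a SYN-ACK answering one of these is legitimate.
    opened = {(s, sp, d, dp) for p, s, sp, d, dp, _, f in flows if p == "tcp" and f == "S"}
    labels = []
    for proto, src, sport, dst, dport, _nbytes, flags in flows:
        if proto == "udp" and sport in REFLECTOR_PORTS:
            label = REFLECTOR_PORTS[sport] + "_reflection"
        elif proto == "tcp" and flags == "SA" and (dst, dport, src, sport) not in opened:
            # Unsolicited SYN-ACK: the destination never sent the matching SYN.
            label = "tcp_synack_reflection"
        else:
            label = "other"
        labels.append(label)
    return labels

def summarize(flows):
    """Total bytes per (destination, label), to see which method dominates per target."""
    totals = defaultdict(int)
    for flow, label in zip(flows, classify(flows)):
        totals[(flow[3], label)] += flow[5]
    return dict(totals)

if __name__ == "__main__":
    for key, total in sorted(summarize(SAMPLE_FLOWS).items()):
        print(key, total)
```

Source-port matching is a coarse first-pass signal; the unsolicited SYN-ACK check only works where outbound SYNs from the protected host are visible in the same flow data.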
Gaming Industry Impact
Key metrics for gaming DDoS attacks in H1 2018:
Attack share: 39% (highest among all industries).
Peak traffic: 1.23 Tbps.
Average peak: 9.4 Gbps.
Average duration: 1,759 seconds; longest: 766,744 seconds.
Average cost per attack: ¥300 (high‑defense users ¥500, poker games ¥5,000‑10,000 per day).
Sub‑sector distribution: mobile games (32%), web games (15%), and poker games (9%) bear the most attacks.
Attack timing analysis shows that 58% of incidents last less than 5 minutes, while 5% exceed 12 hours. Attackers are active year‑round, with spikes during holidays (e.g., New Year) and peak activity between 21:00‑23:00 daily.
Case Studies
1. “Room‑bombing” by a cheating group: Used third‑party traffic‑testing services and UDP reflection to force disconnections and improve game rankings. Defense employed watermarking and dynamic protection, achieving 100% mitigation.
2. Tencent Cloud’s defense against a 1.23 Tbps attack: Coordinated response with the client’s ops team, deployed Tbps‑level high‑defense nodes, and successfully mitigated the largest domestic DDoS attack recorded.
3. First IPv6‑targeted DDoS attack: Detected 1,900 IPv6 addresses attacking a DNS server, prompting deployment of dual‑stack protection.
Mitigation Recommendations
Benchmark customers: Deploy BGP high‑defense IP + three‑network high‑defense IP, use shared protection packages, subscribe to threat intelligence, and engage expert services for high‑level threats.
Growth‑stage customers: Similar BGP high‑defense deployment, purchase large‑capacity three‑network protection during massive attacks, and block traffic from overseas or non‑target provinces.
Traditional PC‑game customers: Use shared high‑defense packages, integrate with industry‑specific solutions, and consider watermarking for new releases.
Mobile game customers: Enable elastic BGP high‑defense for core services, adopt industry solutions with CDN and acceleration, and consider overseas high‑defense.
For more details on Tencent Cloud’s next‑generation high‑defense products, visit: https://cloud.tencent.com/product/aegis
Tencent Cloud Developer
Official Tencent Cloud community account that brings together developers, shares practical tech insights, and fosters an influential tech exchange community.