Skip to main content Skip to search
Start Your Free Trial

Online Gaming Needs a Zero-Trust DDoS Defense

New Rules of the Game: Only the Trusted May Enter

DDoS attackers continue to innovate so leaving your digital front door open and waiting to react against a DDoS attack just doesn’t cut it anymore. Adrenaline-fueled gaming platform operators need to apply zero-trust principles. The concept of zero trust, which was developed by former Forrester Research analyst, John Kindervag in 2010, rests on the mind-set that organizations should not automatically trust anything inside or outside the network perimeter. Anything trying to connect to the network must be verified prior to being granted access.

To the gaming provider, this means that they must only allow players who have passed multiple checks to access the game. Then they need to continue to check the player’s behavior against denial of service characteristics. To everyone or anything else, the system is blacked out from unwanted accesses.

This is a necessary step because, for security specialists defending online gaming platforms, disgruntled gamers aren’t the only source of attacks. With the rise of professional leagues and college esports programs, the stakes are getting ever higher to keep the gaming systems available. On the attacker side, advances in the DDoS-for-hire services have democratized attacks to any motivated technology novice.

Reactive, One Step Behind the Attack

Traditional DDoS defenses are reactive. When an attack is discovered, legacy DDoS defenses jump to apply a brute force clamping filter to prevent the system from being overwhelmed. These filters, operating on aggregate destination traffic, can’t discriminate between legitimate versus an attacker’s traffic. Then the defense team scrambles to analyze packets to discover a filter that hopefully blocks the aggressive traffic swell. Humans analyzing traffic in this environment require packet analysis skills that need trial and error cycles. Furthermore, the reactive post attack analysis is inherently slow and frustrates impacted gamers.

Get Ahead of Attackers with Zero-Trust

A better approach is to take a proactive zero-trust posture with DDoS defenses. Zero-trust requires operators to assume the internet is hostile. Defenses test every access with multiple checks on a continuous basis for legitimate access rights before passing the perimeter. Even after the player is given access, checks continue to prevent authenticated players from going rogue. For gaming operators, there’s an additional requirement: ensuring that validation measures aren’t impacting user experience and are taking place in real-time.

Zero-trust Networks

  • The network is always assumed to be hostile
  • External and internal threats exist on the network at all times
  • Every device user, and network flow is authenticated and authorized.
  • Policies must be dynamic and calculated from as many sources of data as possible.

Doug Barth and Evan Gilman


Effective zero-trust DDoS defense consists of a pipeline of checks that:

  • Verify the IP address is not an identified DDoS agent
  • Inspect packets for authenticated IP addresses
  • Validate that a gamer’s traffic fits acceptable behavioral limits
  • Ensure all of the player packets carry a valid secret token
  • Check that the player’s traffic does not exhibit the distributed patterns of a DDoS attack

The Five Ways of Zero-Trust DDoS Defense

symbol legend

The workhorse of the zero-trust DDoS defense is a packet-based mitigation solution, like the A10 Networks’ Thunder® Threat Protection System (TPS). The mitigation solution sits between the edge router and the firewall and separates the good traffic from the malicious traffic by applying zero-trust principles. The Thunder TPS is connected via an API to the A10 aGalaxy® TPS, which is a management system for the organization’s DDoS defenses.

Block Toxic IP Address with DDoS Weapons Intelligence at Internet Scale

Unlike traditional security where defenders search through haystacks of noise to find hidden signals from an individual intruder, DDoS is loud and sourced from a large number of distributed attack agents. DDoS threat researchers inventory the IP address of malware-infected DDoS botnets and exposed reflected amplification servers that are regularly used as DDoS agents.

curated inventory of DDoS weapons

The curated inventory of DDoS weapons is then continuously fed to the DDoS defense platform to create a blacklist to block toxic IPs proactively at network edge. Today, A10 Networks is tracking over 20 million weaponized DDoS agents. For weapons blacklisting to be effective, the defense system must have a sizeable class-list table to support millions or entries.

Here’s how it works:

tracking weaponized DDoS agents


Block Unauthenticated Accesses

Any player sending traffic to the gaming platform must first register with the authentication server. The perimeter defense then checks every UDP packet’s source IP address against a continuously refreshed local copy of authentication server database. This ensures that only active registered players have access to the platform. As in the case of weapons blacklisting, the challenge comes in performing the authentication check on every packet in real-time at a scale of millions of valid gamers’ IP addresses entering and exiting the platform.

Here’s how it works:

Block Unauthenticated Accesses


Block Unwanted and Unusual Behavior

From an operator’s perspective, there are elements of player behavior that are understood. After all, they are playing the game on a singular purpose-built platform. It is not like a player can start an FTP transfer right in the middle of a battle. The control of the platform allows the operator to create rules of acceptable behavior. These rules are traffic pattern models similar to defining an aperture of acceptable behavior at Layer 3 and 4 of the network stack. Any deviation from the profile is rate-limited or blocked.

Player Traffic Limit Controls

How it works:

Block Unwanted and Unusual Behavior


Verify Time-Sensitive Watermarks on Every Packet

Secrets are another effective way of distinguishing legitimate users from attacking agents. Watermarking packets is a method of appending a time-sensitive secret token to the payload of a gamer’s traffic. The player’s machine, the authentication server, and the DDoS defense solution are the only ones who know this secret. The DDoS defense solution will inspect every packet entering the gaming platform for a valid token and block any access that includes an expired token or those without a token. For example, time-sensitive watermarking is an effective way to stop disgruntled, yet authenticated players from spraying recorded PCAPs with expired tokens to cause a DoS event that disqualifies the session.

Here’s how it works:

Verify Time-Sensitive Watermarks on Every PacketVerify Time-Sensitive Watermarks on Every Packet


Defense-in-Depth, Zero-day Attack Pattern Recognition

Unfortunately for defenders, the well-funded attacker ecosystem continues to innovate. Gaming operators must take a defense-in-depth approach with mitigation pipelines that include machine learning capabilities that recognize DDoS patterns so they can cover zero-day attacks dynamically. Patterns are an effective way to identify DDoS traffic because the first “D” in DDoS is distributed. An attacker’s command and control gives coordinated attack vector instructions to pools of bots or internet exposed reflected amplifier (e.g. DNS, NTP, SSDP, etc.). A machine learning algorithm can analyze ingress traffic and quickly develop attack pattern filters that scrub the traffic clean.

Here’s how it works:

Defense-in-Depth, Zero-day Attack Pattern Recognition


Online gaming is an environment of big wins and potentially mega losses for platform operators. Gamers are fickle; one bad experience can send them off to the next shiny title. Gaming platform operators can now enhance their defenses with zero-trust principles that protect their player’s experience and ensure DDoS resilience.

To learn more about Zero-trust DDoS defense visit and follow these links:

Acronym Glossary

  • BPS – Bits per Second
  • CPS – Connections per Second
  • DDoS – Distributed Denial of Service
  • DNS – Domain Name System
  • DoS – Denial of Service
  • FTP – File Transfer Protocol
  • GET – HTTP method
  • NTP – Network Time Protocol
  • PCAP – Packet Capture
  • POST – HTTP method
  • PPS – Packets per Second
  • RPS – Requests per Second
  • SSDP – Simple Service Discovery Protocol
  • SSL – Secure Sockets Layer
  • UDP – User Datagram Protocol
  • URI – Uniform Resource Identifier