Hackers take down League of Legends, EA, and Blizzard temporarily

  • Hackers take down League of Legends, EA, and Blizzard temporarily

    By Justin Haywald

    By "hackers" we mean "people who can instigate a DDoS attack."



    A hacker group going by the name DERP has taken responsibility for DDoS attacks earlier today against League of Legends, EA.com, Battle.net, and other gaming sites. The downtime for each site seemed to last no more than 10-15 minutes, but the real target of the attacks, according to a post on Reddit, was a Twitch streamer going by the alias Phantom Lord.

    Reddit summarizes the situation as: "A group called DERP is apparently DDoSing League of Legends NA/EU/OCE servers. They also took down Dota 2, Club Penguin, Battle.net, EA.com. They are taking down whatever game Phantoml0rd is playing (or perhaps, trying to play rolf). Most recent event is Phantoml0rd playing on OCE with stream fans and they took it down. On behalf of the League of Legends situation, it seems like they are directly attacking Internap network, Riot's service provider."

    According to his Twitch channel, PhantomLord is a "professional streamer" with over 350,000 followers. PhantomLord's stream is currently down, but according to his Facebook and Twitch chat, police were called to his home in response to a "hostage situation." PhantomLord wrote, "Just had an automatic pointed at me, put in hand cuffs, and sat in the back of a cop car as I watched as 6 policemen go through my whole house." He later posted that the situation had stabilized: "I'm good guys. More updates soon, promise."

    The previously affected sites are all currently online and functioning normally, but we'll update this story with new details as they develop.
    The Hackmaster

  • #2
    PhantomL0rd talks about his ordeal

    By Dean Takahashi

    Game streamer shares his ordeal of hacker attacks and a terrifying police raid

    A gamer who goes by the handle PhantomL0rd explained his full ordeal of the last 24 hours (as of publication time) as hackers attacked his livestream on Twitch and police raided his home in response to an apparent prank call.

    James “PhantomL0rd” Varga said in his video explanation that he hadn’t slept in 24 hours. For some reason, PhantomL0rd became the target of a hacker or hacker group that went by the name DERP. They targeted him, apparently for “lulz,” or laughs, inside his games and then made prank calls to the police, sending them out multiple times to his home. Now PhantomL0rd has made a lengthy video recording explaining what happened.

    He woke up around 8:30 p.m. on Sunday morning, Dec. 29. He watched a fellow player on Twitch, a video service that players can use to livestream video of their game sessions to an internet audience. He streamed his own game sessions and found that his game session was getting interrupted. A hacker named DERP claimed credit for this. PhantomL0rd was trying to stream a session of Quake Live, and it wouldn’t work.

    “He was saying [on the Twitch chat] that he was doing these things,” PhantomL0rd said.

    PhantomL0rd gives a lengthy explanation of what happened.

    PhantomL0rd said he tried other games and was drawn back to the Twitter messages of this one person who was making claims on the social-messaging service.

    “Every game I was playing, it was done,” PhantomL0rd said. “I couldn’t play. Dota 2 got taken down. … So I was thinking this guy could be doing it.”

    Other players were noticing and saying that the tweets were fake and that the hacker wasn’t doing it. Then another game, Oceanic, went down, and PhantomL0rd decided the trolling by DERP must have been real, taking down multiple servers, including games hosting League of Legends, Club Penguin, and others. A Reddit post went up, and PhantomL0rd started getting a big audience.

    He was nearing his peak audience of 140,000 concurrent users watching his stream. PhantomL0rd said he didn’t stop because he streams for a living and he didn’t want to stop his job when it was at its peak.

    Before he became a live-streamer, PhantomL0rd said he didn’t have $1,000 in his bank account. When viewers on Twitch started giving him donations, he cried out of joy. So he wasn’t going to quit, and he wanted to find out why it was happening and when the games would come back.

    He also felt like he was a reporter working on a big story. In no way did he feel like he was fanning the flames with the hackers by staying online.

    “I felt like I was being held hostage,” he said. “Every game I tried to play was taken down.”

    Then the hacker showed PhantomL0rd’s real name and wrote, “The police may be coming.”

    PhantomL0rd has been hacked.

    It’s common for hackers to make prank calls to the police.

    PhantomL0rd went outside and saw a pizza delivery guy, who was acting strange and pointing at him. PhantomL0rd said he walked down a hill and then spied three police cars and about seven police officers. He saw one police officer, leaning against a tree, who was pointing an automatic gun straight at him.

    “You could clearly see how intense this gun is,” he said. “I wasn’t scared. I knew what was going on. I was aware of the full situation. I was ready to explain all of this.”

    But the police officer told him to turn around and walk backwards with his hands behind his head. More police officers were coming. The officer put handcuffs on him. Now there were about 15 police officers, including the police chief. PhantomL0rd tried to explain his streaming and the hacker attack to a big “white guy” police officer. The officer put him in the car.

    “He didn’t give a fuck what I was saying,” PhantomL0rd said.

    Then they opened the door later and let him out.

    “I later found out that the threat was something like a hostage situation, that I was holding five people hostage,” he added. “That’s why they were that serious. I realized in the car that I have respect for the police. I’m a pussy. If shit would happen like that, no fucking way. Those people can do that. I just talk about dicks on the Internet. A huge respect came out in that car.”

    Most of the officers left. At that point, PhantomL0rd took screenshots and video of the officers so he could prove he wasn’t lying. He showed the phone video on his live stream.

    During the video explanation, PhantomL0rd had to interrupt his talk to deal with the sixth prank delivery that hackers ordered for him from Domino’s Pizza.

    “I feel sorry for them,” he said of the pizza delivery guy. “They’re hustling. Doing what I did.”

    PhantomL0rd said he was very scared by the whole ordeal. If this hacker could take down the servers of billion-dollar game companies, the conclusion was terrifying.

    “What can he do to me?” PhantomL0rd said. “He can destroy me. Honestly, if anyone decides they want to get you, they can. My information is out there. He released everything on the Internet. How easy was that?”

    Twitch said in a statement that the incident was isolated and there was no breach of its own security. Riot Games said in a tweet that it was a target of distributed denial of service attacks on Monday and that it was investigating.

    He apologized to the companies whose servers were affected and the gamers who were offline. He said it wasn’t his intention to stir up anything. He also warned that his attackers said, “This was a test. I have no idea what the finale will be.”

    Here’s the video explanation.





    PhantomL0rd explains what happened to him on Twitch.
    The Hackmaster



    • #3
      DoS attacks that took down big game sites abused Web’s time-synch protocol
      The Hackmaster



      • #4
        DoS attacks taking down game sites deliver crippling 100 Gbps

        Last edited by dlevere; 01-14-2014, 04:35:34 AM. Reason: Duplicate Post
        The Hackmaster



        • #5
          DoS attacks taking down game sites deliver crippling 100 Gbps

          Campaigns cost celebrity players dearly by disrupting lucrative video streams.

          By Dan Goodin

          Recent denial-of-service attacks taking down League of Legends and other popular gaming services are doing more than just wielding a rarely-seen technique to vastly amplify the amount of junk traffic directed at targets. In at least some cases, their devastating effects can deprive celebrity game players of huge amounts of money.

          As Ars reported last week, the attacks are abusing the Internet's Network Time Protocol (NTP), which is used to synchronize computers to within a few milliseconds of Coordinated Universal Time. A command of just 234 bytes is enough to cause some NTP servers to return a list of up to 600 machines that have previously used its time-syncing service. The dynamic creates an ideal condition for DoS attacks. Attackers send a modest-sized request to NTP servers and manipulate the commands to make them appear as if they came from one of the targeted gaming services. The NTP servers, which may be located in dozens or even hundreds of locations all over the world, in turn send the targets responses that could be tens or hundreds of times bigger than the spoofed request. The technique floods gaming servers with as much as 100Gbps, all but guaranteeing that they'll be taken down unless operators take specific precautions ahead of time.

          Among the recent targets of this type of attack are game servers used by celebrity players who broadcast live video streams of their gaming prowess that are viewed as many as 50,000 times. In some cases, the massive audiences translate into tens of thousands of dollars per month, as ads are displayed beside video feeds of the players blowing away opponents in Dota 2 and other games.

          "These people generate revenue using game servers, so when they're attacked it creates dramatic financial loss for them," said Matt Mahvi, CEO and founder of Staminus, a service that blocks more than 100,000 DoS attacks each month. "I can see that our customers were streaming [and] their game servers were being attacked. I'm seeing these massive, massive attacks that come in against our customers."

          Mahvi said that over the past month or so the vast majority of DoS campaigns reaching 40Gbps and above have relied on NTP abuse. In the past, such "volumetric" attacks—meaning those that rely on massive volumes of data to overwhelm their targets—were mostly made possible through so-called DNS amplification techniques. This much older and better-known method allows attackers to magnify attacks by a factor of about eight. It works by sending IP lookup requests with spoofed source addresses to open domain name system servers, which in turn bombard targets with lengthy replies. Late last year, the NTP technique came into vogue, possibly as many DoS victims learned how to better defend against the DNS attacks.

          A graph showing a 90-Gbps attack on one Staminus customer. Staminus CEO Matt Mahvi said some attacks approach or exceed 100 Gbps. Staminus

          "What we have is a situation where the very large volumetric attacks have a high tendency of being NTP-based floods right now," Mahvi said. "The second aspect to this is that whoever is doing this or has access to these floods seems to also have access to very, very large TCP based attacks as well. So what we're seeing is a flip between volumetric and high-packet per second attacks."

          The result is a one-two punch. With floods approaching 100 Gbps, they're among the bigger DoS attacks menacing the Internet (certainly bigger than the 65Gbps campaigns reported in late 2012 by Cloudflare, but smaller than the 300 Gbps attacks that some ISPs experienced in the past year). In addition to the massive bandwidth, the attacks direct a crippling number of data packets at the targets. The torrents of syn-ack packets based on the transmission control protocol can bombard a server with an astounding 80 million packets per second. For context, Mahvi said, the Apache Web server will generally crash once it receives 500 packets per second, while the HTTP server Nginx will die at about 5,000 packets per second.

          The combination of NTP attacks and TCP packets has been directed at a variety of Staminus customers in recent weeks, including several popular top Minecraft servers and Minecraft celebrity streamers, whom Mahvi declined to identify by name. The player frequently streams his online playing in channels that attract huge numbers of viewers. Attacks that disrupt the player appear similar to those that recently targeted PhantomL0rd, a popular League of Legends player who regularly broadcasts his gameplay over Twitch TV.

          The amount of amplification available through NTP-based attacks depends on several variables, including the specific server that's being abused and the command an attacker chooses. John Graham-Cumming, a researcher at DoS protection service Cloudflare, said typical attacks amplify a 234-byte request sent by an attacker into a response split across 10 packets that totals 4,460 bytes.

          "That's an amplification factor of 19x, and because the response is sent in many packets, an attack using this would consume a large amount of bandwidth and have a high packet rate," Graham-Cumming wrote late last week. NTP Servers that are particularly popular could potentially do much more damage. Using the MON_GETLIST command to cause it to send the addresses of the past 600 computers that have interacted with the server, the amplification factor could reach about 206.

          The Cloudflare blog post and a separate one from Staminus both strongly advise server operators to upgrade to NTP version 4.2.7p26 or later. Those versions have been patched against a weakness involving the MON_GETLIST command that's ripe for abuse. NTP server operators should also see this resource from Team Cymru.
          The Hackmaster
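
A defender's view of the NTP reflection described in post #5, as an added example that is not part of the reposted articles: it classifies UDP payloads arriving from port 123 as monlist responses, tallies them per reflector, and checks an ntpd version string against the 4.2.7p26 fix the article cites. The mode 7 header layout and request codes 20 and 42 are taken from ntpd's private-mode protocol as an assumption; all function names and the sample capture are constructed for illustration.

```python
import re
import struct

MODE_PRIVATE = 7            # NTP mode 7: ntpdc-style "private" queries
MONLIST_CODES = {20, 42}    # assumed: REQ_MON_GETLIST, REQ_MON_GETLIST_1
PATCHED = (4, 2, 7, 26)     # 4.2.7p26, the release the article says to upgrade to

def parse_mode7(payload):
    """Return the mode 7 header fields, or None if this is not a mode 7 packet."""
    if len(payload) < 8:
        return None
    b0, _seq, _impl, code, err_n, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        return None
    return {"response": bool(b0 & 0x80), "more": bool(b0 & 0x40), "code": code,
            "items": err_n & 0x0FFF, "item_size": mbz_size & 0x0FFF}

def is_monlist_response(payload):
    """True for a response-flagged mode 7 packet carrying a monlist reply."""
    hdr = parse_mode7(payload)
    return bool(hdr and hdr["response"] and hdr["code"] in MONLIST_CODES)

def summarize(capture):
    """capture: iterable of (source_ip, udp_payload) received from UDP port 123."""
    reflectors, packets, size = set(), 0, 0
    for src, payload in capture:
        if is_monlist_response(payload):
            reflectors.add(src)
            packets += 1
            size += len(payload)
    return {"reflectors": len(reflectors), "packets": packets, "bytes": size}

def amplification(request_bytes, response_bytes):
    """Bandwidth amplification factor: bytes delivered per byte sent."""
    return response_bytes / request_bytes

def parse_version(text):
    """Turn '4.2.7p26' into (4, 2, 7, 26); a missing patch level counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised ntpd version: %r" % text)
    return tuple(int(g or 0) for g in m.groups())

def is_patched(version):
    return parse_version(version) >= PATCHED

def _sample_response(items, more):
    # Constructed packet: response bit, version 2, mode 7, code 42, 72-byte items
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    return struct.pack("!BBBBHH", b0, 0, 3, 42, items, 72) + bytes(items * 72)

# Constructed capture using documentation address ranges (not real traffic)
SAMPLE_CAPTURE = [
    ("192.0.2.10", _sample_response(6, True)),
    ("192.0.2.10", _sample_response(6, False)),
    ("198.51.100.7", _sample_response(6, False)),
    ("203.0.113.5", bytes([0x24]) + bytes(47)),   # ordinary mode 4 time reply
]

if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE))
    print(round(amplification(234, 4460)), is_patched("4.2.6p5"))
```

A host that sent no mode 7 queries should see zero monlist responses, so any non-zero tally from `summarize` points at reflected traffic.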
