
This year a popular gift for many was a next-generation gaming console. The two most popular consoles are Microsoft’s Xbox One and Sony’s PlayStation 4. Both consoles feature increased hardware specs with better graphics and other features, along with a number of new games. However, one key feature of both consoles is the network the devices connect to in order to power online game play and other features.

On Christmas Eve both Xbox Live and the PlayStation Network were targeted in a DDoS attack, apparently by a group called LizardSquad. The attack brought both networks down for more than 24 hours. The Microsoft network was back up in the afternoon on Christmas Day; however, the Sony PlayStation network has yet to recover three days after the attack, frustrating many who recently purchased the consoles.

Will Continued PS4 Network Outage Impact Sales?

In the highly competitive console wars, network outages can have a significant impact on buyer sentiment, particularly after Christmas as many people try to log into the network for the first time. Many new PlayStation 4 owners are frustrated and took to Twitter to complain, many even saying they plan to return their PS4 for an Xbox One. DDoS attacks are usually an inconvenience, but in the world of gaming, network resiliency can have a significant impact on how consumers view the product as a whole and on their buying decisions. It will be interesting to see how the outage actually affects the number of returns and overall sales of the consoles in the coming months.

LizardSquad May Be Using Google Cloud Free Trial for Attack 

One security researcher investigating the LizardSquad attacks noticed some interesting things about the group's IRC channel that may indicate it is using free trials of Google Cloud services for its attack. The findings were posted on Pastebin:

After joining LizardSquad's IRC network (hosted by OVH) I noticed a flaw.
Even though there were 290 users in their channel, there were 4200 users on the network.
This prompted me to do a /who * (which would show users without usermode +i enabled)

I was promptly flooded off their IRC network with lines of text such as this.

[04:26:35] •›› Who: [*] HZWJJF H DGRDYMOM@221.212.155.104.bc.googleusercontent.com KSUUZF
[04:26:35] •›› Who: [*] JWJMVO H FMTIU@13.214.155.104.bc.googleusercontent.com UMKQTRQ
[04:26:35] •›› Who: [*] VQJAUBTT H XRHF@33.218.155.104.bc.googleusercontent.com ZKYJ
[04:26:35] •›› Who: [*] SSTHW H NKRCJBM@127.210.155.104.bc.googleusercontent.com LYIBCZ
[04:26:35] •›› Who: [*] LXIZQPLJ H WHXLFA@254.212.155.104.bc.googleusercontent.com QCPCE

With this being said and my extensive research into botnet culture, I am able to identify several characteristics that lead me to believe said machines are infected with a Linux bot known as Kaiten (detectable as Trojan.Tsunami.B in ClamAV).

The post continues with a listing of the more than 2,500 IPs believed to be part of the attack and infected with Kaiten.
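
The hostnames in the quoted /who output can be turned back into addresses and grouped by network, which is the step that points at a single cloud provider. The Python below is an added example, not code from the Pastebin post or from this article; it assumes the `bc.googleusercontent.com` names carry the IPv4 octets in reverse order, and the function names `gce_host_to_ip` and `summarize` are hypothetical.

```python
import re
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

# The five /who reply lines quoted in the post, embedded as sample input.
WHO_LINES = """\
[04:26:35] •›› Who: [*] HZWJJF H DGRDYMOM@221.212.155.104.bc.googleusercontent.com KSUUZF
[04:26:35] •›› Who: [*] JWJMVO H FMTIU@13.214.155.104.bc.googleusercontent.com UMKQTRQ
[04:26:35] •›› Who: [*] VQJAUBTT H XRHF@33.218.155.104.bc.googleusercontent.com ZKYJ
[04:26:35] •›› Who: [*] SSTHW H NKRCJBM@127.210.155.104.bc.googleusercontent.com LYIBCZ
[04:26:35] •›› Who: [*] LXIZQPLJ H WHXLFA@254.212.155.104.bc.googleusercontent.com QCPCE
""".splitlines()

# Field layout as printed by the client above: nick, flags, ident@host, realname.
WHO_RE = re.compile(r"Who: \[\*\] (?P<nick>\S+) \S+ (?P<ident>[^@\s]+)@(?P<host>\S+)")
# Assumption: these PTR names carry the IPv4 octets in reverse order.
GCE_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.bc\.googleusercontent\.com$", re.I)


def gce_host_to_ip(host):
    """Return the IPv4Address encoded in a Google cloud PTR name, else None."""
    m = GCE_RE.match(host)
    if not m:
        return None
    try:
        return IPv4Address(".".join(reversed(m.groups())))
    except ValueError:  # an octet above 255: not a real address
        return None


def summarize(lines, prefix_len=16):
    """Split hosts into decoded Google IPs and others; count IPs per prefix."""
    gce_ips, other_hosts = set(), set()
    for line in lines:
        m = WHO_RE.search(line)
        if not m:
            continue  # not a /who reply line
        ip = gce_host_to_ip(m["host"])
        if ip is not None:
            gce_ips.add(ip)
        else:
            other_hosts.add(m["host"].lower())
    per_net = Counter(str(IPv4Network(f"{ip}/{prefix_len}", strict=False)) for ip in gce_ips)
    return sorted(gce_ips), dict(per_net), sorted(other_hosts)


if __name__ == "__main__":
    ips, per_net, others = summarize(WHO_LINES)
    print(per_net, [str(ip) for ip in ips], others)
```

Run over a full /who capture, the per-prefix counts show how concentrated the clients are in one provider's address space, and the decoded address list is the form an abuse report to that provider needs.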