For those currently working on metaverse creation, we strongly recommend that you address the issues of protection against DDoS attacks and resilience to DDoS impacts in advance.
Otherwise, there is a high probability that one day these metaverses will literally collapse in front of many thousands or even millions of their users.
Metaverses – At The Dawn Of Evolution
At the end of 2021, the IT industry was busy talking about the upcoming creation of metaverses. Although the wave of reports died down rather quickly, it is safe to assume that work in this direction will continue.
It may surprise you, but the term “metaverse” is anything but new. According to its inventor, the science fiction writer Neal Town Stephenson, who introduced the term in the 1992 novel “Snow Crash”, the metaverse is a kind of fusion of the physical and digital worlds, where “the past lives and the nonexistent lives”, where reality is combined with augmented and virtual reality, and where, according to Stephenson, people will live and work: grow up, study, make acquaintances and friends, raise children, work, spend their free time, and so on.
Current digital environments fall far short of the metaverse as originally conceived, to say the least, and the devices for immersion in augmented and virtual reality leave much to be desired: some are too imperfect, others too expensive. But there is no doubt that one day they will be as high-end, affordable and mass-produced as smartphones are today.
By then, the metaverses themselves will have evolved and gone far beyond social networks, blogs, game websites, and other digital spaces popular today. Perhaps the World Wide Web itself awaits a similar evolution: in its more than 30 years of existence, it has integrated itself very organically into our lives.
Cyber And DDoS Risks In The Metaverse
Be that as it may, the metaverses are already taking shape, so some conclusions and assumptions can already be made about these kinds of digital environments.
And perhaps most importantly, the more people immerse themselves in metaverses, the more their daily activities depend on them, and the more critical cyber risks become for both the metaverses themselves and their inhabitants.
You do not have to go far to find examples: it is enough to recall the general confusion of users when the largest social networks were inaccessible due to internal disruptions. Someone could not see messages or chat with friends, someone had a business meeting scheduled in cyberspace, someone had to suspend participation in a joint project, and someone was forced to calculate lost profits…
The causes of metaverse platform outages can be internal glitches and bugs as well as external influences, including DDoS attacks. The following scenario is also possible: attackers incorporate numerous Internet-of-Things devices connected to metaverses into their botnets and use them to launch DDoS attacks against those metaverses themselves or against other cyberspaces, websites, or devices. Clearly, such powerful botnets can also be used for cyberterrorism (e.g., attacks on industrial and social facilities, communication and control centers, etc.) and for hybrid wars waged simultaneously in physical and digital reality.
Example Of Online Games
Many cyber risks that will be inherent in the metaverse can be seen and analyzed using online gaming as an example. However, one small but very important correction is necessary: game users generally do not profit from their stay in the virtual game space and do not earn money from it. For the vast majority of players, these games are a popular playground for leisure, in which they are willing to invest a lot of time and money. Users of metaverses, by contrast, will not only have fun but will work and practically live in the digital world, and they will certainly be annoyed if access to their virtual living and working space is suddenly interrupted or its quality sharply decreases.
It is significant that the gaming industry has traditionally been among the industries most targeted by DDoS attacks. As a result, it has accumulated both a rich body of knowledge about protection against such attacks and bitter experience of the consequences of inadequate security of gaming sites.
Experts in the field of information security agree that resistance to cyberattacks and other malicious influences should be built in at the design stage of future software systems and services. Otherwise, there is a high probability that the resulting information system will contain many gaps and vulnerabilities, which will cost a lot of time, effort and money to eliminate. Conversely, an information system that has been competently designed with the participation of highly qualified information security specialists is much less vulnerable and more resistant to cyber risks, and is therefore much easier and cheaper to protect.
All of this applies to online games and metaverses: their operators should definitely take care of ensuring security and resilience against cyber risks, including those related to DDoS attacks. And the sooner, the better, so that you do not wake up one gloomy morning to find that a DDoS attack has snuck up on you unnoticed.
We use the term protectability for the ability of an Internet resource to be protected effectively from DDoS attacks with minimal investment of money, time, and effort. For metaverses, protectability will be critical because in large digital spaces economies of scale are very noticeable. But for operators of today's gaming sites and social media, the trade-off between benefits and costs also matters, so protectability must be given due attention.
In our experience, there are four main factors that influence a resource's protectability:
- What, and to what extent, an attacker can find out about the Internet resource. Ideally, the attacker should know nothing about the resource and should not be able to obtain any information about it.
- What, and to what extent, the DDoS protection provider knows about the resource. Here the situation is reversed: the better the provider understands what works in the resource and how, the more effectively it can protect that resource.
- What options the protection provider has to filter attacks. To block illegitimate requests to a resource, the provider must know exactly what legitimate requests look like. The most difficult situation for a provider is when there is no way to distinguish legitimate from illegitimate traffic based on formal characteristics. Thus, the customer's task is to create in advance the means to make such a distinction and to inform the provider about it before activating DDoS protection.
- Whether the resource is able to withstand at least weak attacks. The stability of a resource may be compromised as long as some of its components remain without DDoS protection. In addition, the resource must have a sufficient safety margin to withstand a weak DDoS attack. This is important because, for various reasons, it is not always possible to filter out 100% of the illegitimate traffic, and some of it reaches the resource.
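One way for the operator to create such a formal characteristic in advance, as an added example that is not part of the original article: each game or metaverse client signs its requests with a per-session key, and the filter in front of the resource checks signature and timestamp without needing to understand the application itself. The key issuance at login, the header names and the 60-second freshness window are assumptions.

```python
import hashlib
import hmac
from collections import Counter
# Added example, not from the original article: clients sign the formal fields of each
# request with a per-session key (assumed to be issued by the operator at login), so the
# DDoS filter can drop flood traffic by signature and freshness alone, knowing nothing
# about the game logic. Header names and the freshness window are assumptions.
WINDOW_SECONDS = 60      # signatures older than this are treated as replays

def sign_request(method, path, body, session_id, session_key, ts):
    # Client side: HMAC-SHA256 over method, path, timestamp, session id and body.
    msg = f"{method}\n{path}\n{ts}\n{session_id}\n".encode() + body
    return hmac.new(session_key, msg, hashlib.sha256).hexdigest()

def verify_request(req, session_keys, now):
    # Filter side: return None if the request is legitimate, else a short drop reason.
    h = req.get("headers", {})
    sid, ts, sig = h.get("X-Session", ""), h.get("X-Ts", ""), h.get("X-Sig", "")
    if sid not in session_keys:
        return "unknown-session"
    if not ts.isdigit() or abs(now - int(ts)) > WINDOW_SECONDS:
        return "stale"
    expected = sign_request(req["method"], req["path"], req["body"], sid, session_keys[sid], int(ts))
    return None if hmac.compare_digest(expected, sig) else "bad-signature"

def filter_batch(requests, session_keys, now):
    # Split a batch into requests to forward and a count of drop reasons for monitoring.
    allowed, reasons = [], Counter()
    for req in requests:
        reason = verify_request(req, session_keys, now)
        if reason is None:
            allowed.append(req)
        else:
            reasons[reason] += 1
    return allowed, reasons

def make_request(path, sid, key, ts, body=b"", sig=None):
    # Constructed request; the signature is computed unless a forged one is supplied.
    sig = sig or sign_request("POST", path, body, sid, key, ts)
    return {"method": "POST", "path": path, "body": body,
            "headers": {"X-Session": sid, "X-Ts": str(ts), "X-Sig": sig}}

def demo():
    now, keys = 1_700_000_000, {"s1": b"constructed-key-1", "s2": b"constructed-key-2"}
    batch = [make_request("/move", "s1", keys["s1"], now),                # legitimate
             make_request("/chat", "s2", keys["s2"], now, body=b"hi"),    # legitimate
             make_request("/move", "s1", keys["s1"], now - 3600),         # stale replay
             make_request("/move", "s9", b"not-issued", now),             # unknown session
             make_request("/chat", "s2", keys["s2"], now, sig="00" * 32)] # forged signature
    allowed, reasons = filter_batch(batch, keys, now)
    return len(allowed), dict(reasons)
```

Because the check depends only on fields the filter can read, the protection provider can apply it without seeing the game's internal state, which is exactly the kind of distinction the customer should prepare before activating protection.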
Not All DDoS Protection Services And Providers Are Equally Effective
In addition to the protectability factors, the choice of an anti-DDoS service provider is of course also important.
Today, there are DDoS protection services with very different capabilities and quality. Often, such services are offered by hosting and Internet providers for a small fee or even free of charge. However, they usually have very limited capabilities and only protect against attacks executed at the network layer (L3 in the OSI model) and the transport layer (L4), while the application layer (L7) remains unprotected.
The services provided by professional security providers specializing in anti-DDoS also vary widely. For example, not every provider can offer protection against DDoS attacks without being given the private SSL keys, which is necessary for financial services that must meet the requirements of the PCI DSS payment standard and for systems whose components exchange confidential data.
Not all providers have sufficient infrastructure and topology to defend against strong modern DDoS attacks. In addition, the location, number, and power of points of presence may be such that the effectiveness of the protection service for a particular customer is unacceptably low.
Providers also interact with their customers in very different ways. For example, not every provider is willing to tailor its protection to the customer's needs and the existing architecture of the customer's Internet applications, and not every provider helps to increase the resilience of resources against DDoS attacks. Therefore, it is very useful to study the feedback of a protection provider's customers and to request a trial period before signing a contract.
In some companies, technical support works slowly. To understand why this matters, imagine an online store's website being unavailable during seasonal peaks in demand. Not every provider's technical support responds promptly outside business hours, whereas it should be in “full combat readiness” around the clock, all year round.
Since not all providers are the same, you should study them carefully before you start working with them. Otherwise, even connecting several protection services from several providers will not help if those services are not of sufficient quality.
All these recommendations apply to game websites and metaverses. Based on them, owners and operators can start building DDoS protection. And once it finally works, remember to test its effectiveness systematically and keep it up to date.