Most video games utilize peer-to-peer traffic (which is why many require port forwarding/UPnP), so the attacker has the IP addresses of all of their peers in their firewall logs. There are even 'gaming routers' that specialize in gaming this peer-to-peer system for competitive advantages, such as specifically blocking the IPs of players you don't want to play against:
https://netduma.com/why/for-gamers/

Once an attacker has identified his target, getting the IP is as simple as joining/being in an online game with that player.

On Mon, Sep 21, 2015 at 5:00 AM, <frnk...@iname.com> wrote:

> 99% of the attacks we see are gaming related -- somehow the other players
> know the IP and then attack our customer for an advantage in the game, or
> retribution.
>
> Most DHCP servers (correctly) give the same IP address if the CPE is
> rebooted. Ours are one of those. =)
>
> Frank
>
> -----Original Message-----
> From: Mehmet Akcin [mailto:meh...@akcin.net]
> Sent: Saturday, September 19, 2015 3:10 PM
> To: Frank Bulk <frnk...@iname.com>
> Cc: nanog@nanog.org
> Subject: Re: DDoS auto-mitigation best practices (for eyeball networks)
>
> How does he/she become target? How does IP address get exposed?
>
> I guess simplest way is to reboot modem and hope to get new ip (or call n
> request)
>
> Mehmet
>
> > On Sep 19, 2015, at 12:54, Frank Bulk <frnk...@iname.com> wrote:
> >
> > Could the community share some DDoS auto-mitigation best practices for
> > eyeball networks, where the target is a residential broadband subscriber?
> > I'm not asking so much about the customer communication as much as
> > configuration of any thresholds or settings, such as:
> > - minimum traffic volume before responding (for volumetric attacks)
> > - minimum time to wait before responding
> > - filter percentage: 100% of the traffic toward target (or if volumetric,
> > just a certain percentage)?
> > - time before mitigation is automatically removed
> > - and if the attack should recur shortly thereafter, time to respond and
> > remove again
> > - use of an upstream provider(s) mitigation services versus one's own
> > mitigation tools
> > - network placement of mitigation (presumably upstream as possible)
> > - and anything else
> >
> > I ask about best practice for broadband subscribers on eyeball networks
> > because it's a different environment than data center and hosting environments
> > or when one's network is being used to DDoS a target.
> >
> > Regards,
> >
> > Frank
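
The timing knobs listed in the original question (minimum volume, minimum time before responding, time before automatic removal, faster response on recurrence) can be modelled as a small per-subscriber state machine. This is an added example, not code from any poster in the thread; the class, parameter names, numeric values and sample traffic are constructed placeholders rather than recommended settings, and it assumes traffic is measured upstream of the filter.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AutoMitigator:
    """Per-subscriber trigger/release state machine; every value is a placeholder."""
    trigger_bps: float     # minimum traffic volume before responding
    sustain_s: int         # minimum time over the threshold before responding
    hold_s: int            # quiet time before mitigation is removed automatically
    recur_window_s: int    # a new attack this soon after release is a recurrence
    recur_sustain_s: int   # shorter wait applied to a recurrence
    mitigating: bool = False
    over_since: Optional[int] = None
    until: int = 0
    last_release: Optional[int] = None
    events: list = field(default_factory=list)

    def sample(self, t, bps):
        """Feed one (time in seconds, bits/s) reading, measured upstream of the filter."""
        over = bps >= self.trigger_bps
        if self.mitigating:
            if over:                       # attack still running: restart the hold timer
                self.until = t + self.hold_s
            if t >= self.until:
                self.mitigating, self.last_release = False, t
                self.events.append((t, "release"))
            return
        if not over:
            self.over_since = None         # short bursts never reach the sustain time
            return
        if self.over_since is None:
            self.over_since = t
        recurring = (self.last_release is not None
                     and t - self.last_release <= self.recur_window_s)
        need = self.recur_sustain_s if recurring else self.sustain_s
        if t - self.over_since >= need:
            self.mitigating, self.over_since = True, None
            self.until = t + self.hold_s
            self.events.append((t, "mitigate"))

def run(samples, **params):
    m = AutoMitigator(**params)
    for t, bps in samples:
        m.sample(t, bps)
    return m.events

# Constructed one-second samples: attack at t=2..6, recurrence at t=15..17.
SAMPLES = [(t, 500e6 if 2 <= t <= 6 or 15 <= t <= 17 else 10e6) for t in range(26)]
PARAMS = dict(trigger_bps=100e6, sustain_s=3, hold_s=5, recur_window_s=10, recur_sustain_s=1)
```

Calling `run(SAMPLES, **PARAMS)` returns the list of `(time, action)` transitions; the second attack triggers after the shorter recurrence wait because it starts inside the recurrence window.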