The Rising Concern of Forced Disconnection Attacks

A string of recent reports over "well-timed" disconnections raises player denial-of-service attack concerns.

On March 28, a player waiting at a shallow 200/400 NL table was joined by BartonPro1. Almost immediately the pair were involved in a big hand: Our hero, holding two pair and a flush draw on the turn, bets out $1800 into the swelling $3600 pot.

This article was originally published exclusively on pokerfuse PRO on April 18, 2013. It has now been republished on for free. Pokerfuse PRO is a new premium subscription site with exclusive poker industry news and features published every weekday. Interested? Find out more and sign up today!

Then, inexplicably, our hero experiences heavy lag. Before he can see the river card, he disconnects from the poker room. When he manages to reconnect a minute or two later, he finds that he timed out of the hand, and is out more than $5000. His opponent has gone.

Of course, there is nothing unique to the story: internet connection issues are only too common in online poker. However, evidence suggests that, at least in some of these cases, there may be more at play.

Two forum threads on 2+2 (1, 2) have recently emerged that indicate players may be victims of targeted forced disconnections—denial of service (DoS) attacks that temporarily disable a player’s internet connection. Disconnections are timed so that the victim either times out at a critical point in a pot, causing them to forfeit their hand, or disconnects for long enough that they blind out of a fast-structure Heads Up Sit and Go tournament.

Evidence put forward in the threads is circumstantial but difficult to ignore. Members have identified accounts that have been repeat “benefactors” from disconnections, have unusually high win-rates and receive well-timed seating at tournaments just as the opponent disconnects.

The evidence presented in specific cases may be inconclusive; however, the theory at least is sound. Not only are targeted denial of service attacks against players plausible, they are likely. There has been a rising trend in other online gaming of such attacks, and there’s no doubt online poker provides a uniquely profitable opportunity for the scam.

The Theory

Denial of service attacks (DoS) are synonymous with large-scale attacks against banks, payment processors and other large-scale public-facing websites, either for idiological reasons or for straight up profit.

DoS attacks aim to saturate the target machine with floods of bogus inbound traffic to the extent that servers are unavailable to deal with legitimate requests. Distributed attacks (DDoS) use multiple machines—commonly “botnets,” large networks of compromised machines that are under control of a host—to devastating effect, successfully making even the largest online infrastructures inaccessible for hours, even days.

But the exploit is not only used against websites. Assuming the public IP address of an individual is known, similar techniques can be used to overload a home internet connection. If a router is flooded with incoming TCP or UDP packets, it can temporarily prevent it from dealing with legitimate internet traffic, and the home user temporarily offline.

The Practice

If that seems far-fetched, think again: In the world of competitive online gaming, denial of service attacks are now commonplace.

Community forums for online gaming services are littered with players claiming to be victims of denial of service attacks. In one community for the game DoTA 2, a popular real-time strategy game, three competitive matches in the last week alone have been disrupted by DoS attacks.

Keep in mind that in most of these games, no money is at stake—only internet pride. “Raging”—a video game term similar to poker’s “tilt”—is the usual explanation given for DDoS attacks.

In online poker, of course, the rewards are much clearer. With $1000 hyper-turbo sit-and-go’s in which players could blind out in minutes, and five- and six-figures pots that players could time out and fold, the stakes are high.

Recommendations for Players and Operators

The attack is only possible if the IP address of the victim is known, and the address can be associated with a poker screen name.

The ubiquitous Skype, the “standard” for instant messaging in the online poker world, has a particular security flaw that exposes your IP address when you are connected. If you know someone’s Skype username and that person is online, their IP address can be revealed using a simple web-based service — you don’t even have to be accepted as a Skype friend.

Of course, accessing any website will expose IP addresses to server logs. Poker forums pose a particular concern, as one common feature is for the IP addresses of all posters to be exposed to moderators in order to curb spam. If a player ties their poker screen name to their forum account, an unscrupulous mod could use or sell this IP address information.

Players should be aware of the dangers in exposing their IP address, and operators should know when to educate concerned players over these risks.

One-man denial of service attacks are simple to carry out. Open-source software like LOIC is free to download and user-friendly enough to conduct a simple DoS attempt, even for an inexperienced computer user, and this could be sufficient to disrupt a player’s Internet access temporarily.

According to Gus Fritschie, avid poker player and Chief Technology Officer at SeNet International, DoS attacks become easier to conduct when the attacker is on the same Local Area Network (LAN) or Wireless LAN (WLAN) as the targeted player such as at a large live tournament series where players may also be playing online poker.

Though technically more difficult to carry out than simple DoS attacks, DDoS attacks can now be rented out; bot-net for hire can be purchased online for surprisingly reasonable rates. These more sophisticated attacks using distributed systems, however, are going to be impossible for a poker client to detect, either from the villain or the victim end.

Even so, operators should alert their security professionals of the real possibility of disconnection attacks, and look out for repeat “benefactors” of player disconnections. If sufficient red flags are raised, players can blocked from sitting at certain high-target tables (hyper turbo SNGs and high stakes HU big-bet tables) as a necessary precaution.