Unexpected "technical issues" forced online-poker giant PokerStars.com offline for roughly 18 hours on Sunday and early morning and disrupted one of PokerStars' most important Sundays of the year. The outage, not yet publicly explained, resulted in the cancellation of most of the day's tournament slate, including the high-profile main events in Stars' long-running World Championship of Online Poker (WCOOP) series.
The WCOOP's Event #92-H, the $10,300 NLHE "High Roller" Championship, was barely underway when players around the globe began experiencing significant lag and timing out without being able to act. PokerStars paused all action on the site within minutes while attempting to update its player base on the situation via social media:
PokerStars also posted an image of its cancellation-and-refunds policy on its account, since that page was also inaccessible during the downtime. The affected tourneys, involving millions of dollars in guarantees, will be refunded according to Stars' "Roll Forward" contingency plan, which calls for a refund of fees to all players still in the events. In the Event #92-H main, which had just reached Level 4, only eight of 297 entrants had busted, and the field was hours away from reaching the money. Once buy-in refunds are issued, any remaining prize-pool money is distributed according to an ICM-based chip chop.
The tweets show that PokerStars battled the unspecified "technical issues" for roughly two hours before abandoning the hoped-for resumption of play. Hundreds of players expressed their ire online over the situation, but no other solution appeared readily available, since players could not reasonably be forced to wait indefinitely. PokerStars will issue the refunds over the coming days while also coming up with a plan for addressing the unexpected crater left in the history of one of the site's most popular and important series.
DDoS attack among possible explanations for downtime
Though PokerStars has yet to issue any statement about the causes behind the cited technical issues, an external DDoS (distributed denial of service) attack launched by malicious actors is among the possibilities. Such attacks are typically extortion-based and can involve thousands of computers around the globe being manipulated to direct unwanted traffic toward the targeted servers. The computers used in the attack are typically compromised via computer viruses embedded in malware or inserted via other means, unbeknownst to their owners.
When launched, a DDoS attack floods a server with so much traffic that it can exceed the server's ability to respond to any traffic, whether it's normal traffic -- for example, the gaming engine communicating with users -- or the attack-based junk, which still takes up processing time while being discarded. Mitigation practices can involve blocking addresses from which the junk traffic originates and setting up front-end filters to ensure that only legitimate traffic passes through to the gaming engine.
Unfortunately, the nature of a DDoS attack itself ensures that only a "whack-a-mole" defensive strategy can be employed, and a determined, massive attack can overwhelm even the strongest defensive measures.
Online poker targeted by malicious DDoS attacks for two decades
Online poker and other forms of online gambling have been among the most frequent victims of DDoS attacks over the past 20 years, though the criminal practice has been used against all forms of online commerce. One of the hallmarks of a DDoS attack is for the extortionists to launch it during high-traffic / high-revenue periods on the targeted site.
PokerStars' high-profile WCOOP main events certainly qualify as such as a target, though the online sports-betting industry has been an even larger target over the years. In that market niche, DDoS attacks often coincide with huge wagering events such as the Super Bowl, World Cup, or March Madness (NCAA basketball). The extortionists' scheme is to pose a maximum threat, receive some form of payment (usually in largely untraceable cryptocurrency), then move on to another target.
Most online-poker and gambling sites have been targeted many times over the years, and most victims chose to weather the storms and downtime rather than give in to the extortionists' demands. PokerStars has suffered numerous such attacks, with major episodes occurring most recently in 2016 and 2018. GGPoker, partypoker, and ACR have also suffered publicized DDoS attacks in recent years, but there's likely no large, established site that hasn't been attacked in such a manner.
Though the financial blackmailers try to cover their tracks, an increase in cybersecurity measures by various governments has resulted in some charges being brought against these attackers. A 2015 attack launched against PokerStars, NETeller, and Betfair resulted in Interpol's arrest of two Eastern European hackers who were linked to a much larger cyber-crime group called DD4BC (DDoS 4 Bitcoin). DD4BC disbanded after being cracked by Interpol's investigation, but many similar groups remain active.
Nonetheless, whether or not PokerStars' problems yesterday were a DDoS attack remains unconfirmed conjecture at this time. Sites are attacked more frequently than most users realize. In one almost-comic episode a decade ago, a Stars HU cash-game player was discovered to have found a way to identify the internet address from which his opponent was playing. The cash-game cheater waited until a huge pot was at stake, and he then launched a DDoS attack using purchased software against that specific address, forcing his opponent offline. The forced disconnection for the victim gave the cheater the pot when the targeted player was auto-folded. The scheme lasted only a short while, however, and it was outed when cheated players reported the highly coincidental circumstances to PokerStars, which investigated further.
Featured image source: PokerStars