I have no idea for sure, but why else would the server numbers have gone down so quickly and so much? About 1 year ago we had roughly 2,300 KF2 servers; 2 years ago, 2,500. Now it's a bit below 1,800, down from 2,000 at the beginning of 2023.
Yes, we've mostly got to the bottom of this.
Tamari has nothing to do with it, unless by pure coincidence, but even that is not likely: he's a game developer and gamer. The people behind these DDoS attacks are pros who most likely sell their, as they say, "booter" or "stresser" services to people who may want to take revenge on someone or gain a competitive business advantage by taking their competitors offline.
The way it works is through amplification. Gaming, for latency reasons, relies on the UDP protocol, which, unlike TCP, doesn't require a 2-way handshake protocol negotiation. This means that one can send UDP datagrams with spoofed source IPs: they craft UDP datagrams and, unlike the network driver, which would typically put your own source IP into the datagram, their software uses some other source IP address. Because there still exist last-mile ISPs that do not filter ingress traffic from their customers by source IP and do not drop, as BCP 38 recommends, all IP ranges on their routers that don't belong to that ISP, customers of such ISPs can send UDP datagrams with spoofed source IPs.
The destination IP of such datagrams would be any UE3 server. The issue with them is that their responses are 700 times more voluminous packet-wise and 900 times more voluminous byte-wise. You can check it yourself using a simple command like netcat:
nc 5.161.149.88 -u 7779
Replace the IP with your KF2 IP and 7779 with the port on which your KF2 server listens. The command will wait for your input; press any key and then Enter, and then watch in awe how much garbage a KF2 server spits out in return for just 1 byte.
But because the source IP was spoofed, all this garbage, unlike in the netcat experiment, is going to be sent to the spoofed IP address. This can be abused to focus the responses from thousands of UE3 servers on one single online business and take it offline by fully saturating its internet connection.
Quick back-of-the-napkin calculations. Suppose that your business has a 1 Gbit/sec connection to the internet. Depending on how much useful traffic is going through this pipe, you need to generate something like 0.4 Gbit/sec to 0.99 Gbit/sec of traffic from UE3 servers. Say that we want to limit ourselves to sending only 50 spoofed-IP datagrams to a single UE3 server so it doesn't crash too soon, which is totally realistic. In the worst attack on my servers I've seen 1700 requests per second; 50 is rather mild and wouldn't crash the server too fast. Assume 8 bits per byte. 1 response is amplified 700 times. In response to 50 requests we get 50 * 700 = 35000 bytes. Let's take 1 KB = 1000 bytes for simplicity and so on. That's 280 Kbit/sec. Thus, in order to saturate a 1,000,000,000 (= 1 Gbit/sec) pipe we would need 1,000,000,000 / 280,000 = 3571 servers. It's easy to send 500 datagrams instead of 50; this way we would need only 357 servers to fully saturate the pipe.
Of course, if we go overboard, it's likely that the KF2 servers start locking up, crashing, lagging and such, and their owners would either take them offline, put them behind firewalls, etc. -- thus reducing your amplification factor. But if you keep it mild you can keep up the intensity of the attack for a long time.
There are tens of thousands of UE3 servers out there.
We know for a fact, by just analyzing the spoofed source IPs to which our KF2 servers send the traffic, that mostly these are various cloud hosters, typically 2nd- or 3rd-tier, such as DigitalOcean, Hetzner and such, sometimes even smaller ones. We know that they have some beef with Roblox, which is an online gaming company, and they have been attacking its servers for years now.
As I mentioned, there are 2 ways to monetize these services: 1 is to charge other cybercriminals for the "stresser" service time, and the other is to directly demand a ransom from the attacked victims, which happens in about 7% of cases, according to one of the Cloudflare DDoS reports.
This attack is called an "amplification volumetric L3/L4 distributed denial of service" attack.
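For server operators reading this: one way to notice that your own KF2/UE3 query port is being used as a reflector is to count queries per "source" address per second and the bytes you answer with. The script below is an added example (my own code, not from the post above and not a Tripwire or UE3 tool). It assumes a constructed log format, one line per query/response pair, that you would have to produce yourself from a packet capture or firewall log on the query port; the log lines and the 7779 port are sample values. Note that a flagged address is the spoofed victim whose link is being filled, not the attacker, so the sensible reaction is to rate-limit responses per destination or firewall the query port, not to report that address as abusive.

```python
"""Detect a game-server query port being used as a UDP reflector.

Added example, not code from the post or from any KF2/UE3 tool. It assumes
a constructed (hypothetical) log format of one line per query/response
pair on the server's query port:

    <ISO timestamp> src=<ip> dport=<port> in=<request bytes> out=<response bytes>

A flagged source IP is the victim of the spoofing, not the attacker.
"""
from collections import defaultdict
from datetime import datetime
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dport=(?P<dport>\d+) "
    r"in=(?P<inb>\d+) out=(?P<outb>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dport": int(m["dport"]),
        "in": int(m["inb"]),
        "out": int(m["outb"]),
    }


def detect_reflection(lines, rate_threshold=50):
    """Return {src_ip: stats} for sources whose per-second query count exceeds
    rate_threshold. stats holds the peak queries/s, the amplification ratio
    (bytes out / bytes in) and the total bytes sent towards that address."""
    per_second = defaultdict(int)                       # (src, second) -> queries
    totals = defaultdict(lambda: {"in": 0, "out": 0})   # src -> byte counters
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_second[(rec["src"], rec["ts"].replace(microsecond=0))] += 1
        totals[rec["src"]]["in"] += rec["in"]
        totals[rec["src"]]["out"] += rec["out"]

    flagged = {}
    for (src, _second), count in per_second.items():
        if count <= rate_threshold:
            continue
        t = totals[src]
        amp = t["out"] / t["in"] if t["in"] else float("inf")
        if src not in flagged or count > flagged[src]["peak_rps"]:
            flagged[src] = {"peak_rps": count, "amplification": amp,
                            "bytes_sent": t["out"]}
    return flagged


def constructed_log():
    """Constructed sample traffic (not a real capture).

    203.0.113.7 "sends" 120 one-byte queries within a single second and gets
    a ~900-byte reply to each: the spoofed-source pattern. 198.51.100.5 is an
    ordinary server-browser client sending one query per second."""
    lines = []
    for i in range(120):
        lines.append(f"2024-05-01T12:00:00.{i * 8:06d} "
                     "src=203.0.113.7 dport=7779 in=1 out=900")
    for s in range(3):
        lines.append(f"2024-05-01T12:00:0{s}.500000 "
                     "src=198.51.100.5 dport=7779 in=1 out=900")
    return lines


if __name__ == "__main__":
    for ip, stats in detect_reflection(constructed_log()).items():
        print(f"{ip}: peak {stats['peak_rps']} queries/s, "
              f"amplification x{stats['amplification']:.0f}, "
              f"{stats['bytes_sent']} bytes sent towards it")
```

The 50 queries/s default matches the "mild" rate from the calculation above; a legitimate server browser sends a query every few seconds at most, so anything in that range from one address is almost certainly reflection traffic. Summing the per-second counts over all sources catches the case where the attacker spreads the spoofed addresses across many victims.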
An infamous story about a very similar botnet from Brian Krebs: