Subscribe to Blog Updates

Hacker Group ‘PoodleCorp’ Claim DDoS Attack Took Pokémon Go Servers Offline

Posted: 22-Jul-2016 15:14:28
Author: Aaron Pickett


Unless you’ve been living under a rock, or far out at sea, it must be impossible for you to have failed to notice the amazing rise to success of Pokémon Go. Within days Nintendo’s share prices rocketed, and the craze has turned out children and adults alike, walking the streets like mobile-holding zombies. Of course, it was not long until someone wanted to spoil the fun – casting millions back into their homes to hide away from the mid-summer heat.

Taking responsibility for the recent attack on the Pokémon Go servers was a hacking group known as ‘PoodleCorp’. Although it should be noted that this hacking group’s claims have not been verified, the news of the servers being down made the headlines, with the Independent, BBC News and other sources declaring that a DDoS attack was to blame for the lack of Pokémon Go on Saturday 16th July.

For those who detest the new craze, don’t worry; although the analogy continues, we stop talking about the gaming parts of the application here. We regularly see claims of DDoS attacks in the news; large UK-based bank HSBC was attacked in July; PlayStation and Xbox both found their gaming networks attacked and Anonymous have claimed responsibility for attacks on Zimbabwe government websites. But still, what does this all this mean and is it really hacking?

A Distributed Denial of Service (DDoS) Attack is a tried-and-tested technique that an attacker can use to disrupt a network – sometimes as a decoy from other attacks (known as ‘dark DDoS’), sometimes to break or ‘take down’ a server, and sometimes to stop legitimate users from connecting simply from malice. Whilst a DDoS Attack requires no real ‘hacking’ on a server, it does require hundreds of thousands of devices (usually hacked themselves) to launch the attack, as can be seen in the example below.


As the figure above shows, an average use of Pokémon Go is for users (potentially in the millions) to send an internet signal to their nearest cell tower, where it is directed across the internet to the Pokémon Go servers (or server, in this illustration). Although I do not know the true amount, the app is likely to send and receive a message every few seconds, to limit the amount of traffic that the servers are required to deal with. This may slow down if many users are trying to play the game online, but realistically only a small portion of the app’s user base is likely to be online at any one time.

While there may be some adjustment time at the beginning as the application developers adjust the servers to meet the required demand, the outcome usually results in a stable service. However, a DDoS Attack is designed to disrupt this service. By communicating with machines in a giant network of hacked devices, the largest of which is known to be approximately 450,000 machines in size, and telling each to send hundreds of signals each second to the server, the abnormal load would mean the server would have an ever-larger backlog as it is unable to deal with the requests fast enough. Eventually, the server may be physically damaged, or simply go offline.

To give an (unrealistic in terms of scale) example, if everyone in a 60-seater bus were on the Pokémon Go servers and each sent a signal to the server every twenty seconds, the server would have to deal with approximately 3 responses each second. The server would happily respond to these with minimal delay and players could continue to play. If, however, the bus pulled up next to a Pokémon convention with 1000 players playing, the sudden jump to 53 required responses per second requires more computing power. Imagine this on a magnified scale, where the results could be catastrophic as the server is unable to cope with the demand, rejecting legitimate traffic to try to slow down the bombardment of traffic where it is unable to tell legitimate and malicious traffic apart.


For businesses, the outcome of this could be lost business for a day, a week, a month – for as long as it takes for the attack to stop or for better hardware to be installed to cope with the huge increase in demand. Email servers and web servers are among the most targeted, but the attack provides an easy way to hold a company to ransom, especially those that rely on internet traffic.

Share this article

facebook-yellow.png    twitter-yellow.png    Linkedin-yellow.png    pinterest-yellow.png    google-yellow.png