
Thread: Merge disconnects then proceeds to sign players into other players accounts

  1. #21
    Owner Dan Druff's Avatar
    According to that 2+2 thread I linked, he is likely from Spain, not Sweden. Sweden seems to be a cover, for whatever reason.

    The disturbing thing here is that it appears he's found a way to DDoS the entire Merge network, rather than just individual players as he did on Stars and elsewhere.

    This shows that Merge is particularly vulnerable to such an attack, while the other sites likely aren't.

    Watch Merge worm out of this one, regarding compensating anyone beyond whatever funds they can seize from his account.

  2. #22
    Owner Dan Druff's Avatar
    Well I just tried to go onto Carbon to see if any games were running, and noticed that my dormant-since-2011 account has disappeared.

    Like, the account is completely gone.

    Weird.

    Anyway, I made a junk account (which doesn't let you finish the creation process without a deposit, lol). I aborted the deposit thing and was able to log in.

    Games are running again.

  3. #23
    Bronze
    Saw a tweet from @wafoxen showing a jack of spades in his hand and same card on board. Visually it gave him a flush. On the display it said K high.

    I assume this is the previously known disconnect bug where old cards are displayed when you reconnect? What a mess. Combine that with DDOS and yikes!

  4. #24
    Plutonium Sanlmar's Avatar
    Personally, I think the focus on this player and his DDOS scheme is misplaced. Players will attempt to cheat. That's just real world. I will be disappointed if Druff chooses to spend more energy with the sexy story about some kid on the nick.

    That Merge has no plan to react and protect their honest customers is more important.

    I dunno, after the 10th disconnect, maybe suspend the tournaments and cash games and broadcast a message. Today wasn't even their first attack and it was responded to in the same small time way.

    Is this site run out of some guy's bedroom?

    All these clowns provide is software and servers. They don't do that very well.

    I guarantee the worthless poker media outlets will get all caught up in the micro-issue of who the kid is and utterly fail to challenge Merge concerning their response during the attack.

    Calvinayre.com might get it right. We will see.
    Last edited by Sanlmar; 12-07-2014 at 10:17 PM.

  5. #25
    Owner Dan Druff's Avatar
    Quote Originally Posted by Sanlmar View Post
    Personally, I think the focus on this player and his DDOS scheme is misplaced. Players will attempt to cheat. That's just real world. I will be disappointed if Druff chooses to spend more energy with the sexy story about some kid on the nick.

    That Merge has no plan to react and protect their honest customers is more important.

    I dunno, after the 10th disconnect, maybe suspend the tournaments and cash games and broadcast a message. Today wasn't even their first attack and it was responded to in the same small time way.

    Is this site run out of some guy's bedroom?

    All these clowns provide is software and servers. They don't do that very well.

    I guarantee the worthless poker media outlets will get all caught up in the micro-issue of who the kid is and utterly fail to challenge Merge concerning their response during the attack.

    Calvinayre.com might get it right. We will see.
    I agree that the bigger issue here is Merge's handling of the situation (and their major vulnerability in the first place), rather than the exact identity of some Eurotrash scumbag who perpetrated the cheat.

    I have heard that Merge gave people equity credit in tournaments during the most recent crashes. Well, that's nice, I guess, but it's no skin off their ass. It doesn't cost them anything to take the existing prize pool and divide it up based upon the chip counts of the remaining participants. That's not "making things right", but rather avoiding screwing affected players further.

    If anything, this has exposed that Merge security is a joke, and their software is vulnerable to a lot more than people previously thought. Keep in mind that even PFA now has protection against DoS attacks.

    And that's one other thing. People like to refer to DDoS in situations like these, but I am guessing that this situation was just a DoS. A DDoS is a distributed denial of service attack, meaning that a large number of machines are attacking at once. A DoS attack comes from a single source. While it's possible that this dude grabbed some "zombie" machines to assist him in taking Merge down, his previous antics on Stars would indicate that he's just using his own machine. That's how bad Merge's system might be -- to where one guy hammering their server with repeated requests from a single source could crash the whole thing, and in some cases make it go haywire when it comes back up.

    Merge owes the community some real answers, but we all know that we won't get them.
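
Added example, not part of any poster's message: the DoS versus DDoS distinction drawn in post #25 matters to a defender because a flood from one source can be cut off per source, while a distributed one cannot. The sketch below classifies one window of request source addresses; the function names, thresholds and sample addresses are all assumptions constructed for illustration.

```python
from collections import Counter

def classify_window(sources, window_s, baseline_rps,
                    flood_factor=5, coverage_pct=80, max_dos_sources=3):
    """Classify one time window of traffic by how concentrated its sources are.

    sources: one source-IP string per request seen in the window.
    Returns (verdict, needed): needed is the smallest number of sources that
    together account for coverage_pct percent of the requests.
    All thresholds are illustrative assumptions, not tuned values.
    """
    total = len(sources)
    if total < flood_factor * baseline_rps * window_s:
        return ("normal", 0)
    needed = covered = 0
    for _, count in Counter(sources).most_common():
        covered += count
        needed += 1
        if covered * 100 >= coverage_pct * total:
            break
    # Few heavy senders: per-source blocking or rate limiting is enough.
    # Many light senders: needs upstream filtering capacity instead.
    return ("dos" if needed <= max_dos_sources else "ddos", needed)

def sample_windows():
    """Constructed 10-second windows: 40 players sending 5 requests each."""
    players = [f"10.0.0.{i}" for i in range(1, 41)] * 5
    one_host = ["203.0.113.7"] * 3000
    many_hosts = [f"100.64.{i // 250}.{i % 250 + 1}" for i in range(600)] * 5
    return {
        "quiet": players,
        "single_source": players + one_host,
        "distributed": players + many_hosts,
    }

if __name__ == "__main__":
    for name, window in sample_windows().items():
        print(name, classify_window(window, window_s=10, baseline_rps=20))
```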

  6. #26
    Bronze
    Good point. It's DOS not DDoS. Even worse, it might be a specially crafted packet causing services to restart. I'm curious to know more but agree the bigger story is the reaction by Merge now and next time.

  7. #27
    Plutonium Sanlmar's Avatar
    Quote Originally Posted by Dan Druff View Post
    I agree that the bigger issue here is Merge's handling of the situation (and their major vulnerability in the first place), rather than the exact identity of some Eurotrash scumbag who perpetrated the cheat.
    The bigger issue here is Merge's handling DURING the situation

    Again, shut things down & send out broadcast message. Protect their customers.

    Was anyone present at Merge during attack?

    What they do after is as you say, "no skin off their teeth". That is not the story at all.

    You talk about equity chops, Druff. You forget cash games entirely.

  8. #28
    Cubic Zirconia
    I agree the focus should be on Merge, not the culprit.

    I wonder if we'll even get an official statement from them; I'm not going to hold my breath.

  9. #29
    Owner Dan Druff's Avatar


    Notice the cheater in the SB.

    Also LOL @ the name "SpeweyLewis".

  10. #30
    Cubic Zirconia

    Player on Merge cheating by causing the site to disconnect

    http://forumserver.twoplustwo.com/sh...ostcount=10998

    This is a good post to start reading from...

    Cliffs are player would build a pot and then make a bet and the site would disconnect. After I was aware of this I opened the player's table and witnessed it first hand within a couple of minutes.

    I believe after a while they logged this player out and the tourney then ran smooth for a while. Eventually they cancelled the tourneys and everyone was refunded quickly with ICM considerations.

    This is the information I have on the issue, I was on other sites so I only know info from the other players and the thread.

    I believe the player was doing a DoS attack on the server (this is just my speculation)

    Another relevant post

    http://forumserver.twoplustwo.com/sh...ostcount=11009

  11. #31
    Cubic Zirconia
    Here is the actual thread. I didn't see originally.

    http://forumserver.twoplustwo.com/29...merge-1494272/

  12. #32
    Member
    There is a lot more to this story IMO. We've been working on it since before this incident at Merge. It is not localized to Merge in any way shape or form. I'll post the story on PFA once we get it finished up...

  13. #33

  14. #34
    Owner Dan Druff's Avatar
    Quote Originally Posted by HowQuaint View Post
    There is a lot more to this story IMO. We've been working on it since before this incident at Merge. It is not localized to Merge in any way shape or form. I'll post the story on PFA once we get it finished up...
    Would appreciate any updates you might have on the matter.

    I agree that it's not likely localized to Merge, though Merge was particularly vulnerable to this sort of attack. Also, their response to the matter was poor, both during and after.

    I think it's clear that this is a serial cheater across many sites who uses DoS attacks to force disconnects and win pots.

  15. #35
    Plutonium Sanlmar's Avatar
    Yup, both these worthless rags fail to question the manner and speed in which Merge responded to the cheating/attack.

    Average user figured it out faster than the site.

    Poker press is so lame.

  16. #36
    Owner Dan Druff's Avatar
    Bovada lost connection for me and everyone else twice in the past 8 hours.

    I wonder if it's related. Came back pretty fast though.

  17. #37
    Member
    Quote Originally Posted by Dan Druff View Post
    Bovada lost connection for me and everyone else twice in the past 8 hours.

    I wonder if it's related. Came back pretty fast though.

    Possibly so. Here is our article Todd. We spoke to a number of the affected poker sites, unquoted obviously, and this is our report and speculation.

    http://professionalrakeback.com/cybe...ound-the-world

  18. #38
    Bronze
    scary shit indeed.

    However, DDOS in general is extremely hard to stop. If they are being systematically attacked (as opposed to temporarily throttled for personal financial gain), I'm impressed the sites are only going down for a couple minutes. I think the only real way of mitigating a coordinated DDOS attack is hosting your services with something like Cloudflare or Akamai (distributed front end protection) and pay for them to deal with it. Even with that it seems like Akamai would still need to have more bandwidth than the attackers to completely prevent a general flood (though this would help protect against crafted packets). It's pretty easy to solicit a bunch of geographically dispersed robots. Even automated tools that potentially blackhole routes/ASA numbers take a little time to implement and converge. I don't see how you can avoid some kind of delay.

    This is the kind of crap that keeps me up at night in regards to my day job. A sophisticated foe with financial motivation and a lack of accountability is tough to stop.

    Here is a link to an Akamai brief. http://www.akamai.com/html/solutions/site-defender.html

    The issue with the one user on Merge Sunday night seemed way too coincidental over and over again. That appeared to be focused solely on DOS for that user's benefit. I guess it is possible there are multiple parties attacking or that individual was a subset.

    To be frank, this sux. Operating a business becomes more and more painful. And the depth of our security issues has only begun. Brace yourself.

    Anybody know what the normal downtime period has been for these attacks? couple minutes? more? less?

    NOTE: I am not an expert. I am thinking out loud here.

  19. #39
    Owner Dan Druff's Avatar
    Quote Originally Posted by HowQuaint View Post
    Quote Originally Posted by Dan Druff View Post
    Bovada lost connection for me and everyone else twice in the past 8 hours.

    I wonder if it's related. Came back pretty fast though.

    Possibly so. Here is our article Todd. We spoke to a number of the affected poker sites, unquoted obviously, and this is our report and speculation.

    http://professionalrakeback.com/cybe...ound-the-world

    Interesting report.

    I agree with your assessment that it is unlikely the US government is perpetrating this, as they would not be also attacking non-US-facing sites like Full Tilt.

    Also, if the US was behind it, there wouldn't have been a single player benefiting from the disconnections like was discovered on Merge.

    I still believe that this is a cheating plot. You mentioned in your article that the cheating didn't make sense because the player was unlikely to get away with it, but I disagree. This is EASILY something you could get away with, if done with subtlety. Just as with the AP/UB scandal, where that cheating also could have gone undetected, subtlety never seems to be the strong suit when it comes to poker cheaters.

    I disagree with your heaping praise upon Merge's handling of the situation. Among other things, they dropped the ball BIG TIME by not properly investigating it on November 23rd and figuring out what they were dealing with. They were also poor at both communicating with affected players and compensating them properly. Paying out equity from midway-canceled tournaments is not "making things right", as it's just a different distribution of existing player pool funds. It's no skin off their ass to do this.

    I also wonder if the minor disconnection issues experienced by Bodog, Full Tilt, and others are some sort of "test run" being done by the cheaters, with more to come later.

  20. #40
    Member
    The scale of these attacks is massive... You seem to think that these things can be solved in 5 minutes of investigation, and that simply isn't the case. I am personally coordinating with a number of sites trying to crack this case.
