Blizzard said on Sunday afternoon that performance issues with its games and the service formerly known as Battle.net were caused by distributed-denial of service (DDoS) attacks. The barrage caused login issues for many players, kicked some out of games they were already playing, and otherwise hindered efforts to enjoy a weekend afternoon in front of a computer screen. (With Blizzard's games, anyway.)
DDoS attacks have become increasingly common over the last year. A massive Internet of Things-powered attack on the Dyn domain name service brought down many popular sites, such as Spotify and Twitter, in October 2016. Just a few weeks ago, Square Enix said Final Fantasy XIV was targeted. Now it appears someone wanted to bring down Overwatch, Heroes of the Storm, and other titles using the same type of attack.
The attack made it all but impossible for people to play these games. One person shared a screenshot from Blizzard's app showing a 1,263 minute wait time to sign in to the Blizzard app. Other players took to Reddit to complain about estimated wait times between 230-1,300 minutes. Blizzard resolved the problem in two hours, so nobody actually had to wait that long, but the estimates help show the scope of this attack.
Blizzard said it also had problems with using PayPal as a payment option; those issues were resolved within a few minutes. It's not clear if this was a result of the DDoS attack or if it was just a technical failure that happened to coincide with the attack. (We'd put our money on the former.)
This attack highlights just how vulnerable online games—and online services in general—can be to attacks that are pretty easy to pull off. Anyone can buy malware to create their own bot army, and they can also "rent" devices that have already been compromised to conduct DDoS attacks. Billion-dollar games and services can be brought down by someone willing to spend a few minutes with Google and a few dollars on an attack.
It seems like companies will have to plan for this inevitability whenever their games would make particularly good targets. Square Enix had recently released an expansion for Final Fantasy XIV when it was targeted, for example, and the second annual Summer Games are currently going on in Overwatch. The attacks also occurred during the Overwatch World Cup group stage in Los Angeles. There was no chance of the attack sabotaging the event—tournaments are locally hosted—but the attackers might not have known that when they targeted Blizzard.
Attacks like this are only going to become more common. Popular online games are too tempting a target for people to pass up, and until the devices used to power these DDoS attacks are secured, very little stands in the way of wannabe attackers who want to ruin other people's fun. For companies like Blizzard and Square Enix, fending off massive attacks (all while handling other technical issues) will just become the norm.
I will also hazard that it's difficult to track/find the command and control of an established botnet because the traffic required to control a botnet vs that which can be generated by a botnet is very small, and anybody worth their salt will also use a (probably dedicated) subnet of compromised machines to do all the heavy lifting and keep everything at several removes from the actual human controller(s).