A player-made PSA post on Reddit has garnered some semi-official response from Microsoft over a potential security issue.
The post warned other players about random party invites in Rainbow Six Siege, which recently showed up on Xbox Game Pass, indicating that doing so exposes the IP address of the player accepting the invite, potentially creating an opportunity for that player to be hit with a distributed denial-of-service (DDOS) attack.
In response, an engineer on the Xbox team, Bill Ridmann, responded that Microsoft was already in the process of working on eliminating that particular threat vector. “Hey all, we know this is a problem,” Ridmann wrote, “we are actually phasing out P2P voice connections for party chat completely which we’ve been working on quite a bit in the background to stop this very problem. We’ve been ramping up a larger percentage of parties to be completely server based week over week (so you don’t make direct connections to other party members so they can not see your IP) and soon should have no more P2P based parties. I’ve seen some concerns here as well related to parties and the mobile app – it’s always been the case if you’ve used the mobile app to join a party the party becomes server based and your phone’s IP is never exposed to others.”
Food For Thought
While eliminating exposure of IP addresses is usually a good thing, it potentially shifts the burden of threat vector from players to Microsoft itself, since one player getting hit with a DDOS attack is an annoyance, but a thousand or more is a problem. In theory, Microsoft is reasonably well hardened against that sort of attack. However, as previous DDOS attacks on the PlayStation Network have demonstrated, size and technical proficiency are no guarantee of absolute security against a sufficiently determined attacker.
