I’ve raised this issue through the support ticket twice, got a generic response that does not offer any assistance so I’m raising it here, with the hope it will reach Epic’s infosec people.
The premise:
I’m streaming gameplay of my new creative island, playing with about ~15 of my viewers. Since the creative island is new, we are the only players online, with a single island session. Any new players joining from our region, will join our session as long as we are not at island max capacity.
The issue:
While streaming, user comes into chat informing that in a few seconds a DDOS attack is incoming on my ‘server’
As promised, after a few seconds, Fortnite in-game network monitor goes red, and all other players are ejected to the lobby.
This issue repeats several times.
It’s safe to assume the attack starts by some fortnite account joining the island session, gets the pod/server instance network info and clogs the network
That type of network traffic requires authentication and authorization, which means tracking down the Fortnite account that initiated the attack should be possible.
I also suggested providing the tiktok accounts behind the attack, if Epic wishes to pursue the attackers.
This is not a case where I am DDOSed, this is a case where Epic’s servers are being DDOSed and are rendered out of service - Which seems to be very simple to execute.
Epic’s Response:
Same response twice, report the player in game - I don’t know which specific Fortnite account is behind in the attack, and even if a user is blocked as a result of a report it would still be possible to break island sessions with extreme ease.
I’ve contacted Epic support, providing the time of attack and island information so they could investigate the attack which must be extremely common, my attackers are not sophisticated hackers, they are prepubescent script kiddies with an ‘off the shelf’ tool for breaking Fortnite island sessions.
Which begs the question - Is Epic Games Oblivious or Indifferent to creative island security?