The Evidence Problem in Competitive Gaming
A match server goes unresponsive during the deciding round of a tournament semifinal. Both teams disconnect. The broadcast cuts to a holding screen. Chat fills with accusations. One team claims they were winning and the disruption cost them the match. The other team claims the server was already unstable. The tournament organizer needs to make a ruling, and every outcome will be contested.
Without forensic evidence, the organizer is guessing. Was it a DDoS attack? A server-side crash? A network routing issue at the datacenter? A misconfigured firewall rule that dropped player connections? Each of these has a different implication for how the match should be resolved, and each requires different evidence to confirm.
This is the core problem that packet captures solve. A PCAP file is a complete, timestamped record of every packet that arrived at or departed from the server's network interface. It does not interpret or summarize. It records. And that record provides the objective evidence needed to determine exactly what happened, when, and from where.
What Packet Captures Reveal About DDoS Attacks
A packet capture during a DDoS attack contains several categories of forensically useful information. Understanding what to look for transforms a raw PCAP file from an opaque binary blob into actionable evidence.
Source IPs and Geographic Distribution
Legitimate game traffic comes from a known set of player IPs, typically 10 to 20 per match. During a DDoS attack, the PCAP will show traffic from hundreds or thousands of source IPs that do not correspond to any player connection. The geographic distribution of these IPs often reveals the attack infrastructure: a botnet will show sources scattered across dozens of countries, while an amplification attack will show sources concentrated at known reflector locations (DNS resolvers, NTP servers, or memcached instances).
Attack Vectors and Protocol Breakdown
The PCAP reveals exactly which protocols and ports the attack traffic uses. A UDP flood on port 27015 (the game port) looks different from a DNS amplification attack arriving on port 53. A SYN flood targeting the server's management port looks different from an HTTP flood targeting a web panel. Each vector has distinct packet-level signatures that are unambiguous in a capture: source ports, packet sizes, payload patterns, TCP flag combinations, and protocol-specific fields.
```bash
# Example: identifying attack vectors in a PCAP
# using tshark (Wireshark CLI)
# Count packets by protocol during the incident window
tshark -r match-incident.pcap \
  -Y "frame.time >= \"2026-06-05 14:32:00\" && frame.time <= \"2026-06-05 14:33:00\"" \
  -T fields -e ip.proto | sort | uniq -c | sort -rn

# Result during a typical esports DDoS:
#  847291 17    (UDP - attack traffic)
#    3842 6     (TCP - normal game/player traffic)
#      17 1     (ICMP - incidental)
```
Timing Correlation
One of the most powerful forensic capabilities of PCAP analysis is precise timing correlation. The capture timestamps show the exact moment attack traffic began, the exact moment server performance degraded (visible as increased game packet retransmissions or latency in the legitimate player traffic), and the exact moment players disconnected. This timeline proves whether the network anomaly caused the gameplay disruption or whether the two events were coincidental.
Timing evidence is particularly important when the disruption is brief. A 5-second latency spike during a critical moment might look like normal network jitter in server logs. The PCAP shows whether that 5-second window coincided with a burst of anomalous inbound traffic that had no business being on the wire.
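The three questions raised in the sections above (which sources, which protocols, and when) can be answered directly from the pcap file format without any tooling beyond the standard library. The following is an added example, not code from the original article or from any product it mentions. It builds a small capture in memory from constructed packets (player addresses in 203.0.113.0/24, server 198.51.100.10, a two-second UDP flood from 300 sources in 192.0.2.0/24 and 198.18.0.0/16, all documentation or benchmarking ranges chosen for illustration), then parses the classic libpcap layout (24-byte global header, 16-byte record headers, Ethernet/IPv4) to produce the protocol breakdown, the split between roster IPs and unknown sources, and a per-second inbound timeline from which the attack window is read off. The baseline rate, spike factor and the flood shape are assumptions for the sample; `read_pcap` handles only little-endian microsecond pcap files with Ethernet framing, which is what tcpdump writes by default on most Linux hosts.

```python
import struct
import ipaddress
from collections import Counter

# --- Minimal libpcap file format (24-byte global header + 16-byte record headers) ---
PCAP_MAGIC = 0xA1B2C3D4        # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1

def build_pcap(frames):
    """Serialise (timestamp, frame_bytes) pairs into an in-memory pcap file image."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Ethernet/IPv4 frame with a UDP (17) or TCP SYN (6) header; checksums left zero."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    return eth + ip + l4

def read_pcap(data):
    """Yield (ts, src, dst, proto, sport, dport, length) for each IPv4 packet in the file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    linktype = struct.unpack_from("<HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link-layer captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = str(ipaddress.ip_address(frame[26:30]))
        dst = str(ipaddress.ip_address(frame[30:34]))
        l4 = frame[14 + ihl:]
        sport = dport = None
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
        yield (sec + usec / 1e6, src, dst, proto, sport, dport, incl_len)

# --- The forensic questions from the text: which protocols, which sources, when ---
def protocol_breakdown(packets):
    return Counter(p[3] for p in packets)

def classify_sources(packets, player_ips):
    """Split source addresses into the known player roster and everything else."""
    counts = Counter(p[1] for p in packets)
    known = {ip: n for ip, n in counts.items() if ip in player_ips}
    unknown = {ip: n for ip, n in counts.items() if ip not in player_ips}
    return known, unknown

def inbound_timeline(packets, server_ip):
    """Inbound packets per whole second, keyed by epoch second."""
    return dict(sorted(Counter(int(p[0]) for p in packets if p[2] == server_ip).items()))

def attack_window(timeline, baseline_pps, factor=10):
    """(first, last) second whose inbound rate exceeds factor x baseline, or None."""
    hot = [t for t, n in timeline.items() if n > baseline_pps * factor]
    return (min(hot), max(hot)) if hot else None

def analyze(pcap_bytes, player_ips, server_ip, baseline_pps):
    packets = list(read_pcap(pcap_bytes))
    known, unknown = classify_sources(packets, player_ips)
    timeline = inbound_timeline(packets, server_ip)
    return {"protocols": protocol_breakdown(packets),
            "known_sources": len(known), "unknown_sources": len(unknown),
            "unknown_packets": sum(unknown.values()),
            "window": attack_window(timeline, baseline_pps), "timeline": timeline}

# --- Constructed sample: 10 players, 6 seconds of ticks, a 2-second flood from 300 sources ---
PLAYER_IPS = {f"203.0.113.{i}" for i in range(1, 11)}
SERVER_IP = "198.51.100.10"
T0 = 1_780_000_000

def build_sample_capture():
    frames = [(T0 + 0.5, build_frame("203.0.113.1", SERVER_IP, 6, 51000, 27015))]
    for s in range(6):
        for i, ip in enumerate(sorted(PLAYER_IPS)):
            frames.append((T0 + s + i * 0.01, build_frame(ip, SERVER_IP, 17, 27005, 27015, b"tick")))
    for s in (2, 3):
        for k in range(300):
            src = f"192.0.2.{k + 1}" if k < 254 else f"198.18.0.{k - 253}"
            frames.append((T0 + s + k * 0.003,
                           build_frame(src, SERVER_IP, 17, 40000 + k, 27015, b"\x00" * 64)))
    frames.sort(key=lambda f: f[0])
    return build_pcap(frames)
```

Calling `analyze(build_sample_capture(), PLAYER_IPS, SERVER_IP, baseline_pps=10)` reports 10 roster sources against 300 unknown ones, 600 unknown packets all on UDP, and an attack window covering exactly the two flooded seconds; the same functions run unchanged on a real tcpdump file read with `open(path, "rb").read()`. The timeline is what makes the timing argument in the text concrete: the per-second counts show the onset second, and anything in the game logs that happens after it can be compared against that boundary rather than against a guess.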
Using PCAP Evidence in Match Protests
When a team files a protest after a disrupted match, the tournament organizer's ruling process should follow a structured evidence review. The PCAP provides the technical foundation for that review.
- Confirm the disruption was caused by external attack traffic. Analyze the PCAP to determine whether inbound traffic during the incident window contained anomalous volumes, protocols, or source patterns inconsistent with legitimate player traffic. If the answer is no, the disruption had a different cause (server issue, routing problem) and the protest is evaluated on different grounds.
- Establish the timeline. Determine when the attack started, when it affected gameplay, and when it ended. Correlate with game server logs to identify the exact moments when player connections were degraded or dropped.
- Assess the impact on match state. Using the timeline, determine whether the attack affected the match during a competitively significant moment (active round, objective contest, economy round) or during a neutral period (warmup, timeout, between rounds).
- Rule based on evidence. With the attack confirmed, the timeline established, and the competitive impact assessed, the organizer can make a defensible ruling: replay the affected round, restart the match, let the result stand, or apply a different remedy based on the event's rulebook.
This process transforms the ruling from an opinion into a finding of fact. Teams may disagree with the remedy, but they cannot dispute the evidence that an attack occurred when the PCAP clearly shows it.
Building Incident Reports for Sponsors and Leagues
Tournament sponsors and league organizations need to understand security incidents, but they do not need to read raw packet captures. The forensic report bridges this gap by translating PCAP evidence into a structured document that non-technical stakeholders can evaluate.
An effective incident report for sponsors should include:
- Executive summary: What happened, when, and what the impact was on the broadcast and competition. One paragraph, no jargon.
- Attack classification: The type of attack (volumetric UDP flood, amplification, application-layer), peak traffic volume, and duration. Derived directly from PCAP analysis.
- Response timeline: When the attack was detected, when mitigation was deployed, and when normal service was restored. This demonstrates operational competence.
- Impact assessment: Which matches were affected, the total downtime or degraded performance duration, and any competitive integrity implications (match replays, delayed rounds).
- Preventive measures: What changes are being implemented to prevent recurrence. This is what sponsors care about most: that the next event will not have the same problem.
For league organizations that govern multiple tournament operators, standardized incident reporting creates a body of threat intelligence. Attack patterns, timing, and infrastructure can be correlated across events to identify repeat offenders or emerging threat trends.
Legal Considerations
DDoS attacks are criminal offenses in most jurisdictions. In the United States, they violate the Computer Fraud and Abuse Act (CFAA). In the EU, the Directive on Attacks Against Information Systems provides similar criminal penalties. In the UK, the Computer Misuse Act covers DDoS as unauthorized interference with a computer system.
PCAP evidence is critical if a tournament organizer decides to pursue legal action or refer the incident to law enforcement. Raw packet captures are among the strongest forms of digital evidence because they are complete and contemporaneous records that have not been filtered, summarized, or interpreted by any system. They show exactly what the network received, byte by byte.
For legal proceedings, maintain chain of custody for PCAP files. Store captures on write-once media or in tamper-evident storage with cryptographic hashes. Document who collected the capture, when, from which interface, and using what tool. These procedural details matter in court and can determine whether the evidence is admissible.
PCAP captures are not just operational tools. They are legal evidence. Treat them with the same chain-of-custody discipline you would apply to any evidence you might present in court or to law enforcement.
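The chain-of-custody requirements listed above (hash, collector, time, interface, tool, hand-off record) fit in a small manifest kept beside the capture. The following is an added example, not code from the original article or from any product it mentions. It writes a JSON manifest next to the pcap with its SHA-256 and collection metadata, appends a hand-off entry only after re-verifying the hash, and shows the verification failing once a single byte is appended to the file. The collector name, interface and tool string are placeholders to be filled in from the real capture session; the read-only chmod is a weak stand-in for the write-once media the text recommends, and the capture bytes in `demo()` are constructed, not a real recording.

```python
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def manifest_path(pcap_path):
    return pcap_path + ".manifest.json"

def create_manifest(pcap_path, collector, interface, tool, notes=""):
    """Record who captured the file, when, on which interface and with which tool, plus its hash."""
    manifest = {
        "file": os.path.basename(pcap_path),
        "size_bytes": os.path.getsize(pcap_path),
        "sha256": sha256_file(pcap_path),
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "host": socket.gethostname(),
        "interface": interface,
        "tool": tool,
        "notes": notes,
        "custody": [],                        # hand-off log, appended to below
    }
    with open(manifest_path(pcap_path), "w") as f:
        json.dump(manifest, f, indent=2)
    os.chmod(pcap_path, 0o444)                # read-only: a weak stand-in for write-once media
    return manifest

def verify_capture(pcap_path, manifest):
    """True only if size and SHA-256 still match what was recorded at collection time."""
    return (os.path.getsize(pcap_path) == manifest["size_bytes"]
            and sha256_file(pcap_path) == manifest["sha256"])

def record_transfer(pcap_path, manifest, from_person, to_person, purpose):
    """Append a custody hand-off; refuses if the file no longer matches its manifest."""
    if not verify_capture(pcap_path, manifest):
        raise RuntimeError("capture does not match manifest; do not hand off altered evidence")
    manifest["custody"].append({"from": from_person, "to": to_person, "purpose": purpose,
                                "at": datetime.now(timezone.utc).isoformat(),
                                "sha256_at_handoff": manifest["sha256"]})
    with open(manifest_path(pcap_path), "w") as f:
        json.dump(manifest, f, indent=2)
    return len(manifest["custody"])

def demo():
    """Constructed walk-through: collect, hand off, then detect a post-collection alteration."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "match-incident.pcap")
        with open(path, "wb") as f:
            f.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 60)    # stand-in bytes, not a real capture
        m = create_manifest(path, "ops-oncall (placeholder)", "eth0 (placeholder)",
                            "tcpdump <version> (placeholder)")
        hops = record_transfer(path, m, "ops-oncall", "tournament-admin", "protest review")
        ok_before = verify_capture(path, m)
        os.chmod(path, 0o644)                              # someone undoes the read-only bit
        with open(path, "ab") as f:
            f.write(b"\x00")                               # one appended byte changes the hash
        ok_after = verify_capture(path, m)
        return ok_before, ok_after, hops
```

The manifest should be hashed and stored separately from the capture (or signed) so that an alteration cannot be hidden by rewriting both; the file-level hash proves integrity from the moment `create_manifest` ran, which is why it must be computed on the capture host immediately after the capture is closed rather than after the file has been copied around.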
Automating Forensic Capture for Every Match
The value of PCAP evidence depends entirely on having it when you need it. If you only start capturing packets after you suspect an attack, you have already missed the critical first seconds that show the attack onset and the transition from normal to anomalous traffic.
The solution is continuous capture on every match server for the duration of every match. Modern agents can run rolling packet captures that consume minimal disk space (capturing headers only, or using BPF filters to exclude game payload data while retaining protocol metadata) and automatically preserve the capture window surrounding any detected anomaly. When no anomaly occurs, the rolling buffer overwrites itself and no storage accumulates. When an attack is detected, the buffer is frozen and the capture continues until the incident ends, producing a complete forensic record with no manual intervention.
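The rolling-buffer behaviour described above (overwrite when quiet, freeze the pre-attack context on detection, keep capturing until the incident ends) is a small state machine. The following is an added example, not code from the original article or from the product it goes on to mention; it simulates the policy over constructed per-second rates rather than driving a real capture tool. Each "slice" stands in for one second of captured data (in production, one of the rotated files a ring-mode capture writes, such as tcpdump's `-C`/`-W` or `-G`/`-W` rotation). The spike factor, cooldown and baseline window are assumptions for the sample; the detail worth keeping is that rates measured during an incident never feed the baseline, so a long attack cannot raise the threshold and end its own capture early.

```python
from collections import deque
from statistics import median

class RollingCapture:
    """Ring of per-second capture slices that is frozen when the inbound rate spikes.
    Constructed simulation: the slices stand in for the rotated files a capture tool writes."""

    def __init__(self, pre_seconds=30, cooldown_seconds=5, spike_factor=10, min_threshold=50):
        self.ring = deque(maxlen=pre_seconds)       # rolling context, overwritten when quiet
        self.baseline = deque(maxlen=pre_seconds)   # recent quiet-period rates only
        self.cooldown = cooldown_seconds
        self.factor = spike_factor
        self.min_threshold = min_threshold
        self.incident = None
        self.quiet_run = 0
        self.last_anomalous = None
        self.preserved = []

    def threshold(self):
        if not self.baseline:
            return self.min_threshold
        return max(self.min_threshold, median(self.baseline) * self.factor)

    def feed(self, ts, slice_bytes, pps):
        """Deliver one second of capture data together with its inbound packet rate."""
        anomalous = pps > self.threshold()
        self.ring.append((ts, slice_bytes))
        if anomalous:
            self.last_anomalous = ts
            self.quiet_run = 0
        else:
            self.quiet_run += 1
        if self.incident is None:
            if anomalous:
                # Freeze: the pre-attack context leaves the ring and becomes part of the record.
                self.incident = {"onset": ts, "slices": list(self.ring), "peak_pps": pps}
            else:
                self.baseline.append(pps)           # attack seconds never train the baseline
            return anomalous
        self.incident["slices"].append((ts, slice_bytes))
        self.incident["peak_pps"] = max(self.incident["peak_pps"], pps)
        if self.quiet_run >= self.cooldown:         # incident over: finalise the record
            self.incident["end"] = self.last_anomalous
            self.preserved.append(self.incident)
            self.incident = None
        return anomalous

    def summary(self):
        return [{"onset": i["onset"], "end": i["end"], "seconds_retained": len(i["slices"]),
                 "bytes_retained": sum(len(b) for _, b in i["slices"]), "peak_pps": i["peak_pps"]}
                for i in self.preserved]

def simulate():
    """Constructed rate series: 30 s of quiet match traffic, a 4 s flood, 10 s of recovery."""
    cap = RollingCapture(pre_seconds=10, cooldown_seconds=3, spike_factor=10, min_threshold=50)
    rates = [40] * 30 + [5000, 9000, 9000, 7000] + [40] * 10
    for i, pps in enumerate(rates):
        cap.feed(1_780_000_000 + i, b"x" * pps, pps)   # slice size stands in for captured bytes
    return cap
```

Running `simulate().summary()` yields one preserved incident whose record spans from nine seconds before the onset through the three-second cooldown after the last anomalous second; the forty quiet seconds outside that span were overwritten in the ring and cost no storage, which is the property the text describes.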
Automatic PCAP forensics for every match. Flowtriq captures packet data continuously on every monitored node and automatically preserves full captures when an attack is detected. No manual intervention required. See how esports platforms use this for match integrity at /use-cases/esports-platforms, or start your free trial to deploy forensic-grade monitoring on your tournament servers.