The Field Guide

Lobby crashing, untangled

One phrase hides three different problems. A crash bug, a sold cheat that drops a whole lobby, and the remote-code flaws that have taken entire games offline are not the same thing. Here is how to tell them apart, where they are happening now, and what actually stops them.

Search “crashing lobbies” in any popular shooter and you get a wall of theories. Almost all of the confusion comes from one thing: three separate problems wear the same name.

Untangle them and the picture gets simple, and the fixes get obvious.

01

Three things wearing one name

When players say a lobby got “crashed,” they usually mean one of three different events, and the difference is everything.

The first is a bug. Games crash on their own, especially at launch, and a crash that costs you progress feels like an attack even when nobody attacked you. The second is a sold cheat feature. Commercial cheat sellers have openly advertised one-click tools that drop an entire lobby, pure disruption with nothing to win. The third, and the most serious, is a security flaw: a hole in the game's own code that lets a stranger crash the server, flood your connection, or in the worst cases run their own code on your machine.

A bug costs you a match. A security flaw can cost you your machine. The same three words get used for both.

02

The severity ladder

The cleanest way to read any “crash” story is to ask one question: what is actually harmed? That sorts every incident onto four rungs, from a spoiled match to a compromised computer. The fill rises with what is at stake. The colour is the reach, never a verdict about a person.

I · your match
Client crash
A malformed packet or game state crashes your own game and drops you out.
Usually a nuisance, or a momentary edge for whoever caused it.
II · the lobby
Host or server crash
A crafted input crashes the match host or server, ending it for everyone in it.
The whole lobby goes down. In an extraction mode, that can mean lost gear.
III · your connection
Network flood (DDoS)
Raw traffic overwhelms a player or a service. No flaw in the game is needed at all.
You, or everyone, knocked offline for as long as the traffic lasts.
IV · your machine
Remote code execution
A crafted packet or piece of content runs the attacker's code on your computer.
The reach extends to the machine itself, not only the match.

Most “I got crashed” stories live on the bottom two rungs. The headlines that take a game offline live on the top one. Press and forums collapse all four into the single word “DDoS,” which is why the same event gets described five different ways. Keep the ladder in mind and the noise falls away.

03

The same pattern, across very different games

Put the biggest titles side by side and the same handful of shapes keep recurring. What predicts them is not a game's size or how popular it is but how it connects players, the through-line the last entry below makes plain. A curated sample from the public record, each documented by a security firm, a CVE, or mainstream reporting:

  • Call of Duty2023 · cheat menu + worm

    A commercial cheat seller advertised a one-click “crash server” toggle that dropped an entire Warzone 2.0 lobby. Separately, the original Modern Warfare 2 (2009) was pulled offline in 2023 after a self-spreading worm exploited years-old netcode, and the same class of flaw recurred in Call of Duty: WWII in 2025.

  • Grand Theft Auto OnlineCVE-2023-24059

    A flaw in the game's peer-to-peer sessions let an attacker corrupt accounts, drain in-game money, and achieve partial remote code execution against players, even ones outside the attacker's own lobby. Rockstar shipped a security update weeks later.

  • Dark Souls III & Elden RingCVE-2022-24126

    A remote-code flaw in the games' player-versus-player code let a connecting player run code on another player's PC. FromSoftware took the Dark Souls PC servers offline for over three months, restoring them only once the fix shipped alongside Elden Ring.

  • Minecraft: Java EditionCVE-2021-44228 · Log4Shell

    A crafted chat message could trigger remote code execution through the Log4j logging library, the landmark case where a game's chat box opened onto the wider internet. Mojang shipped an emergency patch within a day.

  • Dota 2CVE-2021-38003

    Attacker-published custom game modes abused an old, unsandboxed scripting-engine flaw to run code on players' machines, including a small backdoor. Valve patched the engine and notified the affected players.

  • Counter-Strike (Source engine)2021 · Steam invites

    Memory-corruption flaws meant that a crafted Steam game invitation, or connecting to a malicious community server, could run code on the recipient's machine. Valve patched after researchers disclosed it.

  • The Cycle: Frontier2023 · shut down

    The extraction shooter closed permanently after the studio said an early flood of cheaters drove players away for good. The clearest case of cheating ending a game outright.

  • Esports & whole servicesDDoS · 2015–2025

    No game bug required, just floods. League of Legends' LCK ran pre-recorded broadcasts and built an isolated offline server after a 2024 DDoS campaign; Dota 2's The International was halted by one in 2015; and entire services have dropped, including Destiny 2, Battle.net, Final Fantasy XIV, and a large suspected attack on Steam and Riot in October 2025.

  • Fortnitethe control

    The instructive exception. Fortnite runs on authoritative dedicated servers, not peer hosting, and has no comparable host-crash or malicious-host code-execution on record. Its documented troubles are service-level DDoS and account theft. The architecture is the variable, not the size of the game.

04

Why it happens at all

Nearly every entry above comes back to one of two root causes, and Fortnite's absence from the list points straight at them.

The first is peer-to-peer hosting. In many games your machine, or another player's, runs the match instead of a server the publisher owns. That has two consequences. Everyone in the session can see everyone else's real IP address, which is all an attacker needs to flood you offline. And because your machine is processing strangers' traffic as if it were a server, any flaw in that networking code is reachable by anyone in the lobby. Your PC becomes the attack surface.

The second is code that trusts input it should not. The classic game vulnerability is a packet parser that copies attacker-controlled data into a fixed-size buffer without first checking the length. The Modern Warfare 2 server flaw (CVE-2018-10718) was exactly this: a missing bounds check in a decompression routine inherited from a decades-old engine. The same shape appears wherever a game accepts untrusted content it did not validate, a chat string, a custom game mode, a downloaded resource pack, a Steam invite.

The client is trusted with too much, or the network is left exposed. Almost every fix below is one of those two sentences, reversed.

05

How your game protects you

Architecture is the variable, so the useful question is a personal one: where does the game you play sit? Here is a sample, grouped by how the match is hosted, most protected first. Each one links to its full plate in the guide.

Relayed

Traffic runs through the publisher's backbone, so your address is never exposed to other players, and a flood hits the relay network instead of your connection. The strongest of the three.

Dedicated

The publisher hosts the match on its own servers, so no player's machine is the host and there is no peer to crash or flood. The model most competitive games have moved to.

Peer-hosted

A player's machine hosts the match. It is cheaper to run, but addresses are visible to the session and the host can be reached directly. This is where the exposure in the record above lives.

A game can run more than one model (matchmaking on relays, custom games peer-hosted), so each is listed by its default competitive mode, and models do change. Dead by Daylight moved off peer-to-peer in 2020, which is the direction the whole field has been heading.

06

What actually stops it

These defenses are well understood, and several are available off the shelf. Each one has been deployed by a real publisher with a real result.

1 Run the match on dedicated, authoritative servers

The publisher hosts the game, so no player's machine is a host to crash and no one can harvest your address from the session.

Example. Ubisoft moved For Honor off peer-to-peer to dedicated servers in 2018, ending the host-migration disruptions players had fought for a year.

2 Route traffic through a relay that hides player IPs

All traffic flows through the publisher's backbone, so real addresses are never revealed and floods hit the relay network, not a bedroom PC.

Example. Valve's Steam Datagram Relay, used in Counter-Strike and Dota 2, states plainly that “IP addresses are never revealed” and all traffic is “authenticated, encrypted, and rate-limited.”

3 Trust the server, never the client

The server holds the true game state and treats every packet as untrusted input to be validated. A client asks to move; it does not get to declare where it is. Impossible or malformed inputs are rejected instead of corrupting the match.

The practice. Standard guidance in modern netcode stacks (for example, Unity's networking docs warn that client messages come from “never to be trusted sources”). It is the single biggest defense against crash and exploit packets.

4 Harden and fuzz the netcode

Bounds-check every copy and decompression, and feed the packet handlers malformed input until they break, then fix what breaks.

Example. The Modern Warfare 2 server vulnerability (CVE-2018-10718) was a single missing length check. The fix was one line. The reason it lived for years is that nobody fuzzed the handler.

5 Put a scrubbing network in front of the servers

Absorb and filter volumetric floods at the edge, near their source, before they ever reach the game.

Example. CCP Games adopted Cloudflare's network to defend EVE Online while it was under active attack.

6 Pay researchers, and honor the reports

A bug-bounty channel turns “a stranger found a hole” into “a stranger reported a hole and we patched it.”

Example. Rockstar reports 150+ vulnerabilities closed and $85,000+ paid; Valve over $675,000 across roughly 500 issues. The cautionary half: when a publisher once dismissed a valid report and banned the researcher, he went public, which is the worse outcome.

7 Do not abandon old games

Vulnerable netcode does not age out. As long as the servers are up and people still play, the hole is live, and you still have an obligation to patch it.

Example. The original Modern Warfare 2 (2009) sat exploitable for years until a 2023 worm forced it offline.

07

So why is it not already fixed?

If the defenses are this well known, the obvious question is why every game does not use them. The honest answer is rarely ignorance of the fix. It is cost and incentive.

Peer-to-peer is nearly free for a publisher, because players supply the computers and the bandwidth. Dedicated servers are a recurring bill that grows with the playerbase and never goes away. Relays can add a network hop, though Valve's own data says they often improve ping by finding a better route. And patching a fourteen-year-old game generates almost no revenue, so the work that protects those players is pure cost with no commercial upside. For Honor only moved off peer-to-peer after the reputational damage finally outweighed the server bill.

The fix is rarely unknown. The gating factor is whether the publisher decides players are worth the line item.

How this entry is written

The Field Guide describes the public record. It does not condemn a person, and it is not a manual.

  • The record, not an accusation. Every incident here is named because a security firm, a CVE, or mainstream reporting documented it. We point at that record and stop.
  • A reference, never a how-to. We describe a vulnerability the way a security advisory does: the class of flaw and its effect. We never explain how to reproduce one.
  • Confirmed kept apart from rumor. Where a mechanism or motive was never established in public (the exact way a cheat crashed a lobby, for one), we say so rather than guess.
The practical thing
If you play
Prefer games and modes on dedicated or relayed servers; your IP is not exposed to opponents there. Do not share your address through a screen-share or a third-party voice tool mid-match. And know that a sudden disconnect right as you are winning a high-stakes round is a recognized griefing pattern, not always “bad internet.” The booter services that sell those floods are illegal to use, not only to run; international takedowns have been identifying their customers, not just their operators.
If you build
The strongest defenses are available today: relays that hide player IPs, managed dedicated hosting with built-in DDoS protection, edge scrubbing, and a real, honored bug-bounty program. The hard part is the decision, not the technology.

Want to see how a single game's trust ask and anti-cheat stack up? Each game in the guide has its own plate. Browse the games or read what the Field Guide is.

Sources
  • Grand Theft Auto Online, partial RCE and account corruption (CVE-2023-24059): NVD · BleepingComputer
  • Dark Souls / Elden Ring PvP RCE, servers offline (CVE-2022-24126): Flashpoint
  • Minecraft, Log4Shell chat-triggered RCE (CVE-2021-44228): BleepingComputer
  • Dota 2, malicious custom modes (CVE-2021-38003): Avast / Gen Digital
  • Counter-Strike / Source engine, Steam-invite and malicious-server RCE: BleepingComputer
  • Original Modern Warfare 2 (2009) self-spreading worm, taken offline: PC Gamer · netcode root cause (CVE-2018-10718): NVD
  • The Cycle: Frontier shut down after cheaters: Game Developer
  • Esports and service DDoS (LCK 2024): ONE Esports
  • Steam Datagram Relay (IP-hiding, rate-limited relay): Steamworks
  • For Honor moved to dedicated servers: Ubisoft
  • Edge DDoS mitigation, EVE Online case: Cloudflare
  • Bug-bounty programs: Valve on HackerOne
Cite this entry

Vera Project. “Lobby crashing, untangled.” Vera Field Guide (Field Note). The Vera Project. https://www.veraproject.xyz/field-guide/lobby-crashing