Disney Lorcana online sales hit by “most aggressive” attack ever seen by queue provider

Disney Lorcana’s second set fumbled its digital launch earlier this week thanks to a Distributed Denial of Service (DDoS) attack that publisher Ravensburger is now attributing to a targeted attempt to disrupt the sale of Rise of the Floodborn directly to players.

Ravensburger originally confirmed the attack on November 20th, which left players stuck in queues for several hours and unable to purchase cards from Lorcana’s followup to The First Chapter before bots and scalpers emptied the digital shelves. The company has now followed up with its plans for addressing angry fans and their empty hands.

"We at Ravensburger understand the frustration with how yesterday's website launch went, and we are committed to ensuring that future web launches can be successful,” a Ravensburger representative told Dicebreaker via email. “In the short term, we will be reallocating Rise of the Floodborn item quantities to other channels to ensure that those products are purchasable during the holiday season. In the medium and long term, we are taking all steps necessary to define a clear roadmap to ensure our future website launches are successful."

Lorcana’s digital launch would have been players’ best opportunity to purchase booster packs, starter decks and other merchandise at MSRP ahead of Rise of the Floodborn's mass retail launch on December 1st, but Ravensburger’s website infrastructure seemed to buckle under the demand. Many players doubted claims that they weren’t prepared for the launch, blaming rickety cyber security and woefully unanticipated server strain due to Rise of the Floodborn’s sheer popularity.

Queue-Fair, the platform and queue provider hired by Ravensburger to handle the launch, begs to differ. In a statement posted to social media, the company said both its systems and Ravensburger’s were targeted by “the most aggressive DDoS attack we have seen”. The provided architecture was built to handle 25 times the number of “human beings” that joined Monday’s queue, and so Queue-Fair is placing the blame squarely at the feet of extremely determined bots.

“Our automatic network-level bot protections successfully thwarted over 95% of the almost 5 million bot traffic requests from reaching our servers, prevented bots from joining the queue, prevented booths from being passed from the front of the queue to the Ravensburger site, and ensured that the orders that were placed were from real fans, not bots and scalpers, as designed,” the statement reads. “It appears that the more measures we put in place to counter the traffic, the more aggressive the attack became.”

“However, the ramp up in scale of the attack shortly after the queue opened did temporarily overload the originally provisioned cluster, and it did take us longer than we would have liked to safely and securely move the human visitors to a larger cluster capable of showing pages to all visitors while the attack was ongoing. This did result in some visitors seeing an error page for several minutes while we migrated the traffic.”

Queue-fair claims the investigation into the attack continues, though neither the platform provider nor Ravensburger confirmed a likely culprit. Nor did the publisher comment on whether this attack was at all linked to the theft and public leaking of cards from Lorcana’s unpublished third set last week. The ultra-popular TCG remains hard to find as both hungry fans and aggressive scalpers scoop up cards faster than they can hit shelves. Ravensburger has promised a second printing of The First Chapter that won’t reach the UK and Europe until 2024, so this failed digital launch feels to many like salt in an open wound.

“Lessons have been learned and moving forward we will ensure that our system is deployed for Ravensburger in a manner that protects our clients’ webservers from DDoS attacks as well as our own, ensuring a fair, secure and smooth experience for all,” Queue-fair said.