I am an avid sim racer; I enjoy both engaging in races and watching the big events. I've watched it for many years and have been sim racing myself for longer. I tend to stick to iRacing and ACC mainly, but dabble in most of the sims occasionally.
But that's enough about me; there needs to be some discussion around what happened technically over the previous weekend in the “Le Mans Virtual 24 hours”. I don't have any additional context as to what happened, nor do I have any information that is not publicly available; I'm just basing this on my technical knowledge while also trying to clear up (in my opinion) what could have been done better. I'm also not too interested in the Max Verstappen incident (though to be honest, that only came about because of this platform).
So, who are “Motorsport Games”? Well, according to their investors' website they are:
Motorsport Games, a Motorsport Network company, is a leading racing game developer, publisher and esports ecosystem provider of official motorsport racing series throughout the world.
What this means to you and me is that they buy up development studios and then buy the rights to certain events and run those events on their platform. At the moment, Motorsport Games owns rFactor 2 and KartKraft. They also currently have the licenses for “Le Mans Virtual”, “BTCC”, “NASCAR” and “IndyCar” (I'm not even going to touch that debacle…).
It's been a bit of a mystery how Motorsport Games are able to afford all these license deals considering the recent dramas surrounding them. Firstly, in December of 2022, four out of five of the board of directors stood down due to a “funding dispute”.
Before I go on discussing more technical aspects of this event, there are a couple of things that I need to get off my chest about this event in general.
The Good:
The Broadcasting: It was pretty good - I enjoyed the commentary and feel the commentators did a good job keeping it going during the huge periods of downtime (around 3 hours total, I believe). I'm sure it was really difficult to fill that time with fluff.
The Bad:
Exclusivity: This really sucked. Real world racing is ridiculously expensive. A drive in a GT3 car as a pay driver is going to be £100,000s, and that's even if you can get the chance! So we have sim racing. We get to drive these amazing machines in the virtual world against real world opponents. Sim racing is FAR more accessible to everyone. If you have a lower end computer, Assetto Corsa will absolutely still work. Have something more powerful, then you have ACC, with iRacing in between. You also have PS* and Xbox. Each has its own titles such as Forza and Gran Turismo, as well as both having ACC released on them. Then you have the hardware: you can get a cheaper Logitech wheel and pedals for around £150. There is nothing wrong with this hardware; there are many “pros” running them on iRacing and all the other sims. Which is why I have an issue with Motorsport Games running this as a single split “exclusive” event. The only people that could say they took part in this Le Mans Virtual race were those that paid the (around) £2000 entry fee.
Now let's look at the upcoming Daytona 24, which is being run on iRacing. This means that anyone that wishes to enter will get a race in their own “Official” Daytona 24H. Sure, you might not be in the top split and you might not be with the aliens, you might not be with Max Verstappen or Lando Norris…but so what! You competed in the race. You will be competing in a split with people of a similar skill level to yourself. All official. This is the inclusive attitude we should be keeping in sim racing. Don't get me wrong, I have my own issues with iRacing and their double-dipping of a subscription model and then also having to pay for cars and tracks. They have also had their own issues in the past; for example, the 2021 Daytona 24Hr was delayed by a few hours due to the massive influx of users wanting to take part (we are talking 1000s of people). But after the delay things went fine.
This is one of the sim titles I've not spent much time on, so I'm not going to give my opinion on the game itself. What I am able to form an opinion on is this “Random Disconnect” issue which plagued multiple teams during this event. I have worked in IT long enough to know that nothing is perfect, nothing is infallible and sometimes strange things do just happen. Unfortunately though, this does not seem to be the case for RF2. Looking back on the forums we can see players reporting random disconnection bugs since 2013! These are people stating that these issues started once a certain build of the game came out.
I know client side can be just as likely the culprit as the server side, but when you have multiple clients across multiple countries all dropping at the same time, well, that doesn't sound like client side to me. I was watching Jimmy Broadbent's stream for almost all of the event; his team also happened to be one of the teams dumped off the server when a total of 7 teams got dropped. This is completely on the people behind the event / platform developers.
To put the sim equivalent of the world's most prestigious and well-known race onto a platform with known disconnection issues is really quite crazy to me. But of course this all comes back to Motorsport Games; they aren't going to run something they have licensed on any other platform than the one they own.
Now onto the “Security Breach”. At the time of the event, there were rumblings of a DDoS hitting the server the event was running on. This was later claimed as untrue by the organisers (though at the same time…technically it was a DDoS). The actual reason for the security breach was that someone had accidentally leaked the address of the server on a stream and lots of people tried connecting. This same address was completely visible from the in-game server browser: (Credit for this image goes to /u/hellcat_uk on reddit)
This just absolutely stinks of incompetence. I guess you could say this was actually a DDoS - more an accidental DDoS by people maybe wanting to watch the race directly? I’d go out on a limb and say the people trying to connect likely had no ill intent. But to blame “streamers” for the issue is downright unfair. The IP was out there for anyone with the game to see. Not only that, but why do people connecting and trying to watch the race cause such an issue for the server hosting the event? We can see this machine is hosted on AWS; I'm sure Motorsport Games can afford the largest instance relevant for their use case (I'm not sure whether the server is even an intensive application).
Ignoring the things Motorsport Games could have done themselves - things like not having a publicly available lobby for the event, just simply hiding this server from the server browser, even having a special build just for this event to protect themselves if these features aren't already in the product - there is also the discussion of what they could do at an infrastructure level. Why couldn't you use allow-listing for participants? The people involved in this race are all either people within e-sports teams, successful streamers or real world racing drivers. All of these people will either have stable and high-end internet services because their jobs depend on it (e-sports folks and streamers) or they are able to afford high-end internet services because…you know…they are the current F1 WDC! I'd guess every single one of these people has a static IP. Even if they don't have static IPs, a quick chat in Discord and then a quick security group update would get them back in. It would take 2 minutes at the very most. There is a very thin line between security measures being obnoxious and intrusive and them being somewhat simple for end users to live with.
I honestly feel like something as simple as finding your public IP and getting it added to an allow-list does land quite close to the obnoxious and obtrusive line, but is also a necessary evil. Had this been in place this “DDoS” would never have happened; even leaving the server visible in the browser wouldn't have mattered. This (in my opinion) is low-hanging fruit that would have avoided all this bad press around their server security.
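An added example (not from the original post or from Motorsport Games) of the allow-list update described above: it compares a roster of participant IPs with a security group's current ingress rules and works out what to authorize and what to revoke. The protocol, port, team names and addresses are constructed placeholders; the rule dictionaries follow the IpPermissions shape used by the EC2 security group API.

```python
import ipaddress

# Assumptions (not from the post): the game server's protocol and port.
PROTO, PORT = "udp", 54297

def host_cidr(ip):
    """Normalise one participant address to a /32; refuse ranges and non-IPv4."""
    net = ipaddress.ip_network(ip, strict=False)
    if net.version != 4 or net.prefixlen != 32:
        raise ValueError(f"{ip!r}: only a single IPv4 host can be allow-listed")
    return str(net)

def open_cidrs(ip_permissions):
    """CIDRs currently allowed to the game port (exact protocol/port match only)."""
    cidrs = set()
    for perm in ip_permissions:
        key = (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort"))
        if key == (PROTO, PORT, PORT):
            cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return cidrs

def rule(ranges):
    """Wrap a list of IpRanges in one IpPermissions entry, or return [] if empty."""
    if not ranges:
        return []
    return [{"IpProtocol": PROTO, "FromPort": PORT, "ToPort": PORT, "IpRanges": ranges}]

def plan(roster, ip_permissions):
    """Return (to_authorize, to_revoke), ready for boto3's
    authorize_security_group_ingress / revoke_security_group_ingress."""
    wanted = {host_cidr(ip): team for team, ips in roster.items() for ip in ips}
    have = open_cidrs(ip_permissions)
    add = [{"CidrIp": c, "Description": wanted[c]} for c in sorted(wanted.keys() - have)]
    drop = [{"CidrIp": c} for c in sorted(have - wanted.keys())]
    return rule(add), rule(drop)

# Constructed sample: the group is open to the world and lists one known team.
CURRENT = [{"IpProtocol": "udp", "FromPort": 54297, "ToPort": 54297,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.10/32"}]}]
ROSTER = {"team-a": ["203.0.113.10"], "team-b": ["198.51.100.7"]}

if __name__ == "__main__":
    authorize, revoke = plan(ROSTER, CURRENT)
    print("authorize:", authorize)
    print("revoke:   ", revoke)
```

When a driver's address changes, editing the roster and re-running yields one rule to add and one stale rule to remove.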
But let's play devil's advocate for a minute. What if it was actually bad actors that found that IP (the one clearly visible in the in-game server browser…) and these people used a botnet to hit this server? The event was hosted on AWS, which has DDoS mitigation services; AWS is a giant with more than enough brains and capacity to soak up a DDoS. Perhaps this mitigation would need configuring to ensure legitimate traffic doesn't get caught, sure. But Motorsport Games had more than enough time to get this in place. Again, this comes down to incompetence.
I want to make sure I'm clear on this though: I am in no way blaming this on the development team; this lands squarely with management and how the event was handled. I know that development studios are under crushing timelines, I know that management prefers features over bug fixes and I know the developers are going to be absolutely gutted with how this all played out. Their hard work was on display to the thousands of people watching and unfortunately they had to watch it burn down and then get slated.
There is no way it would come as a surprise to Motorsport Games that there was potential for bad actors to disrupt their time in the limelight. We all saw what happened with the Spa 24 Hours hosted on ACC, and for those that don't know, here is a video. In response to this, Kunos did implement a way to join servers that aren't visible in the in-game server browser. The easiest and ideal solution to this!
The final point of discussion, which I have left until last mainly because this is just rumours from what I have read while digging into this, is the rain. Apparently, rain was meant to be disabled on the server due to the excessive load it adds. Again, this is just rumours and what people have heard, but apparently this was forgotten and weather changes were left enabled. It does seem like quite a coincidence that the first issues appeared only a couple of minutes after the weather changed on the server.
I think I have rambled about this subject long enough now. I'm really looking forward to the Daytona 24 coming up this weekend on iRacing and am really interested to see how it's handled. I expect to see a night and day difference, though I guess that remains to be seen. I also have a few ideas in my head around ways this could be prevented in the future outside of the standard DDoS protection and firewall rules. But I'd like to give these a thorough test before spouting nonsense.