Under the Surface of Azeroth:
A Network Baseline and Security Analysis
of Blizzard's World of Warcraft
The launcher's news display consists of a perfectly normal HTML feed over TCP port 80. If you were just looking at packets, you'd have little idea that World of Warcraft's launcher was requesting this information instead of a normal web browser.
The launcher's news display starts with DNS queries for both launcher.worldofwarcraft.com and us.version.worldofwarcraft.com:
- The IP address for us.version.worldofwarcraft.com is queried and received, but the server is not accessed until after the news is displayed. The same DNS query occurs again about 999 milliseconds later, which seems to be more than a coincidence. Once the response to that second query arrives, the version check phase begins. For some reason, the initial query is sent even though its result doesn't seem to be needed. This is a minor inefficiency, but it still contributes to network traffic and bandwidth usage.
- The results of the us.version.worldofwarcraft.com query are remarkable. Fifteen different IP addresses are returned, and they come back in a different order each time. This is common when separate redundant servers are available and the DNS server is configured for a round-robin or randomized server list. It ensures that at least one server will be available for the end user, even if a server is experiencing problems or is down for maintenance.
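The two observations above can be checked mechanically when baselining a capture. The following is an added example, not part of the original analysis: the event records, the 192.0.2.x addresses, and the function names `repeated_queries` and `classify_answers` are all constructed for illustration.

```python
from collections import defaultdict

# Constructed DNS events (not from the original capture): (time_ms, kind, name, answers).
# Addresses come from the 192.0.2.0/24 documentation range.
POOL = [f"192.0.2.{i}" for i in range(1, 16)]
EVENTS = [
    (0,    "query",    "launcher.worldofwarcraft.com",   []),
    (2,    "query",    "us.version.worldofwarcraft.com", []),
    (40,   "response", "launcher.worldofwarcraft.com",   ["192.0.2.100"]),
    (45,   "response", "us.version.worldofwarcraft.com", POOL),
    (1001, "query",    "us.version.worldofwarcraft.com", []),
    (1043, "response", "us.version.worldofwarcraft.com", POOL[6:] + POOL[:6]),
]


def repeated_queries(events, window_ms=5000):
    """Return (name, gap_ms) for each query repeated within window_ms of the previous one."""
    last_seen, repeats = {}, []
    for t, kind, name, _ in sorted(events, key=lambda e: e[0]):
        if kind == "query":
            if name in last_seen and t - last_seen[name] <= window_ms:
                repeats.append((name, t - last_seen[name]))
            last_seen[name] = t
    return repeats


def classify_answers(events):
    """Label each name by how its answer list behaves across responses."""
    seen = defaultdict(list)
    for _, kind, name, answers in sorted(events, key=lambda e: e[0]):
        if kind == "response":
            seen[name].append(tuple(answers))
    result = {}
    for name, lists in seen.items():
        same_set = len({frozenset(a) for a in lists}) == 1
        reordered = len(set(lists)) > 1
        if len(lists) < 2:
            result[name] = "single response"
        elif same_set and reordered:
            result[name] = "same set, reordered"  # round-robin or randomized list
        elif same_set:
            result[name] = "stable"
        else:
            result[name] = "set changed"  # worth a closer look in a baseline
    return result


if __name__ == "__main__":
    print(repeated_queries(EVENTS), classify_answers(EVENTS))
```

A name whose answer set changes between responses, rather than merely being reordered, is the case that deviates from the round-robin baseline described here.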




