February 12, 2014
Record-Breaking High-Speed DDoS Attack Strikes Europe
Peter Suciu for redOrbit.com - Your Universe Online
A distributed-denial-of-service (DDoS) attack on Monday reached more than 400Gbps at its peak. This is about 33 percent greater than the Spamhaus attack last year, which was the previous DDoS record holder. This massive attack exploited key vulnerabilities in the infrastructure of the Internet and has been called the “start of ugly things to come.”
In this particular attack the hackers used weaknesses in the Network Time Protocol (NTP), the protocol used to synchronize computer clocks. Through this vulnerability they were able to flood servers with huge amounts of data, and security experts warn that the technique could be used to force popular services offline.
The attack appeared to have been directed at a specific customer of content delivery network and security provider CloudFlare, which first reported the attack.
“Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year. Mitigating,” CloudFlare CEO Matthew Prince said via Twitter. “Someone’s got a big, new cannon. Start of ugly things to come.”
NTP servers are designed to keep computers synchronized to the same time, and the fundamentals of the protocol date back to 1985, when NTP began operating. Despite updates to the system it still operates much as it has since it first went online. A computer synchronizes its clock via NTP by sending a small amount of data as a request, and the server answers with a reply that sends data back.
The reported vulnerability is that the amount of data an NTP server sends back is larger than the amount it receives, so any attack built on it is instantly amplified. The other problem is that the requesting computer’s address can be “spoofed,” which tricks the NTP server into sending its reply to somewhere else.
This could result in an amplification attack, which CloudFlare explained in a blog post in early January: “Amplification attacks like that result in an attacker turning a small amount of bandwidth coming from a small number of machines into a massive traffic load hitting a victim from around the Internet. Until recently the most popular protocol for amplification attacks was DNS: a small DNS query looking up the IP address of a domain name would result in a large reply.”
CloudFlare did not identify the specific customers targeted in the attack, but Cnet reported that Prince said it was directed at servers in Europe and that “these NTP reflection attacks are getting really nasty.”
Cnet also reported that the frequency of NTP reflection attacks has grown in recent months and that a recent NTP attack was used to take down game servers hosting EA’s Origin, Blizzard’s Battle.net and League of Legends, amongst others.
US-CERT had issued a warning to companies about the growing popularity of this specific threat.
“Due to the spoofed source address, when the NTP server sends the response it is sent instead to the victim,” CERT warned. “Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim.”
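The two properties described above, a reply larger than the request and a spoofed source address that redirects the reply to the victim, leave a recognizable trace in network flow records: one host receives NTP responses from many servers it never queried. The following detection script is an added example written for this article; it is not code from CloudFlare, US-CERT or the article’s author, and the flow-record layout, the function names and the sample records are constructed for illustration.

```python
"""Flag likely NTP reflection victims in unidirectional flow records.

Added example, not from the article or from CloudFlare/US-CERT. The flow
record layout and the sample values below are constructed for illustration.
"""
from collections import defaultdict

NTP_PORT = 123

# Constructed NetFlow-style records: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    # A legitimate client: one small request out, a reply of similar size back.
    ("192.0.2.10", 50123, "203.0.113.5", NTP_PORT, "udp", 76),
    ("203.0.113.5", NTP_PORT, "192.0.2.10", 50123, "udp", 76),
    # Reflection pattern: several NTP servers send large responses to one host
    # that never sent them a request (its address was spoofed by the attacker).
    ("203.0.113.20", NTP_PORT, "198.51.100.7", 40000, "udp", 48200),
    ("203.0.113.21", NTP_PORT, "198.51.100.7", 40000, "udp", 51000),
    ("203.0.113.22", NTP_PORT, "198.51.100.7", 40000, "udp", 47500),
    # Unrelated DNS traffic that must not be counted.
    ("192.0.2.11", 53000, "203.0.113.53", 53, "udp", 64),
]


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes a reflector returns per byte the sender had to transmit."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def find_reflection_victims(flows, min_reflectors=3, min_ratio=10.0):
    """Return {victim_ip: summary} for hosts that receive far more NTP
    response bytes than they send in NTP requests, from many distinct servers.

    A host receiving replies from port 123 without having sent any request is
    the signature US-CERT describes: the request carried a spoofed source, so
    only the (larger) reply ever reaches the victim.
    """
    bytes_from_ntp = defaultdict(int)   # host -> bytes arriving from port 123
    reflectors = defaultdict(set)       # host -> distinct NTP servers replying to it
    bytes_to_ntp = defaultdict(int)     # host -> bytes it sent to port 123

    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if sport == NTP_PORT:
            bytes_from_ntp[dst] += nbytes
            reflectors[dst].add(src)
        if dport == NTP_PORT:
            bytes_to_ntp[src] += nbytes

    victims = {}
    for host, inbound in bytes_from_ntp.items():
        outbound = bytes_to_ntp.get(host, 0)
        # No outbound requests at all means an unbounded ratio.
        ratio = inbound / outbound if outbound else float("inf")
        if len(reflectors[host]) >= min_reflectors and ratio >= min_ratio:
            victims[host] = {
                "reflectors": len(reflectors[host]),
                "bytes_in": inbound,
                "bytes_out": outbound,
                "ratio": ratio,
            }
    return victims


if __name__ == "__main__":
    for ip, info in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{ip}: {info['reflectors']} reflectors, "
              f"{info['bytes_in']} bytes in, {info['bytes_out']} bytes out")
```

The thresholds (`min_reflectors`, `min_ratio`) are tuning knobs, not fixed values from the article; a legitimate client that polls a handful of servers sends and receives packets of similar size, so it stays far below the ratio. The same byte-ratio logic, run on an NTP server’s own outbound traffic, tells an operator whether their server is being used as a reflector and answering requests with replies much larger than the queries.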
CloudFlare warned of impending NTP attacks in a report published last October and detailed how web hosts could best work to protect customers.
CloudFlare offers services that protect websites and their users by placing an extra layer of digital defense between a site and its visitors; this includes caching sites so that visitors’ web content loads more quickly. Its services are so popular and deliver so many page views per month that if it were an actual website it would be the 10th largest in the world.
However, last year CloudFlare suffered a server crash that resulted in more than 785,000 websites experiencing an outage.