A record-breaking distributed denial-of-service (DDoS) attack Monday peaked at 400 Gbit/s, which is about 100Â Gbit/s more than the largest previously seen DDoS attack.
DDoS defense firm CloudFlare disclosed the attack — against one of its customers — Monday. “Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year, tweeted CloudFlare CEO Matthew Prince, referring both to attacks that target vulnerabilities in the Network Time Protocol, as well as the March 2013 DDoS attack against Spamhaus, which peaked at a record-breaking 300 Gbit/s.
Prince said Monday’s attack caused trouble “even off our network,” suggesting that some upstream service providers — particularly in Europe — may have experienced slowdowns.
“Someone’s got a big, new cannon. Start of ugly things to come,” Prince tweeted. “These NTP reflection attacks are getting really nasty,” he added.
Who was the target of the attack? Prince declined to disclose the name of the CloudFlare customer being targeted, saying that unlike the attack against Spamhaus, his company didn’t have permission to name names.
CloudFlare’s assessment of the attack bandwidth appeared to be validated by Oles Van Herman, the head of French hosting firm OVH.com, who reported via Twitter that his company was seeing a DDoS attack with a bandwidth “far beyond” 350 Gbit/s. He confirmed that IP addresses involved in the DDoS attack — which according to one report first began Friday — traced back to his firm’s network, but noted, “Our network is the victim, not the source.”
Van Herman’s statement suggests that attackers spoofed the OVH.com IP address — as part of their record-breaking attack against a CloudFlare customer — which squares with how reflection attacks work. “A reflection attack works when an attacker can send a packet with a forged source IP address,” according to an overview of NTP reflection attacks published by CloudFlare programmer John Graham-Cumming. “The attacker sends a packet apparently from the intended victim to some server on the Internet that will reply immediately. Because the source IP address is forged, the remote Internet server replies and sends data to the victim.”
Many reflection attacks previously targeted domain name system (DNS) servers. But lately, attackers have also begun to target NTP, which — like DNS — “is a simple UDP-based protocol that can be persuaded to return a large reply to a small request,” said Graham-Cumming.
Monday’s record-breaking DDoS attack isn’t the first time that large reflection attacks have been seen in the wild. According to a threat report released last month by DDoS defense firm Black Lotus, while HTTP and HTTPS attacks — including SYN floods, ACK floods, and application-layer attacks — remain the dominant type of DDoS attacks seen in the wild, “distributed reflection denial of service (DrDoS) attacks began to gain ground moving into 2014,” and were being used to support “huge volumetric attacks exceeding 100Â Gbit/s in volume.”
Launching a reflection attack isn’t difficult, especially if the attacker taps a toolkit such as DNS Flooder v1.1, which DDoS defense firm Prolexic said first appeared on underground hacking forums about six months ago. In a threat report released Tuesday, the company warned that the DNS-attack toolkit has since been used to launch a number of reflection attacks, with some successfully amplifying the initial attack bandwidth by a factor of 50.
“This toolkit uses a unique method where attackers assign DNS servers with arbitrary names and utilize them as reflectors,” according to Prolexic’s report. “This new technique allows malicious actors to purchase, set up, and use their own DNS servers to launch reflection attacks, without the need to find open and vulnerable DNS servers on the Internet.”
But most DDoS attackers still rely on blended attacks, which gives them a better chance “to find weaknesses in the target’s defenses and to confuse security engineers who may be trying to mitigate the attack,” according to the Black Lotus report.
The number of DDoS attacks that included NTP reflection-attack techniques increased substantially after January 2, when US-CERT released vulnerability advisory CVE-2013-5211, detailing a network time protocol daemon (ntpd) bug that can be exploited to launch DDoS reflection attacks. “Specifically, an attacker can send a spoofed monlist command to a vulnerable ntpd which will respond to the victim at an amplification factor of 58.5,” according to Black Lotus. The firm said that beginning in early January, it saw “a massive shift in the tactics used by attackers,” when they began tapping the NTP vulnerability en masse.
How can businesses better prevent their servers from being used — or abused — by DDoS attackers who target NTP vulnerabilities? “As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publically accessible to at least 4.2.7,” according to the US-CERT advisory. “However, in cases where it is not possible to upgrade the version of the service, it is possible to disable the monitor functionality in earlier versions of the software.”
To further help lock down vulnerable systems, research firm Team Cymru has released secure NTP templates for Cisco IOS, Juniper Junos, and Unix. In addition, the NTP Scanning Project provides a free service to scan any server for NTP vulnerabilities.