CloudFlare said that the attack was close to 400Gbps in size, making it bigger than last year’s DDoS attack against anti-spam outfit Spamhaus, which was measured at just over 300Gbps.
Confidentiality stopped CloudFlare from revealing the identity of the customer under attack, and there were few details on how many other companies had been affected. The DDoS attack did, however, seem to pose a bigger threat to European networks, with French hosting outfit OVH later reporting that it had fended off a 350Gbps attack. It’s not known if the same attacker was responsible.
Company CEO Matthew Prince responded to the news by saying on Twitter that “someone’s got a big, new cannon” and the attack was the “start of ugly things to come”.
While the size of this attack is likely to draw the headlines, it’s worth noting that hackers carried out the DDoS attack by using NTP reflection and amplification techniques, which are increasingly common for overwhelming target servers by sending more data packets than switches can support.
The attack technique has been seen in relatively recent hacks against online gaming services like Steam, League of Legends and Battle and essentially aims to push big traffic to the target’s Network Time Protocol (NTP) server.
In this instance, attackers used NTP reflection to exploit a weakness in NTP, a UDP-based protocol used to synchronise clocks on machines over the Internet. The hackers then spoofed the IP address of the target, and sent DNS queries to open DNS resolvers that will answer requests from anywhere. As a result, overwhelming levels of traffic were sent back to the NTP server. CloudFlare has a detailed blog post on NTP reflection attacks.
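The reflection pattern described above shows up in flow data as a host receiving large volumes of UDP/123 response traffic from many NTP servers without ever having sent matching requests. The following is an added example, not code from the article or from CloudFlare, that flags such hosts in a constructed set of flow records (all addresses are hypothetical documentation ranges):

```python
# Added example: flag hosts that look like victims of NTP reflection, i.e. they
# receive far more UDP/123 response bytes than they ever sent as NTP requests,
# and those responses come from several distinct NTP servers.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    bytes: int


# Constructed sample flows (hypothetical addresses). 203.0.113.10 sends two
# normal NTP requests and gets small answers; 198.51.100.7 never sends a
# request but is hit by large replies from three different NTP servers.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 40001, "192.0.2.1", 123, "udp", 48),
    Flow("192.0.2.1", 123, "203.0.113.10", 40001, "udp", 48),
    Flow("203.0.113.10", 40002, "192.0.2.2", 123, "udp", 48),
    Flow("192.0.2.2", 123, "203.0.113.10", 40002, "udp", 48),
    Flow("192.0.2.1", 123, "198.51.100.7", 80, "udp", 48200),
    Flow("192.0.2.2", 123, "198.51.100.7", 80, "udp", 45600),
    Flow("192.0.2.3", 123, "198.51.100.7", 80, "udp", 46000),
]


def ntp_reflection_victims(flows, min_ratio=10.0, min_reflectors=2):
    """Return {victim_ip: (bytes_received, bytes_sent, reflector_count)}.

    A host is flagged when the NTP response bytes it receives exceed the NTP
    request bytes it sent by min_ratio and come from at least min_reflectors
    distinct NTP servers.
    """
    sent = defaultdict(int)        # bytes each host sent to port 123
    recv = defaultdict(int)        # bytes each host received from port 123
    reflectors = defaultdict(set)  # NTP servers answering each host
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == 123:
            sent[f.src] += f.bytes
        if f.sport == 123:
            recv[f.dst] += f.bytes
            reflectors[f.dst].add(f.src)
    victims = {}
    for host, got in recv.items():
        ratio = got / max(sent[host], 1)  # a host that sent nothing gets a huge ratio
        if ratio >= min_ratio and len(reflectors[host]) >= min_reflectors:
            victims[host] = (got, sent[host], len(reflectors[host]))
    return victims
```

Running `ntp_reflection_victims(SAMPLE_FLOWS)` flags only 198.51.100.7; the thresholds are starting points and should be tuned against the normal NTP baseline of the monitored network.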
Martin McKeay, senior security advocate at Akamai Technologies, told SCMagazineUK.com that this method of attack troubles unpatched DNS servers, and said that it is attractive to attackers because it can reflect huge traffic back to the target. He added that it’s also favourable to the attacker because UDP is “easily spoofed” and because it’s hard for victims to see who is behind the intrusion.
“The main reason for using NTP as an attack tool is that it increases traffic by 100 or 200 percent. It’s a great reflection index and makes for a very effective tool if you’re an attacker.
“At 400Gbps, it’s conceivable that the attack is being run by a small botnet outputting 20Gbps to 30Gbps of traffic,” he added.
McKeay, and other industry commentators, have advised IT administrators to patch and upgrade their NTP servers in light of this attack, although the Akamai exec admitted that some may assume that NTP servers are safe.
“NTP servers are often stable and so haven’t often been looked at before. [IT departments] are having to now.”
IT administrators are advised, in light of this attack, to patch and upgrade their NTP servers and to check management rights.
Speaking recently to SCMagazineUK.com, Visiting Professor John Walker, of Nottingham Trent University, warned that DDoS attacks will continue to be a big threat in 2014, and added that, since company divisions struggle to get their heads around the issue, the firm itself struggles to establish an effective defence strategy.
“Since they see the issue solely from their perspective, they cannot hope to develop an effective strategy to deal with this security problem,” he said at the time.
A previously unknown division of the UK Government was recently accused of launching DDoS attacks against hacktivism groups such as Anonymous and LulzSec, while a report from the end of last year revealed that most UK companies ignore DDoS threats.