October 11, 2016
Yesterday we saw a distributed denial-of-service attack targeting a client of the content delivery network Cloudflare. It reached new highs in malicious traffic today, striking at the company’s data centers in Europe and the US; the full volume of the attack exceeded 400 gigabits per second, making it the largest DDoS attack ever recorded. A group calling itself DERP Trolling perpetrated the attack using Network Time Protocol (NTP) reflection: it sent requests with forged source addresses to NTP servers, which then sent a flood of replies back at the targeted sites. Reflection attacks have been a mainstay of DDoS tools and botnets, but the use of NTP in such attacks is new. Last year’s attack on Spamhaus, which previously held the record for the largest DDoS ever, used a Domain Name System (DNS) reflection attack, a much more common approach that takes advantage of the Internet’s directory service: the attacker forges DNS lookup requests so that they appear to come from the intended target and sends them to scores of open DNS resolvers. The traffic those resolvers direct back at the target is far larger than the requests that triggered it, which is why the technique is often called a DNS amplification attack. By comparison, an ordinary NTP time request draws only a small response. But while efforts to prevent DNS amplification attacks have reduced the number of open DNS resolvers available to attackers, there are over 3,000 active public time servers configured to reply to NTP requests, as well as many more time servers on smaller networks that may be open to outside requests. To make things worse, a recently disclosed weakness in NTP allows amplification attacks similar to those previously performed with DNS: it exploits a monitoring command in the protocol called “monlist” that returns the IP addresses of the last 600 devices that connected to the server.
These requests, sent in packets whose source address is forged to be the victim’s, unleash a torrent of data at the targeted site, because a single small query is answered with the entire list, spread over many response packets. Like DNS reflection attacks, NTP attacks can be blunted by network operators: firewalls can block NTP queries from outside the network, ntpd’s “restrict default noquery” directive refuses mode 6 and mode 7 queries such as monlist (ntpd 4.2.7p26 and later disable monlist altogether), and source-address validation at the network edge (BCP 38) stops the forged packets from leaving the attacker’s network in the first place.
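The following added example is the editor’s illustration of the mechanism described above; it is not code from the original article, from Cloudflare or from the attackers. It builds the 8-byte mode-7 monlist probe, parses mode-7 responses using the packet layout from ntpd’s ntp_request.h (struct req_pkt and struct info_monitor_1), flags probes in UDP/123 payloads for detection, and estimates the on-wire amplification for a fully populated 600-entry list. The figure of six entries per response packet and the 28-byte IPv4/UDP header overhead are assumptions; the client list and responses are constructed, and nothing is sent over the network. The parser can be pointed at a response captured from your own server to check whether it still answers monlist.

```python
"""Mode-7 NTP "monlist" probe, response parser and amplification estimate.

Added example (not code from the article or from ntpd).  Packet layout
follows ntpd's ntp_request.h; the sample client list is constructed.
"""
import struct

# 8-byte mode-7 header: rm_vn_mode, auth_seq, implementation, request,
# err(4)|nitems(12), mbz(4)|itemsize(12); all fields big-endian.
HDR = struct.Struct("!BBBBHH")
RESP_BIT, MORE_BIT = 0x80, 0x40
RM_VN_MODE_REQ = 0x17          # version 2, mode 7, request (response bit clear)
IMPL_XNTPD = 3
REQ_MON_GETLIST = 20           # older variant of the same query
REQ_MON_GETLIST_1 = 42
# struct info_monitor_1: lasttime, firsttime, restr, count, addr, daddr, flags,
# port, mode, version, v6_flag, unused1, addr6, daddr6  (72 bytes)
MON_ENTRY = struct.Struct("!IIIIIIIHBBII16s16s")
ENTRIES_PER_PKT = 6            # assumption: ntpd fits 6 * 72 = 432 bytes per packet
UDP_IP_OVERHEAD = 28           # assumption: IPv4 (20) + UDP (8) headers on the wire


def ip4(n):
    return ".".join(str((n >> s) & 0xff) for s in (24, 16, 8, 0))


def build_monlist_request(seq=0):
    """The 8-byte probe an unrestricted ntpd answers with its monitor list."""
    return HDR.pack(RM_VN_MODE_REQ, seq & 0x7f, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def is_monlist_probe(payload):
    """Detection check for a UDP/123 payload: mode-7 MON_GETLIST(_1) request."""
    return (len(payload) >= HDR.size
            and (payload[0] & 0x87) == 0x07          # mode 7, not a response
            and payload[2] == IMPL_XNTPD
            and payload[3] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1))


def build_monlist_response(entries, more=False, seq=0):
    """Constructed server side: one response packet with up to 6 monitor entries.
    entries: (remote_ip_int, local_ip_int, count, port, mode, version) tuples."""
    entries = list(entries)
    if len(entries) > ENTRIES_PER_PKT:
        raise ValueError("at most %d entries per packet" % ENTRIES_PER_PKT)
    rm = RM_VN_MODE_REQ | RESP_BIT | (MORE_BIT if more else 0)
    hdr = HDR.pack(rm, seq & 0x7f, IMPL_XNTPD, REQ_MON_GETLIST_1,
                   len(entries), MON_ENTRY.size)
    body = b"".join(
        MON_ENTRY.pack(0, 0, 0, count, raddr, laddr, 0, port, mode, ver,
                       0, 0, b"\0" * 16, b"\0" * 16)
        for raddr, laddr, count, port, mode, ver in entries)
    return hdr + body


def parse_monlist_response(pkt):
    """Parse one mode-7 response; returns (more_follows, [(remote, local,
    count, port, mode, version), ...]).  Raises ValueError on anything else."""
    if len(pkt) < HDR.size:
        raise ValueError("short packet")
    rm, _seq, impl, req, err_nitems, mbz_size = HDR.unpack_from(pkt)
    if (rm & 0x07) != 7 or not rm & RESP_BIT:
        raise ValueError("not a mode-7 response")
    if impl != IMPL_XNTPD or req != REQ_MON_GETLIST_1:
        raise ValueError("not a MON_GETLIST_1 response")
    if err_nitems >> 12:                      # non-zero error nibble: query refused
        raise ValueError("server error %d" % (err_nitems >> 12))
    nitems, size = err_nitems & 0x0fff, mbz_size & 0x0fff
    if size != MON_ENTRY.size:
        raise ValueError("unexpected item size %d" % size)
    if len(pkt) < HDR.size + nitems * size:
        raise ValueError("truncated response")
    out = []
    for i in range(nitems):
        f = MON_ENTRY.unpack_from(pkt, HDR.size + i * size)
        out.append((ip4(f[4]), ip4(f[5]), f[3], f[7], f[8], f[9]))
    return bool(rm & MORE_BIT), out


def amplification(request, responses, overhead=UDP_IP_OVERHEAD):
    """Bandwidth amplification factor on the wire: bytes reflected per byte sent."""
    sent = len(request) + overhead
    reflected = sum(len(r) + overhead for r in responses)
    return reflected / sent


def full_monlist_amplification(n_clients=600):
    """Amplification of one probe against a server holding n_clients entries
    (constructed list; 600 is the maximum the article describes)."""
    req = build_monlist_request()
    clients = [(0x0a000000 + i, 0xc0a80001, 1 + i, 123, 3, 4) for i in range(n_clients)]
    pkts = [build_monlist_response(clients[i:i + ENTRIES_PER_PKT],
                                   more=i + ENTRIES_PER_PKT < n_clients)
            for i in range(0, n_clients, ENTRIES_PER_PKT)]
    return amplification(req, pkts)


if __name__ == "__main__":
    print("probe:", build_monlist_request().hex())
    print("amplification for a full 600-entry monlist: %.0fx" % full_monlist_amplification())
```

Under the stated assumptions the 36-byte probe (8 bytes of payload plus headers) draws 100 packets of 468 bytes, an amplification factor of 1300; the exact figure on a real server depends on how full its monitor list is, which is one more reason to disable the query rather than rely on the list being short.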