Attackers use NTP reflection in huge DDoS attack

The attack peaked at over 400Gbps according to CloudFlare, the company whose infrastructure was targeted

Attackers abused insecure Network Time Protocol servers to launch what appears to be one of the largest DDoS (distributed denial-of-service) attacks ever, this time against the infrastructure of CloudFlare, a company that operates a global content delivery network.

The attack was revealed Monday on Twitter by Matthew Prince, CloudFlare's CEO, who said that it's "the start of ugly things to come" because "someone's got a big, new cannon."

The size of the attack appears to have been just shy of 400Gbps, ranking it among the largest DDoS attacks CloudFlare has seen, Prince said Tuesday via email, adding that the company is still gathering data about the incident from upstream providers.

The attack could be larger than the one last March against Spamhaus, a spam-fighting organization and CloudFlare customer whose website was hit by a 300Gbps DDoS attack, which was considered to be the largest in history at the time. CloudFlare reported then that it caused congestion at critical Internet exchange nodes in Europe. However, other companies later challenged the reported impact.

The new attack Monday used a technique called NTP reflection that involves sending requests with spoofed source IP addresses to NTP servers with the intention of forcing those servers to return large responses to the spoofed addresses instead of the real senders.

The attack was directed at a CloudFlare user, Prince said, but he declined to disclose any additional details about the customer citing the company's policy.

The DDoS traffic hit CloudFlare's data centers worldwide, but only caused temporary congestion on the company's network in Europe, he said.

There is also some anecdotal evidence that there were congestion issues in other parts of the Internet infrastructure that are not directly related to CloudFlare, but nothing definitive, he said. "The most likely place that slowness would have been observed is across European peering exchanges. However, our team moved quickly to take traffic off exchanges in order to minimize collateral damage."

Shortly after Prince revealed the attack on Twitter, Octave Klaba, the founder and CEO of large French hosting provider OVH, reported that his company's network had also been hit for hours Monday with a DDoS attack that far exceeded 350Gbps.

It's not clear if the attack against OVH also used NTP reflection or if it's related to the attack against CloudFlare.

"I would suspect they were likely related due to the similar timing and scale," Prince said. "However, I don't have direct evidence of that."

OVH did not immediately respond to a request for comment.

NTP is just one of several protocols that can be abused to amplify DDoS attacks. Two others are DNS (Domain Name System) and SNMP (Simple Network Management Protocol).

What these protocols have in common is that they allow a relatively small query to generate a large response and, because they run over UDP (User Datagram Protocol), are vulnerable to source IP spoofing unless certain precautions are taken.

Instead of hitting a target's IP address directly with traffic generated by a botnet with a combined bandwidth of, say, 10Gbps, attackers could use the botnet to send spoofed queries to a list of open DNS or NTP servers. Those queries could be crafted to appear as if they came from the victim's IP address and could trigger large responses from those servers to that address.

In the case of DNS reflection, the amplification factor is 8x, meaning attackers could generate eight times more traffic than they would normally be able to generate with their botnet. However, in the case of NTP and SNMP reflection it can be over 200x and 650x, respectively, CloudFlare said in a blog post in January.
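The traffic pattern described above can be recognised from flow records on either end of the exchange. The following Python script is an added example, not code from the article or from CloudFlare: it runs two checks over constructed flow records, one from a victim's network edge (many NTP servers answering a host that never queried them, with packets far larger than clock synchronisation produces) and one from an NTP server operator's side (a "client" that receives hundreds of times more bytes than it sends, which is what a spoofed victim looks like to the reflector). The flow fields, thresholds and packet sizes are assumptions chosen for illustration, not measured data.

```python
"""Spot NTP reflection traffic in flow records, from two vantage points.

Added example, not code from the article or from CloudFlare. Flow records,
thresholds and packet sizes below are constructed assumptions.
"""
from collections import defaultdict

NTP_PORT = 123
# Illustrative thresholds (assumptions): tune to the network being monitored.
MIN_REFLECTORS = 5        # distinct NTP servers all answering the same host
MIN_AVG_PKT_BYTES = 200   # ordinary clock-sync packets are far smaller than this
MIN_AMPLIFICATION = 50.0  # bytes a server sends a "client" vs. bytes it receives from it

# Constructed flows as a victim's edge router would export them (all UDP).
VICTIM_SIDE_FLOWS = [
    # a normal sync exchange: small request, small reply
    {"src": "192.0.2.10", "sport": 41234, "dst": "198.51.100.5", "dport": NTP_PORT, "pkts": 1, "bytes": 76},
    {"src": "198.51.100.5", "sport": NTP_PORT, "dst": "192.0.2.10", "dport": 41234, "pkts": 1, "bytes": 76},
] + [
    # six NTP servers each sending 100 large packets to 192.0.2.20, which never queried them
    {"src": f"203.0.113.{i}", "sport": NTP_PORT, "dst": "192.0.2.20", "dport": 55555, "pkts": 100, "bytes": 48200}
    for i in range(1, 7)
]

# Constructed flows as the operator of NTP server 198.51.100.5 would see them.
SERVER_SIDE_FLOWS = [
    {"src": "192.0.2.10", "sport": 41234, "dst": "198.51.100.5", "dport": NTP_PORT, "pkts": 1, "bytes": 76},
    {"src": "198.51.100.5", "sport": NTP_PORT, "dst": "192.0.2.10", "dport": 41234, "pkts": 1, "bytes": 76},
    # 20 small requests carrying a spoofed source address, answered with 2000 large packets
    {"src": "192.0.2.20", "sport": 55555, "dst": "198.51.100.5", "dport": NTP_PORT, "pkts": 20, "bytes": 4680},
    {"src": "198.51.100.5", "sport": NTP_PORT, "dst": "192.0.2.20", "dport": 55555, "pkts": 2000, "bytes": 964000},
]


def find_reflection_victims(flows):
    """Victim side: hosts receiving large, unsolicited NTP replies from many servers."""
    asked = {(f["src"], f["dst"]) for f in flows if f["dport"] == NTP_PORT}
    per_host = defaultdict(lambda: {"servers": set(), "pkts": 0, "bytes": 0, "unsolicited": 0})
    for f in flows:
        if f["sport"] != NTP_PORT:
            continue
        h = per_host[f["dst"]]
        h["servers"].add(f["src"])
        h["pkts"] += f["pkts"]
        h["bytes"] += f["bytes"]
        if (f["dst"], f["src"]) not in asked:   # reply with no matching outbound request
            h["unsolicited"] += f["pkts"]
    findings = []
    for host, h in per_host.items():
        avg = h["bytes"] / h["pkts"]
        if len(h["servers"]) >= MIN_REFLECTORS and avg >= MIN_AVG_PKT_BYTES and h["unsolicited"]:
            findings.append({"victim": host, "reflectors": len(h["servers"]),
                             "avg_pkt_bytes": round(avg, 1), "unsolicited_pkts": h["unsolicited"]})
    return findings


def find_abused_clients(flows, server_ip):
    """Server side: 'clients' that get back far more bytes than they send (spoofed victims)."""
    rx = defaultdict(int)
    tx = defaultdict(int)
    for f in flows:
        if f["dst"] == server_ip and f["dport"] == NTP_PORT:
            rx[f["src"]] += f["bytes"]
        elif f["src"] == server_ip and f["sport"] == NTP_PORT:
            tx[f["dst"]] += f["bytes"]
    suspects = []
    for client, sent in tx.items():
        received = rx.get(client, 0)
        ratio = sent / received if received else float("inf")
        if ratio >= MIN_AMPLIFICATION:
            suspects.append({"client": client, "bytes_sent": sent,
                             "ratio": round(ratio, 1) if received else ratio})
    return sorted(suspects, key=lambda s: s["bytes_sent"], reverse=True)


if __name__ == "__main__":
    for v in find_reflection_victims(VICTIM_SIDE_FLOWS):
        print("reflection target:", v)
    for s in find_abused_clients(SERVER_SIDE_FLOWS, "198.51.100.5"):
        print("server abused as reflector against:", s)
```

On the constructed data the victim-side check flags 192.0.2.20 (six reflectors, roughly 482 bytes per packet, every packet unsolicited) and the server-side check reports a byte ratio of about 206x for the same address, in the range the article quotes for NTP. The server-side view is the one an operator of a public NTP server can act on before a victim ever complains.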

DNS reflection was commonly used in DDoS attacks last year, including in the attack against Spamhaus, prompting calls from Internet infrastructure groups and security researchers to organizations to identify and secure their DNS servers against this type of abuse.

SNMP reflection attacks are relatively rare, because the protocol is usually used with authentication and there are few open SNMP servers on the Internet, CloudFlare said in its January blog post.

However, NTP servers that are vulnerable to reflection attacks are apparently not that rare, and attackers have caught on to this. NTP servers are used by computers and other devices to synchronize their clocks, so many of them are publicly accessible.

Security vendor Symantec reported in December that it observed a spike in the number of NTP reflection attacks. Then in early January the same technique was used to attack online gaming servers.

"NTP contains a command called monlist (or sometimes MON_GETLIST) which can be sent to an NTP server for monitoring purposes," CloudFlare explained in January. "It returns the addresses of up to the last 600 machines that the NTP server has interacted with. This response is much bigger than the request sent making it ideal for an amplification attack."

Organizations can use the Open NTP Project to identify vulnerable NTP servers in their IP address ranges and can follow instructions provided by security research outfit Team Cymru to secure them on different OSes.

The U.S. Computer Emergency Response Team recommends updating NTP servers to at least ntpd (Network Time Protocol daemon) version 4.2.7, which addresses the monlist issue by default. Older versions need to be manually configured to restrict the functionality.
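For an older ntpd where the functionality must be restricted by hand, the relevant ntp.conf directives are `restrict default ... noquery` (refuse mode 6/7 queries, which includes monlist, from any address) and `disable monitor` (turn off the monitoring facility whose data monlist returns). The following Python script is an added example, not from the article, Team Cymru or US-CERT: it embeds a constructed weak configuration beside a hardened one and audits a config for monlist exposure, including the partial case where only one address family is restricted. The two configs are constructed; the directive names are standard ntpd keywords.

```python
"""Audit an ntp.conf for monlist exposure on pre-4.2.7 ntpd.

Added example, not from the article, Team Cymru or US-CERT. The two configs
are constructed; the directives (restrict ... noquery, disable monitor) are
standard ntpd keywords.
"""

WEAK_CONF = """\
# constructed: a typical pre-4.2.7 ntp.conf that serves time to everyone and
# still answers mode 6/7 queries such as monlist from any address
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
server 1.pool.ntp.org
restrict 127.0.0.1
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
server 1.pool.ntp.org
# serve time only: noquery refuses mode 6/7 queries (monlist included),
# nomodify/notrap/nopeer refuse runtime changes and peering from anyone
restrict default kod nomodify notrap nopeer noquery
# repeat for IPv6 on ntpd versions whose plain "default" covers only IPv4
restrict -6 default kod nomodify notrap nopeer noquery
# also switch off the monitor facility whose data monlist returns
disable monitor
restrict 127.0.0.1
restrict -6 ::1
"""


def monlist_exposed(conf_text):
    """True if nothing in the config stops arbitrary hosts from issuing monlist."""
    monitor_disabled = False
    covered = set()   # address families whose default restriction blocks queries
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "disable" and "monitor" in tokens[1:]:
            monitor_disabled = True
        elif tokens[0] == "restrict":
            families = {"ipv4", "ipv6"}      # plain "default" is taken to cover both
            if "-4" in tokens:
                families = {"ipv4"}
            if "-6" in tokens:
                families = {"ipv6"}
            args = [t for t in tokens[1:] if t not in ("-4", "-6")]
            # "ignore" drops every packet from matching hosts, so it also blocks monlist
            if args and args[0] == "default" and ({"noquery", "ignore"} & set(args[1:])):
                covered |= families
    return not (monitor_disabled or covered == {"ipv4", "ipv6"})


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name} config: monlist exposed = {monlist_exposed(conf)}")
```

The audit treats a config as safe only when the monitor facility is off or the default restriction refuses queries for both IPv4 and IPv6; a `restrict -4 default noquery` line on its own still leaves the server reachable over IPv6. It is a static check of the file, so an administrator should confirm the running daemon picked up the change after a restart.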

Stories by Lucian Constantin