Monster NTP DDoS attack was too easy, complains CloudFlare CEO

OVH's own NTP servers used in attack

This week's gigantic DDoS attack on mitigation firm CloudFlare was made possible by weak configuration of a relatively small number of NTP servers, including some inside the intended target, the firm's co-founder and CEO Matthew Prince has complained.

At the time of Monday's attack, CloudFlare restricted its comments to a simple notification by Prince on Twitter in which he said, "someone's got a big, new cannon," leaving other firms to speculate on the details.

Rival mitigation firm Arbor Networks' Atlas system detected the attack on CloudFlare customer OVH, a French hosting firm, as peaking at around 325Gbps, slightly larger than last March's DNS reflection attack on Spamhaus.

In a new blog post, CloudFlare has now confirmed that the attack ended up at around 400Gbps, making it the largest single DDoS attack in history, before going on to complain about the modest resources necessary to cause the deluge.

According to CloudFlare's CEO, the attack exploited only 4,529 NTP servers on 1,298 different networks, each server generating an average of 87Mbps of traffic. For comparison, the Spamhaus attack corralled 31,000 DNS servers, seven times as many, to generate a lower amount of traffic.

"Remarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests," said Prince.

To ram home the point, the firm has published a spreadsheet of the networks involved with the number of NTP servers involved from each. Ridiculously, this also includes 114 servers from the French firm OVH, the target of the attack; OVH's own infrastructure was being used to attack it through CloudFlare.

"If you're a network administrator and on Monday you saw network graphs like the one in the Tweet below [see below] then you are running a vulnerable NTP server," chided Prince.

The culprit in the NTP attacks was the obscure 'monlist' command that summons a list of the last 600 IP addresses to connect to the NTP server, which on its own can generate a traffic response over 200 times that of the request. "The command seems of such little practical use," wrote an exasperated Prince.

This is precisely the server weakness US-CERT and others warned of in mid-January under CVE-2013-5211: the monlist function is enabled by default in all versions of the Network Time Protocol daemon (NTPd) prior to version 4.2.7. The function can be disabled through configuration, which is presumably CloudFlare's intention in publicising the servers used in the attack.
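An added illustration for network administrators (it is not code from CloudFlare or from this article): it decodes the NTP mode-7 header that monlist uses, tallies a constructed monlist exchange to show where a figure of roughly 200x comes from, and checks an ntp.conf for the settings that switch monlist off. Assumptions: ntpd answers monlist with six 72-byte entries per 440-byte packet, an unauthenticated ntpdc request is 192 bytes, and each packet carries 42 bytes of Ethernet, IPv4 and UDP framing.

```python
import struct

MODE_PRIVATE = 7          # NTP mode 7 ("private") carries ntpdc requests such as monlist
REQ_MON_GETLIST_1 = 42    # request code of the monlist query
MON_ITEM_SIZE = 72        # bytes per host entry in a MON_GETLIST_1 response (assumed)
ITEMS_PER_PACKET = 6      # entries ntpd fits in one response packet (assumed)
FRAME_OVERHEAD = 42       # assumed Ethernet 14 + IPv4 20 + UDP 8 bytes per packet

def parse_mode7(payload):
    """Decode the 8-byte mode-7 header; return None for anything that is not mode 7."""
    if len(payload) < 8:
        return None
    rm_vn_mode, _auth_seq, _impl, req, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", payload[:8])
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        return None
    return {"response": bool(rm_vn_mode & 0x80), "more": bool(rm_vn_mode & 0x40),
            "request_code": req, "nitems": err_nitems & 0x0FFF, "itemsize": mbz_itemsize & 0x0FFF}

def monlist_stats(payloads):
    """Split one monlist exchange into bytes in, bytes out and host entries disclosed."""
    req_bytes = resp_bytes = entries = 0
    for p in payloads:
        hdr = parse_mode7(p)
        if hdr is None or hdr["request_code"] != REQ_MON_GETLIST_1:
            continue
        if hdr["response"]:
            resp_bytes += len(p) + FRAME_OVERHEAD
            entries += hdr["nitems"]
        else:
            req_bytes += len(p) + FRAME_OVERHEAD
    factor = resp_bytes / req_bytes if req_bytes else 0.0
    return {"request_bytes": req_bytes, "response_bytes": resp_bytes, "entries": entries, "factor": factor}

def constructed_monlist_exchange(hosts=600):
    """Constructed sample: one 192-byte unauthenticated request, then responses listing `hosts` entries."""
    request = struct.pack("!BBBBHH", 0x17, 0, 3, REQ_MON_GETLIST_1, 0, 0) + bytes(184)  # version 2, mode 7
    pkts, remaining = [request], hosts
    while remaining > 0:
        n = min(ITEMS_PER_PACKET, remaining)
        remaining -= n
        flags = 0x97 | (0x40 if remaining else 0)  # response bit set; "more" bit on all but the last packet
        pkts.append(struct.pack("!BBBBHH", flags, 0, 3, REQ_MON_GETLIST_1, n, MON_ITEM_SIZE) + bytes(n * MON_ITEM_SIZE))
    return pkts

def monlist_disabled(ntp_conf):
    """True if ntp.conf turns off the monitor facility or denies mode-7 queries by default."""
    for line in ntp_conf.splitlines():
        words = line.split("#", 1)[0].split()
        if words[:2] == ["disable", "monitor"]:
            return True
        if words[:1] == ["restrict"] and "default" in words[1:3] and "noquery" in words:
            return True
    return False
```

Running `monlist_stats(constructed_monlist_exchange())` on the constructed 600-host exchange gives a 234-byte request answered by 48,200 bytes, a factor of about 206.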

"Finally, if you think NTP is bad, just wait for what's next," warned Prince. "SNMP has a theoretical 650x amplification factor. We've already begun to see evidence attackers have begun to experiment with using it as a DDoS vector. Buckle up."

Separately, a mitigation firm has warned that criminals are now using a toolkit called 'Flooder' to make DNS reflection attacks much easier to set up and execute. CloudFlare's warning could be prescient.

Stories by John E Dunn