A distributed denial-of-service (DDoS) attack which was registered at 400Gbps has been spotted, eclipsing the Spamhaus attack from last year.
Last June, the anti-spam organisation was hit by a 300Gbps attack. Content delivery firm CloudFlare, who were tasked with protecting Spamhaus and were also hit, announced this week’s attack.
Matthew Prince, CEO and co-founder and CloudFlare, said via his Twitter account that a “very big NTP reflection attack [is] hitting us right now. Appears to be bigger than the Spamhaus attack from last year.” He later said that he was unable to disclose who was being attacked that “someone’s got a big, new cannon. Start of ugly things to come.”
Prince said that this was made possible by a misconfigured NTP server, likely with a 100Mbps connection with 80 per cent utilisation, and the attacker would need a 1Gbps connection.
Tim ‘TK’ Keanini, CTO at Lancope, said: “This type of amplification attack is as old as the internet itself and as long as there is a protocol out there by which a single packet generates ten (or greater) packets in return, we will have this type of problem.
“NTP, DNS and a few other UDP (connectionless protocols) services have had vulnerable versions used in this type of DDoS. All of them are patched and fixed but the problem is that people don’t manage their services the way that they should. The fix has been available for a very long time and websites exist that freely test for these vulnerabilities, but still the administrators of these servers are irresponsibly leaving them unpatched and are helping attackers do this type of damage.”
Eduardo de la Arada, research team engineer at AlienVault, explained that this is another reflection technique, as an NTP server is a server used to synchronize the system clock.
“One of the available requests is MON_GETLIST; it returns the addresses of up to the last 600 machines that the NTP server has interacted with. So, with a small (234 bytes) request, the server could respond with a big package (48k more or less). You can modify the sender address to the targets ones, and send a lot of requests to multiple NTP servers, the generated traffic sent to the target could be enormous,” he said.
He suspected that the 400Gbps size of the attack was achieved by collecting as many NTP servers as possible. “The more servers they have collected, the stronger the attack will be. Not all servers have this feature, it was removed, so the attackers must scan internet looking for a version older than 4.2.7.”
Keanini said that the reason these attacks are getting larger is because pipes are getting larger and at these rates, you are limited by the capacity of some transit link to the victim.
“The bigger the pipes, the greater the volumetric attack. Next year I expect to see this at least double in terms of traffic/sec,” he said.