
Summary:

The attack, which appears to have been felt particularly hard in Europe, apparently exploited the protocol that maintains the accuracy of computers’ clocks.


Somebody out there was getting hit hard by a distributed denial-of-service (DDoS) attack on Monday, according to multiple reports. And it looks like this one was even harsher than last year’s Spamhaus incident, at the time the biggest known DDoS attack in the history of the internet.

According to Matthew Prince, CEO of anti-DDoS protection outfit CloudFlare:

Prince went on to say the attack was running at over 400Gbps (Spamhaus was around 300Gbps), though confidentiality stopped him from identifying which client was getting hammered. He said the effects were being felt particularly in Europe, with the attack mostly mitigated but still “big enough it caused problems even off our network, which is super annoying.”

French hosting outfit OVH also reported fending off an attack running at over 350Gbps, though of course it’s impossible to say whether the same attacker was responsible.

Reflect and amplify

What’s interesting about the attack reported by CloudFlare is its technique. DDoS is all about overwhelming the target’s servers with more data packets than their switches can handle, and both this and the Spamhaus attack seem to have used a “reflection and amplification” method to achieve this goal.

In the case of the Spamhaus attack, the perpetrators spoofed the IP address of the target and sent off domain name system (DNS) queries — which are usually along the lines of “What’s the IP address for this spelled-out website name?” — to open DNS resolvers that will answer any request from anywhere.

The attackers deliberately made queries that would elicit much larger responses and, because they were pretending to be whoever they were targeting, the poor victim would suddenly have tons of data flung at it, exacerbated by the number of machines controlled by the attacker and used to send out these requests.

The new attack uses a similar mechanism, only it doesn’t exploit badly configured DNS servers. Instead, it uses network time protocol (NTP) servers — the machines with which your computer will periodically shake hands in order to check what the time is. This was the same tactic used to attack a bunch of big online gaming services last month.

“Ugly things to come”

As CloudFlare recently explained, the NTP protocol is “ideal as a DDoS tool” because at least one of its functions will return data that is far more voluminous than the triggering request (specifically, the “monlist” command that asks the server for the addresses of the last 600 computers that used it). That post also includes some handy details about updating NTP servers to stop them from being misused in this way.
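To make the mode-7 (“private”) packet layout behind monlist concrete from a defender’s side, here is an added Python example (not code from this article or from CloudFlare) that decodes NTP mode-7 headers from constructed packets, flags monlist requests and replies, and totals bytes in versus bytes out per host, which is the signal an operator whose servers are being used as reflectors would look for. The header layout and the request codes 20/42 follow the reference ntpd’s ntp_request.h as I recall it; the 72-byte entry size, six entries per reply packet, and all addresses and packets are assumptions constructed for the example.

```python
import struct

# Mode-7 ("private") request codes that dump the monitor list, per the
# reference ntpd's ntp_request.h (REQ_MON_GETLIST = 20, REQ_MON_GETLIST_1 = 42).
MONLIST_CODES = {20, 42}

def parse_mode7(pkt: bytes):
    """Decode the 8-byte NTP mode-7 header; None if this is not a mode-7 packet."""
    if len(pkt) < 8:
        return None
    b0, b1, impl, req, err_count, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    if b0 & 0x07 != 7:            # low 3 bits are the NTP mode; 7 = private
        return None
    return {"response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
            "version": (b0 >> 3) & 0x07, "seq": b1 & 0x7F, "impl": impl,
            "req": req, "count": err_count & 0x0FFF, "item_size": mbz_size & 0x0FFF,
            "error": err_count >> 12, "payload": len(pkt) - 8}

def is_monlist(pkt: bytes, response: bool):
    h = parse_mode7(pkt)
    return bool(h and h["response"] == response and h["req"] in MONLIST_CODES)

def mode7(response, more, seq, req, count, item_size, payload=b""):
    """Build a mode-7 packet (constructed sample data, not captured traffic)."""
    b0 = (0x80 if response else 0) | (0x40 if more else 0) | (2 << 3) | 7
    return struct.pack("!BBBBHH", b0, seq, 3, req, count, item_size) + payload

def reflection_report(packets):
    """packets: (src_ip, dst_ip, udp_payload). Per host that sent monlist replies,
    return bytes of monlist requests received, bytes of replies sent, and the
    amplification (bytes out / bytes in)."""
    bytes_in, bytes_out = {}, {}
    for src, dst, p in packets:
        if is_monlist(p, response=False):
            bytes_in[dst] = bytes_in.get(dst, 0) + len(p)
        elif is_monlist(p, response=True):
            bytes_out[src] = bytes_out.get(src, 0) + len(p)
    return {h: {"in": bytes_in.get(h, 0), "out": out,
                "amplification": out / bytes_in[h] if bytes_in.get(h) else None}
            for h, out in bytes_out.items()}

# Constructed sample: one 48-byte monlist request whose source is spoofed to the
# victim 203.0.113.10, and the 100 reply packets (6 x 72-byte entries each) that a
# full 600-entry monitor list produces from the reflector 198.51.100.5.
VICTIM, REFLECTOR = "203.0.113.10", "198.51.100.5"
REQUEST = mode7(False, False, 0, 42, 0, 0, bytes(40))
REPLIES = [mode7(True, i < 99, i, 42, 6, 72, bytes(6 * 72)) for i in range(100)]
SAMPLE = [(VICTIM, REFLECTOR, REQUEST)] + [(REFLECTOR, VICTIM, r) for r in REPLIES]
```

Calling `reflection_report(SAMPLE)` shows the reflector sending 44,000 bytes in answer to a 48-byte request; on real traffic the report would be fed from a packet capture rather than the constructed list.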

Of course, if everyone kept their publicly connected servers up-to-date, we’d see a good deal less online crime. But they don’t, so, as Prince observed:


  1. O_o

    I’m surprised that there are enough NTP servers to do this attack; they should update their servers in a timely manner ;-)

    1. Yes dude, I appreciate your frustration.

  2. We were part of this.

    All our devices’ NTP services were running at 100% CPU and caused all other processes to suffer. Our link to the UK (from South Africa) was maxed out and caused tremendous headaches.

    We also noticed a lot of traffic for UDP port 80, which obviously makes no sense. It was definitely an amplification exploit, as we barely had any of that traffic come into our network. All the traffic was outbound.

    What a nightmare.

  3. If your NTP was the outgoing one, you should really get that patched up:
    http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks

  4. @frx We patched it up quite quickly once we found what the issues were.

  5. If every ISP would protect us against spoofed source IP addresses, we would be fine. This and every other trick is all about source identification and allowing spoofed sources through networks. BS. The edge routers could easily handle this for us…

    1. Hi,

      99% of ISPs do not allow spoofed IP traffic. In this case it was normal traffic that used an exploit on the software to send as many requests as it possibly could.

      No spoofing was involved with this attack.

  6. Was security of personal identification compromised at all?

  7. Don Cridelich Thursday, March 6, 2014

    I’m impressed with the rather quick handling of the situation at hand. Good job to all involved in securing the servers and overcoming those challenges! Is this sort of attack not illegal? If so, is it even possible to get to the root system that started the attack?

  8. Swaira Andleeb Monday, March 17, 2014

    Any Time Frame Of Site ON

  9. Chris Henniker Tuesday, March 18, 2014

    As a freelance journalist , this potentially delayed a project by several days. I couldn’t get work up on the Elance website for a client, which is important.

    1. Yup, you are right. I am also a freelancer, and both the oDesk and Elance sites have been down for many hours. There is an option of manual time tracking, but that can only work when Elance and oDesk are working.
