Somebody out there was getting hit hard by a distributed denial-of-service (DDoS) attack on Monday, according to multiple reports. And it looks like this one was even harsher than last year’s Spamhaus incident, at the time the biggest known DDoS attack in the history of the internet.
According to Matthew Prince, CEO of anti-DDoS protection outfit CloudFlare:
Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year. Mitigating.
— Matthew Prince 🌥 (@eastdakota) February 10, 2014
Prince went on to say the attack was running at over 400Gbps (Spamhaus was around 300Gbps), though confidentiality stopped him from identifying which client was getting hammered. He said the effects were being felt particularly in Europe, with the attack mostly mitigated but still “big enough it caused problems even off our network, which is super annoying.”
French hosting outfit OVH also reported fending off an attack running at over 350Gbps, though of course it’s impossible to say whether the same attacker was responsible.
Reflect and amplify
What’s interesting about the attack reported by CloudFlare is its technique. DDoS is all about overwhelming the target with more traffic than its servers and network equipment can handle, and both this and the Spamhaus attack seem to have used a “reflection and amplification” method to achieve this goal.
In the case of the Spamhaus attack, the perpetrators spoofed the IP address of the target and sent domain name system (DNS) queries (usually along the lines of “What’s the IP address for this domain name?”) to open DNS resolvers, which will answer any request from anywhere.
The attackers deliberately chose queries that elicit responses far larger than the request itself, and because the source address was forged, those responses went to the victim rather than back to the attacker. The victim suddenly had huge volumes of data flung at it, and the effect was multiplied by the number of attacker-controlled machines sending out these requests.
The new attack uses a similar mechanism, only it doesn’t exploit open DNS resolvers. Instead, it uses network time protocol (NTP) servers, the machines your computer periodically contacts to synchronise its clock. This was the same tactic used to attack a bunch of big online gaming services last month.
“Ugly things to come”
As CloudFlare recently explained, the NTP protocol is “ideal as a DDoS tool” because at least one of its functions returns far more data than the triggering request (specifically, the “monlist” command, which asks the server for the addresses of the last 600 computers that used it). That post also includes some handy details about updating NTP servers to stop them from being misused in this way.
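The reflection-and-amplification pattern described above shows up clearly in flow records at the receiving end: many hosts sourcing traffic from UDP port 123 at a per-packet size far above a normal time-sync reply, all aimed at one destination. The following detector is an added example written for this article, not code from CloudFlare or the original post; the flow records, addresses and volumes are constructed for illustration, and the 400-byte threshold is an assumption chosen to sit well above a normal 48-byte NTP payload.

```python
"""Flag likely NTP reflection victims in flow records (added example)."""
from collections import defaultdict

# Constructed flow records, one per line: src sport dst dport bytes packets.
# 198.51.100.5 plays the victim, 203.0.113.x are abused NTP servers, and
# 192.0.2.7 is a legitimate time server exchanging a normal 48-byte payload
# (76 bytes with IPv4/UDP headers). Volumes are illustrative, not measurements.
SAMPLE_FLOWS = """
203.0.113.10 123 198.51.100.5 51000 44000 100
203.0.113.11 123 198.51.100.5 51000 44000 100
203.0.113.12 123 198.51.100.5 51000 44000 100
203.0.113.13 123 198.51.100.5 51000 22000 50
192.0.2.7 123 198.51.100.9 40000 76 1
198.51.100.9 40000 192.0.2.7 123 76 1
"""

NTP_PORT = 123
LARGE_REPLY_BYTES = 400   # assumed threshold; normal replies are well under 100
MIN_REFLECTORS = 3        # fan-in from several servers distinguishes an attack


def parse_flows(text):
    """Parse the whitespace-separated records into tuples with numeric fields."""
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, nbytes, pkts = line.split()
        flows.append((src, int(sport), dst, int(dport), int(nbytes), int(pkts)))
    return flows


def find_reflection_victims(flows, large_reply=LARGE_REPLY_BYTES,
                            min_reflectors=MIN_REFLECTORS):
    """Return {victim: (reflector_count, total_bytes, avg_bytes_per_packet)}
    for destinations receiving oversized port-123-sourced traffic from many hosts."""
    per_dst = defaultdict(lambda: [set(), 0, 0])  # reflectors, bytes, packets
    for src, sport, dst, dport, nbytes, pkts in flows:
        if sport != NTP_PORT or pkts == 0:
            continue
        if nbytes / pkts < large_reply:
            continue  # ordinary time-sync replies stay below the threshold
        entry = per_dst[dst]
        entry[0].add(src)
        entry[1] += nbytes
        entry[2] += pkts
    return {dst: (len(r), b, b / p) for dst, (r, b, p) in per_dst.items()
            if len(r) >= min_reflectors}


if __name__ == "__main__":
    for victim, (n, b, avg) in find_reflection_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{victim}: {n} reflectors, {b} bytes, {avg:.0f} bytes/packet")
```

On the sample data the detector reports a single victim with four reflectors and an average of 440 bytes per packet, while the legitimate 76-byte exchange is ignored.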
Of course, if everyone kept their publicly connected servers up-to-date, we’d see a good deal less online crime. But they don’t, so, as Prince observed:
— Matthew Prince 🌥 (@eastdakota) February 11, 2014