Record-breaking DDoS attack struck on Monday, according to reports

Somebody out there was getting hit hard by a distributed denial-of-service (DDoS) attack on Monday, according to multiple reports. And it looks like this one was even harsher than last year’s Spamhaus incident, at the time the biggest known DDoS attack in the history of the internet.

According to Matthew Prince, CEO of anti-DDoS protection outfit CloudFlare:

Prince went on to say the attack was running at over 400Gbps (Spamhaus was around 300Gbps), though confidentiality stopped him from identifying which client was getting hammered. He said the effects were being felt particularly in Europe, with the attack mostly mitigated but still “big enough it caused problems even off our network, which is super annoying.”

French hosting outfit OVH also reported fending off an attack running at over 350Gbps, though of course it’s impossible to say whether the same attacker was responsible.

Reflect and amplify

What’s interesting about the attack reported by CloudFlare is its technique. DDoS is all about overwhelming the target’s servers with more data packets than their switches can handle, and both this and the Spamhaus attack seem to have used a “reflection and amplification” method to achieve this goal.

In the case of the Spamhaus attack, the perpetrators spoofed the IP address of the target and sent off domain name system (DNS) queries — which are usually along the lines of “What’s the IP address for this spelled-out website name?” — to open DNS resolvers that will answer any request from anywhere.

The attackers deliberately made queries that would elicit much larger responses and, because they were pretending to be whoever they were targeting, the poor victim would suddenly have tons of data flung at it, exacerbated by the number of machines controlled by the attacker and used to send out these requests.

The new attack uses a similar mechanism, only it doesn’t exploit badly configured DNS servers. Instead, it uses network time protocol (NTP) servers — the machines with which your computer will periodically shake hands in order to check what the time is. This was the same tactic used to attack a bunch of big online gaming services last month.

“Ugly things to come”

As CloudFlare recently explained, the NTP protocol is “ideal as a DDoS tool” because at least one of its functions will return data that is far more voluminous than the triggering request (specifically, the “monlist” command that asks the server for the addresses of the last 600 computers that used it). That post also includes some handy details about updating NTP servers to stop them from being misused in this way.
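The traffic pattern described above is easy to spot in flow records, because a legitimate NTP exchange is roughly symmetric (a small request, a small reply) while a monlist reflection answers one small, spoofed request with a burst of large packets. The following detector is an added example, not code from the article or from CloudFlare; the flow lines and packet sizes are constructed and only illustrative, and it also covers the reflector side (a network whose own NTP servers are being abused sees the same ratio, but outbound).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed flow records, one per line: a normal 48-byte sync on the first two
# lines, then monlist bursts answering small requests whose source is spoofed.
SAMPLE_FLOWS = """\
UDP 198.51.100.7:51234 -> 203.0.113.5:123 bytes=48
UDP 203.0.113.5:123 -> 198.51.100.7:51234 bytes=48
UDP 192.0.2.9:80 -> 203.0.113.5:123 bytes=234
UDP 203.0.113.5:123 -> 192.0.2.9:80 bytes=48200
UDP 192.0.2.9:80 -> 203.0.113.6:123 bytes=234
UDP 203.0.113.6:123 -> 192.0.2.9:80 bytes=48200
UDP 203.0.113.5:123 -> 192.0.2.10:80 bytes=48200
"""
FLOW_RE = re.compile(r"(\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+) bytes=(\d+)")
NTP_PORT = 123

def parse_flows(text):
    """Yield (proto, src, sport, dst, dport, bytes) for each well-formed line."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            proto, src, sport, dst, dport, nbytes = m.groups()
            yield proto, src, int(sport), dst, int(dport), int(nbytes)

def find_ntp_amplification(text, min_ratio=10.0):
    """Return {(server, client): (req_bytes, resp_bytes, ratio)} for every pair
    where bytes leaving port 123 dwarf the bytes that arrived at it. Honest time
    sync is about 1:1; replies with no request at all are the victim's view."""
    req, resp = defaultdict(int), defaultdict(int)
    for proto, src, sport, dst, dport, nbytes in parse_flows(text):
        if proto != "UDP":
            continue
        if dport == NTP_PORT:
            req[(dst, src)] += nbytes      # client -> server:123
        elif sport == NTP_PORT:
            resp[(src, dst)] += nbytes     # server:123 -> client
    findings = {}
    for pair, out_bytes in resp.items():
        in_bytes = req.get(pair, 0)
        ratio = out_bytes / max(in_bytes, 1)
        if ratio >= min_ratio:
            findings[pair] = (in_bytes, out_bytes, round(ratio, 1))
    return findings

def role(pair, local_nets):
    """'reflector' if the abused server is ours (all the bad traffic is outbound),
    'victim' if the client address is ours (replies we never asked for)."""
    server, client = pair
    nets = [ipaddress.ip_network(n) for n in local_nets]
    if any(ipaddress.ip_address(server) in n for n in nets):
        return "reflector"
    if any(ipaddress.ip_address(client) in n for n in nets):
        return "victim"
    return "transit"

if __name__ == "__main__":
    for pair, stats in find_ntp_amplification(SAMPLE_FLOWS).items():
        print(role(pair, ["203.0.113.0/24"]), pair, stats)
```

Run against real exports, a "reflector" hit means the server still answers monlist and needs the update the CloudFlare post describes; a "victim" hit with zero request bytes is the spoofed-source signature.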

Of course, if everyone kept their publicly connected servers up-to-date, we’d see a good deal less online crime. But they don’t, so, as Prince observed:

16 Responses to “Record-breaking DDoS attack struck on Monday, according to reports”

  1. Ben Talker

    I’m not so sure that DDOS attacks that happened a month ago have so much to do with being down.
    It’s not unthinkable that it’s a cover up for another site maintenance gone wrong.

    But I’m more than willing to have you prove me wrong. (with facts)

  2. Aqeel Bilal Malik

    Being freelance contractors, it has caused a real headache for all of us who had deadlines to follow. Things seem to be getting stable by now, but it was really a nightmare with no communication with clients or clients with contractors.

  3. Chris Henniker

    As a freelance journalist, this potentially delayed a project by several days. I couldn’t get work up on the Elance website for a client, which is important.

  4. Don Cridelich

    I’m impressed with the rather quick handling of the situation at hand. Good job to all involved in securing the servers and overcoming those challenges! Is this sort of attack not illegal? If so, is it even possible to get to the root system that started the attack?

  5. If every ISP would protect us against spoofed source IP addresses, we would be fine. This and every other trick is all about source identification and allowing spoofed sources through networks. BS. The edge routers could easily handle this for us…

    • Hi,

      99% of ISPs do not allow spoofed IP traffic. In this case it was normal traffic that used an exploit on the software to send as many requests as it possibly could.

      No spoofing was involved with this attack.

  6. We were part of this.

    All our devices’ NTP services were running at 100% CPU and caused all other processes to suffer. Our link to the UK (from South Africa) was maxed out and caused tremendous headaches.

    We also noticed a lot of traffic for UDP port 80, which obviously makes no sense. It was definitely an amplification exploit, as we barely had any of that traffic come into our network. All the traffic was outbound.

    What a nightmare.