Attacks/Breaches
2/11/2014
12:51 PM
DDoS Attack Hits 400 Gbit/s, Breaks Record

A distributed denial-of-service NTP reflection attack was reportedly 33% bigger than last year's attack against Spamhaus.


A record-breaking distributed denial-of-service (DDoS) attack Monday peaked at 400 Gbit/s, which is about 100 Gbit/s more than the largest previously seen DDoS attack.

DDoS defense firm CloudFlare disclosed the attack -- against one of its customers -- Monday. "Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year," tweeted CloudFlare CEO Matthew Prince, referring both to attacks that abuse weaknesses in the Network Time Protocol and to the March 2013 DDoS attack against Spamhaus, which peaked at a then record-breaking 300 Gbit/s.

Prince said Monday's attack caused trouble "even off our network," suggesting that some upstream service providers -- particularly in Europe -- may have experienced slowdowns.

"Someone's got a big, new cannon. Start of ugly things to come," Prince tweeted. "These NTP reflection attacks are getting really nasty," he added.

Who was the target of the attack? Prince declined to disclose the name of the CloudFlare customer being targeted, saying that unlike the attack against Spamhaus, his company didn't have permission to name names.


CloudFlare's assessment of the attack bandwidth appeared to be validated by Oles Van Herman, the head of French hosting firm OVH.com, who reported via Twitter that his company was seeing a DDoS attack with a bandwidth "far beyond" 350 Gbit/s. He confirmed that IP addresses involved in the DDoS attack -- which according to one report first began Friday -- traced back to his firm's network, but noted, "Our network is the victim, not the source."

Van Herman's statement suggests that attackers spoofed the OVH.com IP address -- as part of their record-breaking attack against a CloudFlare customer -- which squares with how reflection attacks work. "A reflection attack works when an attacker can send a packet with a forged source IP address," according to an overview of NTP reflection attacks published by CloudFlare programmer John Graham-Cumming. "The attacker sends a packet apparently from the intended victim to some server on the Internet that will reply immediately. Because the source IP address is forged, the remote Internet server replies and sends data to the victim."

Many reflection attacks previously targeted domain name system (DNS) servers. But lately, attackers have also begun to target NTP, which -- like DNS -- "is a simple UDP-based protocol that can be persuaded to return a large reply to a small request," said Graham-Cumming.

(Image: Cyber Inz)

Monday's record-breaking DDoS attack isn't the first time that large reflection attacks have been seen in the wild. According to a threat report released last month by DDoS defense firm Black Lotus, while HTTP and HTTPS attacks -- including SYN floods, ACK floods, and application-layer attacks -- remain the dominant type of DDoS attacks seen in the wild, "distributed reflection denial of service (DrDoS) attacks began to gain ground moving into 2014," and were being used to support "huge volumetric attacks exceeding 100 Gbit/s in volume."

Launching a reflection attack isn't difficult, especially if the attacker taps a toolkit such as DNS Flooder v1.1, which DDoS defense firm Prolexic said first appeared on underground hacking forums about six months ago. In a threat report released Tuesday, the company warned that the DNS-attack toolkit has since been used to launch a number of reflection attacks, with some successfully amplifying the initial attack bandwidth by a factor of 50.

"This toolkit uses a unique method where attackers assign DNS servers with arbitrary names and utilize them as reflectors," according to Prolexic's report. "This new technique allows malicious actors to purchase, set up, and use their own DNS servers to launch reflection attacks, without the need to find open and vulnerable DNS servers on the Internet."

But most DDoS attackers still rely on blended attacks, which gives them a better chance "to find weaknesses in the target's defenses and to confuse security engineers who may be trying to mitigate the attack," according to the Black Lotus report.

The number of DDoS attacks that included NTP reflection-attack techniques increased substantially after January 2, when US-CERT released vulnerability advisory CVE-2013-5211, detailing a network time protocol daemon (ntpd) bug that can be exploited to launch DDoS reflection attacks. "Specifically, an attacker can send a spoofed monlist command to a vulnerable ntpd which will respond to the victim at an amplification factor of 58.5," according to Black Lotus. The firm said that beginning in early January, it saw "a massive shift in the tactics used by attackers," when they began tapping the NTP vulnerability en masse.
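The tell-tale sign of the reflection pattern described above is a large reply on UDP port 123 that dwarfs, or has no matching, request from the "client" that supposedly asked for it. The following is an added example (not CloudFlare's or Black Lotus's code) that scores flow records for that pattern; the flow records and the 20x alert threshold are constructed assumptions, and the 234-byte request / 13700-byte reply pair is chosen only to reproduce the 58.5 amplification factor quoted in the article.

```python
"""Flag NTP reflection/amplification patterns in UDP flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123
AMP_THRESHOLD = 20.0  # assumed alert threshold; legitimate sync traffic is ~1:1


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def detect_reflection(flows, threshold=AMP_THRESHOLD):
    """Return {(ntp_server, client): amplification} for suspicious pairs.

    amplification = bytes the server sent to the client / bytes it received
    from that client. Large replies with no request on record at all (what a
    victim sees when the requests were spoofed elsewhere) are reported with
    amplification float('inf'). Symmetric 123<->123 peer traffic is skipped
    because its direction cannot be told from ports alone.
    """
    req, resp = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.sport == NTP_PORT and f.dport == NTP_PORT:
            continue
        if f.dport == NTP_PORT:                      # client -> server request
            req[(f.dst, f.src)] += f.nbytes
        elif f.sport == NTP_PORT:                    # server -> client reply
            resp[(f.src, f.dst)] += f.nbytes
    findings = {}
    for pair, rbytes in resp.items():
        qbytes = req.get(pair, 0)
        amp = rbytes / qbytes if qbytes else float("inf")
        if amp >= threshold:
            findings[pair] = round(amp, 1)
    return findings


SAMPLE_FLOWS = [  # constructed records, not captured traffic
    Flow("203.0.113.10", 40000, "198.51.100.5", 123, 48),    # ordinary sync query
    Flow("198.51.100.5", 123, "203.0.113.10", 40000, 48),    # ordinary sync reply
    Flow("192.0.2.7", 51000, "198.51.100.5", 123, 234),      # query "from" the victim
    Flow("198.51.100.5", 123, "192.0.2.7", 51000, 13700),    # monlist-sized reply
    Flow("198.51.100.9", 123, "192.0.2.7", 51000, 13700),    # reply with no request seen
]
```

Run against a real exporter's output the same logic applies per five-tuple; the useful product is the list of internal hosts answering as reflectors, which is what the remediation below fixes.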

How can businesses better prevent their servers from being used -- or abused -- by DDoS attackers who target NTP vulnerabilities? "As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publically accessible to at least 4.2.7," according to the US-CERT advisory. "However, in cases where it is not possible to upgrade the version of the service, it is possible to disable the monitor functionality in earlier versions of the software."

To further help lock down vulnerable systems, research firm Team Cymru has released secure NTP templates for Cisco IOS, Juniper Junos, and Unix. In addition, the NTP Scanning Project provides a free service to scan any server for NTP vulnerabilities.
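The two fixes the US-CERT advisory and the Team Cymru templates come down to are an ntp.conf that either turns the monitor facility off (`disable monitor`) or denies queries to everyone by default (`restrict default ... noquery`). Below is an added example, not the advisory's or Team Cymru's own tooling, of a small auditor for those directives; the two configuration files are constructed for illustration.

```python
"""Audit an ntp.conf for the monlist-related settings named in the advisory (added example)."""


def parse_ntp_conf(text):
    """Return (monitor_on, default_restrict_flags or None).

    ntpd enables the monitor facility unless told otherwise and reads the file
    top to bottom, so a later 'enable'/'disable' or 'restrict default' wins.
    """
    monitor_on = True
    default_flags = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        if tok[0] in ("enable", "disable") and "monitor" in tok[1:]:
            monitor_on = tok[0] == "enable"
        elif tok[0] == "restrict":
            args = [t for t in tok[1:] if t not in ("-4", "-6")]
            if args and args[0] == "default":
                default_flags = set(args[1:])
    return monitor_on, default_flags


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means the checks pass."""
    monitor_on, flags = parse_ntp_conf(text)
    findings = []
    if flags is None:
        findings.append("no 'restrict default' line: every client gets full access")
    if monitor_on and not (flags and "noquery" in flags):
        findings.append("monlist answerable: monitor enabled and no 'noquery' on default restrict")
    if flags is not None and "nomodify" not in flags:
        findings.append("default restrict lacks 'nomodify'")
    return findings


WEAK_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
disable monitor   # belt and braces: noquery already refuses mode 7 queries
"""
```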


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
wm2k5
User Rank: Apprentice
3/15/2014 | 11:49:53 PM
Cloudflare/OVH karma IMHO
I couldn't help but chuckle in reading this. Cloudflare and OVH have been the most unrepentant spam factories that I've had to deal with in the last 12 months. If they kicked spammers off their networks as soon as they were reported, I'd bet dollars against donuts that their customers wouldn't be the targets of massive DDOS attacks. Internet users loathe spammers and the hosts that profiteer off of the time wasted cleaning crap out of inboxes and malware off of their systems, and it's thoroughly unsurprising that someone with some advanced skills has been pissed off enough to do something about it.
TishaOehmen
User Rank: Apprentice
2/19/2014 | 7:38:04 PM
Network Time's explanation of what happened
If you haven't had a chance to read Network Time Foundation's response to the DRDoS attacks, take a moment to do so, and learn how to stop these attacks in their tracks here:
http://nwtime.org/ntp-winter-2013-network-drdos-attacks/
GeoTel
User Rank: Apprentice
2/13/2014 | 4:10:27 AM
Re: Highly unlikely
I thought the same thing while I read this. It's an interesting story, but is it just marketing for CloudFlare to promote public image/capabilities?
anon0841418791
User Rank: Apprentice
2/12/2014 | 5:10:42 PM
How to prevent this!
Check the below link on how to mitigate this attack:

http://letushare.com/issue-with-ntp-servers-the-new-ddos-target/
SaneIT
User Rank: Apprentice
2/12/2014 | 9:02:33 AM
Re: Highly unlikely
That's an interesting take on this. I remember hearing that the last attack did slow traffic around the UK and did in fact DDoS a specific target. Maybe it's marketing, maybe it's FUD, but I'm wondering who benefits from this news? Cloudflare? I thought they had issues during the attacks last year, not exactly good marketing.
anon5511426393
User Rank: Apprentice
2/12/2014 | 6:22:41 AM
Highly unlikely
The last Spamhaus "attack" was really a marketing press release based on fake data. At the time of the attack, the upstream ISP released their MRTG traffic logs - the "attack" was so small, it did not even register any visible blip.

This new report smells even more fishy than the first one. There aren't that many NTP servers out there, and I monitor Spamhaus - it hasn't missed a beat that I've noticed.

Kudos to the marketing genius that obviously just read about NTP amplification, and decided to put out this new publicity-raising "advertising" campaign!