Attacks/Breaches

DDoS Attack Hits 400 Gbit/s, Breaks Record

A distributed denial-of-service NTP reflection attack was reportedly 33% bigger than last year's attack against Spamhaus.

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(Click image for larger view and for slideshow.)

A record-breaking distributed denial-of-service (DDoS) attack Monday peaked at 400 Gbit/s, which is about 100 Gbit/s more than the largest previously seen DDoS attack.

DDoS defense firm CloudFlare disclosed the attack -- against one of its customers -- Monday. "Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year, tweeted CloudFlare CEO Matthew Prince, referring both to attacks that target vulnerabilities in the Network Time Protocol, as well as the March 2013 DDoS attack against Spamhaus, which peaked at a record-breaking 300 Gbit/s.

Prince said Monday's attack caused trouble "even off our network," suggesting that some upstream service providers -- particularly in Europe -- may have experienced slowdowns.

"Someone's got a big, new cannon. Start of ugly things to come," Prince tweeted. "These NTP reflection attacks are getting really nasty," he added.

Who was the target of the attack? Prince declined to disclose the name of the CloudFlare customer being targeted, saying that unlike the attack against Spamhaus, his company didn't have permission to name names.

[Law enforcement is trying to crack down on attackers. See British Spies Hit Anonymous With DDoS Attacks.]

CloudFlare's assessment of the attack bandwidth appeared to be validated by Oles Van Herman, the head of French hosting firm OVH.com, who reported via Twitter that his company was seeing a DDoS attack with a bandwidth "far beyond" 350 Gbit/s. He confirmed that IP addresses involved in the DDoS attack -- which according to one report first began Friday -- traced back to his firm's network, but noted, "Our network is the victim, not the source."

Van Herman's statement suggests that attackers spoofed the OVH.com IP address -- as part of their record-breaking attack against a CloudFlare customer -- which squares with how reflection attacks work. "A reflection attack works when an attacker can send a packet with a forged source IP address," according to an overview of NTP reflection attacks published by CloudFlare programmer John Graham-Cumming. "The attacker sends a packet apparently from the intended victim to some server on the Internet that will reply immediately. Because the source IP address is forged, the remote Internet server replies and sends data to the victim."

Many reflection attacks previously targeted domain name system (DNS) servers. But lately, attackers have also begun to target NTP, which -- like DNS -- "is a simple UDP-based protocol that can be persuaded to return a large reply to a small request," said Graham-Cumming.

(Image: Cyber Inz)
(Image: Cyber Inz)

Monday's record-breaking DDoS attack isn't the first time that large reflection attacks have been seen in the wild. According to a threat report released last month by DDoS defense firm Black Lotus, while HTTP and HTTPS attacks -- including SYN floods, ACK floods, and application-layer attacks -- remain the dominant type of DDoS attacks seen in the wild, "distributed reflection denial of service (DrDoS) attacks began to gain ground moving into 2014," and were being used to support "huge volumetric attacks exceeding 100 Gbit/s in volume."

Launching a reflection attack isn't difficult, especially if the attacker taps a toolkit such as DNS Flooder v1.1, which DDoS defense firm Prolexic said first appeared on underground hacking forums about six months ago. In a threat report released Tuesday, the company warned that the DNS-attack toolkit has since been used to launch a number of reflection attacks, with some successfully amplifying the initial attack bandwidth by a factor of 50.

"This toolkit uses a unique method where attackers assign DNS servers with arbitrary names and utilize them as reflectors," according to Prolexic's report. "This new technique allows malicious actors to purchase, set up, and use their own DNS servers to launch reflection attacks, without the need to find open and vulnerable DNS servers on the Internet."

But most DDoS attackers still rely on blended attacks, which gives them a better chance "to find weaknesses in the target's defenses and to confuse security engineers who may be trying to mitigate the attack," according to the Black Lotus report.

The number of DDoS attacks that included NTP reflection-attack techniques increased substantially after January 2, when US-CERT released vulnerability advisory CVE-2013-5211, detailing a network time protocol daemon (ntpd) bug that can be exploited to launch DDoS reflection attacks. "Specifically, an attacker can send a spoofed monlist command to a vulnerable ntpd which will respond to the victim at an amplification factor of 58.5," according to Black Lotus. The firm said that beginning in early January, it saw "a massive shift in the tactics used by attackers," when they began tapping the NTP vulnerability en masse.

How can businesses better prevent their servers from being used -- or abused -- by DDoS attackers who target NTP vulnerabilities? "As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publically accessible to at least 4.2.7," according to the US-CERT advisory. "However, in cases where it is not possible to upgrade the version of the service, it is possible to disable the monitor functionality in earlier versions of the software."

To further help lock down vulnerable systems, research firm Team Cymru has released secure NTP templates for Cisco IOS, Juniper Junos, and Unix. In addition, the NTP Scanning Project provides a free service to scan any server for NTP vulnerabilities.

Having a wealth of data is a good thing -- if you can make sense of it. Most companies are challenged with aggregating and analyzing the plethora of data being generated by their security applications and devices. This Dark Reading report, How Existing Security Data Can Help ID Potential Attacks, recommends how to leverage security data effectively in order to make informed decisions and spot areas of vulnerability. (Free registration required.)

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
wm2k5
50%
50%
wm2k5,
User Rank: Apprentice
3/15/2014 | 11:49:53 PM
Cloudflare/OVH karma IHMO
Ic ouldn't help but chuckle in reading this. Cloudflare and OVH have beent he most unrepentant spam factories that I've had to deal with in the last 12 months. If they kicked spammers off their networks as soon as they were reported, I'd bet dollars against donuts that their customers wouldn't be the targets of massive DDOS attacks. Internet users loathe spammers and the hosts that profiteer off of the time wasted cleaning crap out of inboxes and malware off of their systems, and it's thoroughly unsurprising that someone with some advanced skills has been pissed off enough to do something about it.
TishaOehmen
50%
50%
TishaOehmen,
User Rank: Apprentice
2/19/2014 | 7:38:04 PM
Network Time's explanation of what happened
If you haven't had a chance to read Network Time Foundation's response to the DRDoS attacks, take a moment to do so, and learn how to stop these attacks in their tracks here:
http://nwtime.org/ntp-winter-2013-network-drdos-attacks/
GeoTel
50%
50%
GeoTel,
User Rank: Apprentice
2/13/2014 | 4:10:27 AM
Re: Highly unlikley
I thought the same thing while I read this. It's an interesting story, but is it just marketing for CloudFlare to promote public image/capabilities? 
anon0841418791
50%
50%
anon0841418791,
User Rank: Apprentice
2/12/2014 | 5:10:42 PM
how to prevent this !
check the below link on how to migitate this attack :

http://letushare.com/issue-with-ntp-servers-the-new-ddos-target/
SaneIT
50%
50%
SaneIT,
User Rank: Apprentice
2/12/2014 | 9:02:33 AM
Re: Highly unlikley
That's an interesting take on this.  I remember hearing that the last attack did slow traffic around the UK and did in fact DDoS a specific target.  Maybe it's marketing maybe it's FUD but I'm wondering who benefits from this news? Cloudflare?  I thought they had issues during the attacks last year not exactly good marketing.
anon5511426393
50%
50%
anon5511426393,
User Rank: Apprentice
2/12/2014 | 6:22:41 AM
Highly unlikley
The last smaphaus "attack" was really a marketing press release based on fake data.  At the time of the attack, the upstream ISP released their MRTG traffic logs - the "attack" was so small, it did not even register any visible blip.

This new report smells even more fishy that the first one.  There aren't that many NTP servers out there, and I monitor spamhaus - it hasn't missed a beat that I've noticed.

Kudos to the marketing genious that obviously just read about NTP amplification, and decided to put this new publicity-raising "advertising" campain!
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Well, at least it isn't Mobby Dick!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4035
PUBLISHED: 2019-03-22
IBM Content Navigator 3.0CD could allow attackers to direct web traffic to a malicious site. If attackers make a fake IBM Content Navigator site, they can send a link to ICN users to send request to their Edit client directly. Then Edit client will download documents from the fake ICN website. IBM X...
CVE-2019-4052
PUBLISHED: 2019-03-22
IBM API Connect 2018.1 and 2018.4.1.2 apis can be leveraged by unauthenticated users to discover login ids of registered users. IBM X-Force ID: 156544.
CVE-2019-9648
PUBLISHED: 2019-03-22
An issue was discovered in the SFTP Server component in Core FTP 2.0 Build 674. A directory traversal vulnerability exists using the SIZE command along with a \..\..\ substring, allowing an attacker to enumerate file existence based on the returned information.
CVE-2019-9923
PUBLISHED: 2019-03-22
pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.
CVE-2019-9924
PUBLISHED: 2019-03-22
rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.