Massive DDoS Attack Leveraged Network Timing Protocol: CloudFlare
CloudFlare, which clocked the distributed denial-of-service attack at close to 400G bps, said the target was one of its customers.One of the largest distributed denial-of-service attacks (DDoS) ever seen hit the Internet Feb. 11, cloud security vendor CloudFlare reported. The target was a CloudFlare customer, and the attack appears to have been just shy of 400G bps, Matthew Prince, the company's CEO, told eWEEK. "We're still gathering data from all our upstream providers to get the exact scale." Prince declined to name the customer that was attacked. "Our policy is to not disclose the customer in question without their permission, and we haven't received or sought their permission," he said. The latest attack leveraged a technique known as a Network Time Protocol (NTP) reflection. It's an attack that the U.S. Computer Emergency Readiness Team (US-CERT), which is part of the U.S. Department of Homeland Security, has been warning against since January.
NTP is intended to just be used by servers to request the time in order to synchronize clocks. With an NTP reflection attack, different NTP server commands can potentially be abused that then amplify attack volume. One of those commands is the monlist command, which returns a list of the last 600 connected IP addresses to the requesting address. In an NTP reflection attack, the attacker will spoof the victim's IP address for the monlist query, which then sends the NTP response traffic to the victim.