Massive DDoS Attack Leveraged Network Timing Protocol: CloudFlare

CloudFlare, which clocked the distributed denial-of-service attack at close to 400G bps, said the target was one of its customers.

DDoS attack

One of the largest distributed denial-of-service attacks (DDoS) ever seen hit the Internet Feb. 11, cloud security vendor CloudFlare reported.

The target was a CloudFlare customer, and the attack appears to have been just shy of 400G bps, Matthew Prince, the company's CEO, told eWEEK. "We're still gathering data from all our upstream providers to get the exact scale."

Prince declined to name the customer that was attacked. "Our policy is to not disclose the customer in question without their permission, and we haven't received or sought their permission," he said.

The latest attack leveraged a technique known as a Network Time Protocol (NTP) reflection. It's an attack that the U.S. Computer Emergency Readiness Team (US-CERT), which is part of the U.S. Department of Homeland Security, has been warning against since January.

NTP is intended to just be used by servers to request the time in order to synchronize clocks. With an NTP reflection attack, different NTP server commands can potentially be abused that then amplify attack volume. One of those commands is the monlist command, which returns a list of the last 600 connected IP addresses to the requesting address. In an NTP reflection attack, the attacker will spoof the victim's IP address for the monlist query, which then sends the NTP response traffic to the victim.

US-CERT has previously advised that NTP server administrators update to the newest version to prevent the risk of reflection attacks. The effort to get NTP servers updated and properly configured is one that Prince is also advocating.

"We're working to get the word out about misconfigured NTP servers to get the fundamental problem cleaned up and help better protect everyone on the Web," Prince said. "Network administrators can test if they're running a misconfigured NTP server by visiting:"

CloudFlare is no stranger to large DDoS attacks and successfully repelled a 2013 DDoS attack that clocked in at 300G bps of attack traffic. That attack was against spam intelligence service Spamhaus, which is protected by the CloudFlare network.

While misconfigured NTP servers are at the root of the attack on CloudFlare's customer this week, the attack was extensive. As such, CloudFlare requires a very robust network with vast amounts of bandwidth to defend its customers.

"We're continuously expanding the size of CloudFlare's network to deal with larger and larger attacks," Prince said. "We're also working with our upstream providers to filter protocols like NTP being sent to ports on our network that should only be receiving HTTP/HTTPS traffic."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.