Largest Ever 400Gbps DDoS attack hits Europe uses NTP Amplification

The Distributed Denial of Service (DDoS) attack is the one of favourite weapon for the hackers to temporarily suspend services of a host connected to the Internet and till now nearly every big site had been a victim of this attack.

Since 2013, Hackers have adopted new tactics to boost Distributed Denial of Service attack sizes, which is known as ‘Amplification Attack’, that provide the benefits of obscuring the source of the attack, while enabling the bandwidth to be used to multiply the size of the attack.

Just yesterday, hackers have succeeded in reaching new heights of the massive DDoS attack targeting content-delivery and anti-DDoS protection firm CloudFlare, reaching more than 400Gbps at its peak of traffic, striking at the company’s data servers in Europe.

“Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year. Mitigating,” CloudFlare CEO Matthew Price said in a tweet. “Someone’s got a big, new cannon. Start of ugly things to come,”

This massive DDoS attack was greater than ever in history of the Internet, and larger than previous DDoS record-holder Spamhaus DDoS attack i.e. 300Gbps, that almost broke the Internet.

Attackers leveraged weaknesses in the Network Time Protocol (NTP), which is used to synchronize computer clocks, but hackers are abusing the NTP servers by sending small spoofed 8-byte UDP packets to the vulnerable server that requests a large amount of data (megabytes worth of traffic) to be sent to the DDoS's target IP Address.

The frequency of NTP reflection attacks has grown in recent months. While researchers have long-predicted that NTP might someday become a great vector for DDoS attacks and ideal DDoS tool, and the trend has recently become popular, causing an issue for some gaming websites and service provider.

Recently, The US-CERT issued an alert warning, listed certain UDP protocols identified as potential attack vectors for Amplification Attack, including DNS, NTP, SNMPv2, NetBIOS, SSDP ,CharGEN, QOTD, BitTorrent, Kad, Quake Network and Protocol Steam Protocol.

As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publicly accessible to at least 4.2.7. Until all the misconfigured NTP servers are cleaned up, attacks of this nature will continue.
Update: The CloudFlare team has released more technical details on the above 400Gbps NTP amplification DDoS Attack. Hackers abused 4295 vulnerable NTP server, running on 1,298 different networks.
The Spoofed UDP packet was amplified 206-times larger than the request by exploiting MONLIST command  vulnerability on open ntpd servers. "An attacker with a 1Gbps connection can theoretically generate more than 200Gbps of DDoS traffic."

 

 

 

 That means, Just by using 2Gbps Internet Connection and exploiting 4,529 NTP servers, Hacker DDoSed websites with 400Gbps bandwidth. "On average, each of these servers sent 87Mbps of traffic to the intended victim on CloudFlare's network." they said.

CloudFlare has also release a list of all Networks with Naughty NTP Servers Used in DDoS Attack, rather than publishing the complete list of IP addresses. ,"At this time, we've decided not to publish the full list of the IP addresses of the NTP servers involved in the attack out of concern that it could give even more attackers access to a powerful weapon."

 

 

Source: THN