NTP Amplification Blamed for 400 Gbps DDoS Attack

Hackers used NTP amplification to launch a DDoS attack that topped out at 400 Gbps against an unnamed European organization, 100 Gbps larger than the Spamhaus attack.

For those of you who thought the infamous Spamhaus distributed denial-of-service attack set an ugly bar for the volume of spurious traffic sent at a target, gird yourself for worse.

A massive DDoS attack, reaching at its peak 400 Gbps of bad traffic, was detected late yesterday against a number of servers in Europe, according to traffic optimization firm CloudFlare. CEO Matthew Prince tweeted several times with scant details about the attack against an unnamed customer.

“Someone’s got a big new cannon,” Prince said. “Start of ugly things to come.”

The peak of the attack surpassed the Spamhaus DDoS attacks of last March, which topped out at 300 Gbps, which at the time were three times the size of DDoS attacks carried out against leading U.S. banks and financial services institutions.

The attackers took advantage of weaknesses in a core piece of Internet infrastructure known as Network Time Protocol (NTP) to amplify the volume of attacks.

US-CERT issued an advisory in January warning companies that hackers were exploiting NTP vulnerabilities to flood networks with UDP traffic. NTP servers are publicly available machines used to synchronize computer clocks.

Known as NTP amplification attacks, hackers are exploiting something known as the monlist feature in NTP servers, also known as MON_GETLIST, which returns the IP address of the last 600 machines interacting with an NTP server. Monlists are a classic set-and-forget feature and is vulnerable to hackers making forged REQ_MON_GETLIST requests enabling traffic amplification.

Attackers are able to query NTP servers for traffic counts using the victim’s spoofed source address. In return, the response is much larger than the original request, and with enough vulnerable NTP servers returning requests, a website and/or services are quickly overrun with traffic.

“Because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks,” US-CERT said in its January advisory where it also advised that webhosts either disable the monlist feature, or upgrade their NTP servers to version 4.2.7 which disables the feature.

These types of high-volume attacks, whether related to NTP or open DNS resolvers, have impacted numerous industries from gaming to manufacturing to financial services. Experts say enterprises are deploying better defenses to shield themselves and critical services from DDoS attacks, which could be one reason for the volume increase. Another could be that attackers are going overboard with hundreds of Gbps to distract from their real goal which could be financial fraud or intellectual property theft.

Arbor Networks’ most recent Worldwide Infrastructure Security Report indicates far more of these volumetric attacks were reported than in past years, but they are still outliers. Yet successful temporary takedowns of large banks and high-profile organizations such as Spamhaus and others prove to the underground that techniques such as NTP amplification attacks and the use of open DNS resolvers have merit.

“Spamhaus made people aware of the threat of reflection amplification attacks. It does appear attackers have learned to leverage the infrastructure available on the Internet  to help them in attacks,” Arbor Networks’ Darren Anstee said.

Arbor’s report also said that few companies have security staff dedicated to infrastructure such as DNS and locking down those and related services. Coupled with the availability of open DNS resolvers, that presents a problem for high-value targets.

“If you’ve got open DNS resolvers you can use and if you’ve got a botnet that can generate a good volume of traffic and point it at a list of open DNS resolvers, you can use those resolvers to amplify the capabilities you have for your botnet,” Anstee said, adding that attackers can get a 30x improvement with amplification in some cases. “Unfortunately, it’s not that hard; the know-how is available.”

Suggested articles