400Gbps NTP-based DDoS attack hits Cloudflare
Posted on 12 February 2014.
Matthew Prince, CEO of content delivery network Cloudflare, confirmed on Twitter on Monday that one of its customers was being targeted with a very big Network Time Protocol (NTP) reflection attack - "bigger than the Spamhaus attack from last year."


He didn't name the customer, but he has shared that the attack reached the level of over 400 gigabits per second, that it probably caused congestion on some peering exchanges (mostly in Europe), that (based on sampled data) it misused just over 4,500 misconfigured NTP servers, and that the customer initially wanted to pay with a stolen credit card.

Despite the recommendation issued by US-CERT about updating public-facing NTP servers to an ntpd version that doesn't allow attackers to use them for NTP amplification attacks, there are still many vulnerable ones out there.

"The attack relies on the exploitation of the 'monlist' feature of NTP, as described in CVE-2013-5211, which is enabled by default on older NTP-capable devices. This command causes a list of the last 600 IP addresses which connected to the NTP server to be sent to the victim," explains US-CERT.

"Due to the spoofed source address, when the NTP server sends the response it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks."

The victim is effectively hit with a big DDoS attack.

Server administrators can either disable "monlist" within the NTP server or upgrade to the latest NTP version (4.2.7), which does the same thing. If you want to know whether your server(s) are vulnerable, you can use this simple online tool.
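One way to check an ntp.conf for the "disable monlist" mitigation described above, as an added example that is not from the article or from US-CERT. The function name, result keys and sample configurations are constructed for illustration; the check also covers the documented ntpd behaviour that a restrict entry with the `limited` flag keeps monitoring active even after `disable monitor`.

```python
# Constructed sample configs (not taken from any real server).
VULNERABLE = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict 127.0.0.1
"""
HARDENED = """\
disable monitor   # turns off the client list that monlist returns
restrict -4 default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer noquery
restrict 127.0.0.1
"""
LIMITED_TRAP = """\
disable monitor
restrict default limited nomodify notrap nopeer
"""

def audit_ntp_conf(text):
    """Report whether an ntp.conf leaves monlist answerable by arbitrary hosts."""
    monitor_enabled = True   # ntpd default: monitoring is on
    limited_seen = False
    default_flags = []       # one flag set per "restrict default" line
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].lower().split()
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("enable", "disable") and "monitor" in args:
            monitor_enabled = keyword == "enable"   # later line overrides earlier
        elif keyword == "restrict":
            limited_seen = limited_seen or "limited" in args
            addr = [a for a in args if a not in ("-4", "-6")]
            if addr and addr[0] == "default":
                default_flags.append(set(addr[1:]))
    # ntpd keeps monitoring active while any restrict entry uses "limited".
    monitoring_active = monitor_enabled or limited_seen
    # Simplification: every default entry must deny queries (noquery/ignore).
    default_noquery = bool(default_flags) and all(
        f & {"noquery", "ignore"} for f in default_flags)
    return {
        "monitoring_active": monitoring_active,
        "default_noquery": default_noquery,
        "monlist_exposed": monitoring_active and not default_noquery,
    }

if __name__ == "__main__":
    for name, conf in [("vulnerable", VULNERABLE), ("hardened", HARDENED),
                       ("limited", LIMITED_TRAP)]:
        print(name, audit_ntp_conf(conf))
```

The audit reads only the configuration file; access rules for specific networks and the version of the running ntpd still need to be checked separately.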

For more details about how NTP-based DDoS attacks work, check out Cloudflare's blog post from earlier this year.








