Attackers use Network Time Protocol for denial exploit

Feb 12, 2014, by Nancy Owano

(Phys.org) —Reports are calling it the world's most massive distributed denial-of-service (DDoS) attack ever, referring to this week's report about a massive exploit making use of the Network Time Protocol (NTP), which is used to synchronize computer clock times. But how is this the largest such attack? According to reports, measuring an attack's severity in gigabits, the recent incident was over 400 Gbps. That exceeds the Spamhaus exploit, last year's record-breaker, which at its peak was generating 300 Gbps of traffic. Spamhaus, based in Geneva, Switzerland and London, tracks spam services and spam senders. The attack on Spamhaus involved misconfigured Domain Name System (DNS) servers. The servers are used to translate typed Web and email addresses into numerical addresses. Reports said the attack affected mostly users in Europe and some parts of Asia.

A DDoS attack is launched in order to overwhelm web services by flooding them with requests for data. All that data traffic overwhelms the company's servers, preventing other Internet users from making their connections, as the servers receive more data packets than their switches can handle. IDG News Service's Lucian Constantin pointed out that NTP is but one of several protocols that can be used by attackers in DDoS attacks—the other two being DNS and SNMP (Simple Network Management Protocol). He added that "The new attack Monday used a technique called NTP reflection that involves sending requests with spoofed source IP addresses to NTP servers with the intention of forcing those servers to return large responses to the spoofed addresses instead of the real senders."

The attack was revealed on Twitter by Matthew Prince, CloudFlare's CEO. "Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year. Mitigating," said Prince. The attack was directed at a CloudFlare customer, but Prince did not disclose details about the affected customer.

CloudFlare is a web performance and security company that provides DDoS mitigation services. The company's blog post in January had focused on the attack method used earlier this week. John Graham-Cumming, programmer, wrote: "We'd long thought that NTP might become a vector for DDoS attacks because, like DNS, it is a simple UDP-based protocol that can be persuaded to return a large reply to a small request. Unfortunately, that prediction has come true."

Unfortunately, added Graham-Cumming, the NTP protocol is prone to amplification attacks because it will reply to a packet with a spoofed source IP address, and at least one of its built-in commands will send a long reply to a short request. "That makes it ideal as a DDoS tool." He further noted that NTP has a command called monlist (or sometimes MON_GETLIST) which can be sent to an NTP server for monitoring purposes. "It returns the addresses of up to the last 600 machines that the NTP server has interacted with. This response is much bigger than the request sent, making it ideal for an amplification attack."
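To make the monlist mechanism concrete from the defender's side, here is an added example (not code from the article or from CloudFlare) that decodes the NTP mode 7 ("private") header used by monlist queries, flags inbound monlist requests in captured UDP/123 traffic, and computes the reply-to-request byte ratio that makes the command attractive for reflection. The header layout and request codes (20 and 42) are taken from ntpd's ntp_request.h as I know it and are stated as assumptions; all packets and addresses are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# NTP mode 7 ("private") packets carry ntpdc queries such as monlist. Layout assumed
# from ntpd's ntp_request.h:
#   byte 0: R(1) M(1) VN(3) Mode(3)   byte 1: A(1) Seq(7)
#   byte 2: implementation            byte 3: request code
MODE_PRIVATE = 7
MONLIST_REQUEST_CODES = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}  # assumption, see above


@dataclass
class NtpPrivateHeader:
    response: bool        # R bit: set on replies, clear on requests
    more: bool            # M bit: set when further reply fragments follow
    version: int
    implementation: int
    request_code: int


def parse_ntp_private(payload: bytes) -> Optional[NtpPrivateHeader]:
    """Decode a mode-7 header; return None for anything that is not NTP mode 7."""
    if len(payload) < 8 or (payload[0] & 0x07) != MODE_PRIVATE:
        return None
    b0 = payload[0]
    return NtpPrivateHeader(response=bool(b0 & 0x80), more=bool(b0 & 0x40),
                            version=(b0 >> 3) & 0x07, implementation=payload[2],
                            request_code=payload[3])


def is_monlist_request(payload: bytes) -> bool:
    """True for an inbound monlist query, i.e. what a reflector sees from a spoofed source."""
    hdr = parse_ntp_private(payload)
    return hdr is not None and not hdr.response and hdr.request_code in MONLIST_REQUEST_CODES


def monlist_sources(packets: Iterable[Tuple[str, int, bytes]]) -> Dict[str, int]:
    """Count monlist requests per source address in (src, dst_port, payload) capture records."""
    counts: Dict[str, int] = {}
    for src, dst_port, payload in packets:
        if dst_port == 123 and is_monlist_request(payload):
            counts[src] = counts.get(src, 0) + 1
    return counts


def amplification_factor(request_len: int, response_lens: Iterable[int]) -> float:
    """Bytes returned per byte received: the ratio a reflection attack exploits and a defender alarms on."""
    return sum(response_lens) / request_len


# Constructed samples: an 8-byte MON_GETLIST_1 query (mode 7, VN 2, impl 3, code 42), an ordinary
# 48-byte client time request (mode 3), and one 440-byte monlist reply fragment (R=1, M=1).
MONLIST_QUERY = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])
CLIENT_QUERY = bytes([0x23]) + bytes(47)
MONLIST_REPLY = bytes([0xD7, 0x00, 0x03, 0x2A]) + bytes(436)
SAMPLE_PACKETS = [("198.51.100.7", 123, MONLIST_QUERY), ("203.0.113.9", 123, CLIENT_QUERY),
                  ("198.51.100.7", 123, MONLIST_QUERY), ("192.0.2.1", 51234, MONLIST_REPLY)]
```

Run over a real capture, a burst of monlist queries from one source to many servers on port 123, or a high reply-to-request ratio, is the signal that a server is being used as a reflector; the usual mitigation is to disable mode 7 queries (ntpd's `noquery` restriction) and to reject spoofed source addresses at the network edge.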

More information: blog.cloudflare.com/understand… p-based-ddos-attacks
