Attackers use Network Time Protocol for denial exploit

Feb 12, 2014 by Nancy Owano weblog

(Phys.org) — Reports are calling it the world's most massive distributed denial-of-service (DDoS) attack ever, referring to this week's report about a massive exploit making use of the Network Time Protocol (NTP), which is used to synchronize computer clock times. But how is this the largest such attack? Measured in gigabits per second of attack traffic, the recent incident was over 400 Gbps. That exceeds the Spamhaus attack, last year's record-breaker, which at its peak was generating 300 Gbps of traffic. Spamhaus, based in Geneva, Switzerland and London, tracks spam services and spam senders. The attack on Spamhaus involved misconfigured Domain Name System (DNS) servers, which translate typed Web and email addresses into numerical IP addresses. Reports said the attack affected mostly users in Europe and some parts of Asia.

A DDoS attack is launched in order to overwhelm web services by flooding them with requests for data. All that data traffic overwhelms the company's servers, preventing other Internet users from making their connections, as the servers receive more data packets than their switches can handle. IDG News Service's Lucian Constantin pointed out that NTP is but one of several protocols that can be used by attackers in DDoS attacks, the others being DNS and SNMP (Simple Network Management Protocol). He added that "The new attack Monday used a technique called NTP reflection that involves sending requests with spoofed source IP addresses to NTP servers with the intention of forcing those servers to return large responses to the spoofed addresses instead of the real senders."

The attack was revealed on Twitter by Matthew Prince, CloudFlare's CEO. "Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year. Mitigating," said Prince. The attack was directed at a CloudFlare customer, but Prince did not disclose details about the affected customer.

CloudFlare is a web performance and security company that provides DDoS mitigation services. The company's blog post in January had focused on the attack method used earlier this week. John Graham-Cumming, programmer, wrote: "We'd long thought that NTP might become a vector for DDoS attacks because, like DNS, it is a simple UDP-based protocol that can be persuaded to return a large reply to a small request. Unfortunately, that prediction has come true."

Unfortunately, added Graham-Cumming, the NTP protocol is prone to amplification attacks because it will reply to a packet with a spoofed source IP address; at least one of its built-in commands will send a long reply to a short request. "That makes it ideal as a DDoS tool." He further noted that NTP has a command called monlist (or sometimes MON_GETLIST) which can be sent to an NTP server for monitoring purposes. "It returns the addresses of up to the last 600 machines that the NTP server has interacted with. This response is much bigger than the request sent making it ideal for an amplification attack."
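As an added example (not code from the article or from CloudFlare), here is a small Python detector for the monlist traffic Graham-Cumming describes: it parses the NTP mode 7 ("private") header that carries the monlist request code, then flags (server, client) pairs where far more monlist bytes flow back to an address than that address ever sent, which is what spoofed-source reflection looks like from the victim's or the NTP server's network. The header layout follows ntpd's ntp_request.h; the addresses, packet sizes and traffic are constructed for the demonstration.

```python
import struct
from collections import defaultdict

NTP_PORT = 123
MONLIST_CODES = {20, 42}  # MON_GETLIST / MON_GETLIST_1 request codes in ntpd's ntp_request.h

def parse_mode7(payload):
    """Parse the 8-byte NTP mode 7 ('private') header; return None if not mode 7."""
    if len(payload) < 8:
        return None
    b0, _seq, impl, code, err_cnt, mbz_sz = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != 7:          # low three bits of byte 0 are the NTP mode
        return None
    return {"response": bool(b0 & 0x80), "more": bool(b0 & 0x40), "impl": impl,
            "req_code": code, "count": err_cnt & 0x0FFF, "item_size": mbz_sz & 0x0FFF,
            "monlist": code in MONLIST_CODES}

def score_flows(packets, threshold=10.0):
    """packets: (src_ip, src_port, dst_ip, dst_port, payload) tuples.
    Sums monlist bytes per (server, client) pair and returns the pairs whose
    response/request byte ratio reaches threshold: the reflection signature."""
    req, resp = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, data in packets:
        hdr = parse_mode7(data)
        if not hdr or not hdr["monlist"]:
            continue                      # ordinary time sync or other mode 7 traffic
        if hdr["response"] and sport == NTP_PORT:
            resp[(src, dst)] += len(data)
        elif not hdr["response"] and dport == NTP_PORT:
            req[(dst, src)] += len(data)
    flagged = {}
    for pair, out_bytes in resp.items():
        ratio = out_bytes / req[pair] if req[pair] else float("inf")
        if ratio >= threshold:
            flagged[pair] = ratio
    return flagged

def _mode7(response, more, code, count, item_size, data=b""):
    """Build a mode 7 packet (version 2, implementation 3) for the constructed sample."""
    b0 = (0x80 if response else 0) | (0x40 if more else 0) | (2 << 3) | 7
    return struct.pack("!BBBBHH", b0, 0, 3, code, count, item_size) + data

# Constructed sample traffic, not a real capture: one 48-byte monlist request whose source
# is spoofed to the victim 203.0.113.5, one ordinary mode 3 poll, and three 440-byte replies.
SAMPLE = [
    ("203.0.113.5", 40000, "198.51.100.10", NTP_PORT, _mode7(False, False, 42, 0, 0, b"\x00" * 40)),
    ("192.0.2.9", 40001, "198.51.100.10", NTP_PORT, b"\x23" + b"\x00" * 47),   # normal client poll
] + [("198.51.100.10", NTP_PORT, "203.0.113.5", 40000, _mode7(True, i < 2, 42, 6, 72, b"\x00" * 432))
     for i in range(3)]   # each reply fragment carries 6 entries of 72 bytes
```

Running `score_flows(SAMPLE)` reports the server/victim pair with a ratio of 27.5, since 1320 bytes of monlist replies answer a 48-byte request; the operational fix remains disabling monlist (or upgrading ntpd past the version that removed it) and ingress filtering of spoofed sources.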

More information: blog.cloudflare.com/understand… p-based-ddos-attacks
