CloudFlare Hit with 400Gbps NTP Amplification Attack
CloudFlare & Arbor Networks have both reported the attack against a CloudFlare hosted website reached a peak of between 325Gbps & 400Gbps. Previously the largest ever recorded DDoS attack has been against SpamHaus with 300Gbps.
In a statement released by CloudFlare, they explain their idea on how many systems the attack used to create such a large attack, and the numbers may actually shock you.
“Monday’s DDoS proved these attacks aren’t just theoretical. To generate approximately 400Gbps of traffic, the attacker used 4,529 NTP servers running on 1,298 different networks. On average, each of these servers sent 87Mbps of traffic to the intended victim on CloudFlare’s network. Remarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests.” – CloudFlare Blog
NTP Amplification attacks have become popular since the attacks against EA Games, Battle.Net, and the like, in December 2013. Multiple efforts have been made by US-CERT, the Open NTP Project, and my research team to try to take measures against these attack vectors. Less than a week ago, I explained how a group I’m involved with alerted systems administrators of vulnerable NTP servers on their network, with the purpose of shutting down a good chunk of the attack vector. While many of the companies have gotten back to me by now, several are still receiving more emails as more attack logs come in for analysis. At the moment I am re-scanning hosts which have been previously abused in attempt to find out how many have since been patched. The goal is that at least 30-50% will have been patched by now, I have definitely received enough replies to say that is a safe estimate of the roughly 3,000 servers we have reported.
If the campaign is over-all successful, our team is considering releasing the code to the public, so that everyone has the capability of monitoring & reporting NTP amplification attacks. By mid-2014 NTP Amplification attacks should not be a problem. But only with the help of administrators can we make that dream come true. If you or your company run NTP servers, please check the Open NTP Project home page to see what you can do to help out.