A distributed denial-of-service
(DDoS) attack on Monday reached more than 400Gbps at its peak. This is about 33
percent greater than the Spamhaus attack last year, which was the previous DDoS
record holder. This massive attack exploited key vulnerabilities in the
infrastructure of the Internet and has been called the “start of ugly things to
come.”
Online security specialists CloudFlare said this attack was the biggest of its
kind, the BBC reported.
In this particular attack, hackers exploited weaknesses in
the Network Time Protocol (NTP), a system that is used to synchronize computer
clocks. Through this vulnerability, hackers were able to flood servers with huge amounts of data,
and security experts warn that this technique could be used to force popular
services offline.
The attack appeared to have been directed at a specific
customer of content delivery network and security provider CloudFlare, which
first reported the attack.
“Very big NTP reflection attack hitting us right now.
Appears to be bigger than the #Spamhaus attack from last year. Mitigating,”
CloudFlare CEO Matthew Prince said via Twitter. “Someone’s got a big, new
cannon. Start of ugly things to come.”
NTP servers are designed to keep computers
synchronized to the same time, and the fundamentals of this protocol date
back to 1985, when NTP began operating. Despite updates to the system, it still
operates much as it has since it first went online. Computers
synchronize time via NTP by sending a small amount of data to make a request,
which then results in a reply that sends data back.
The reported weakness is
that the amount of data that NTP sends back is larger than the amount it
receives, so any attack is instantly amplified. The other problem is that
the original computer’s location could be “spoofed,” which could trick the NTP
server into sending the information back to somewhere else.
This could result in an amplification attack, which
CloudFlare explained in a blog post in early January: “Amplification attacks
like that result in an attacker turning a small amount of bandwidth coming from
a small number of machines into a massive traffic load hitting a victim from
around the Internet. Until recently the most popular protocol for amplification
attacks was DNS: a small DNS query looking up the IP address of a domain name
would result in a large reply.”
CloudFlare did not identify the specific customers
targeted in the attack, but CNET reported that Prince said it was directed at
servers in Europe and that “these NTP reflection attacks are getting really
nasty.”
CNET also reported that the frequency of NTP reflection
attacks has grown in recent months and that a recent NTP attack was used to
take down game servers hosting EA’s Origin, Blizzard’s Battle.net and League of
Legends, amongst others.
US-CERT had issued a warning to companies about the
growing popularity of this specific threat.
“Due to the spoofed source address, when the NTP server
sends the response it is sent instead to the victim,” CERT warned. “Because the
size of the response is typically considerably larger than the request, the
attacker is able to amplify the volume of traffic directed at the victim.”
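
The two signs described above (a reply sent to an address that never asked for it, and a reply far larger than the request) can be checked for in flow records. The following is an added example, not code from CloudFlare or US-CERT; the flow-record layout, the sample addresses and the ratio threshold of 10 are assumptions made for illustration.

```python
from collections import defaultdict

NTP_PORT = 123

# Constructed flow records (not real traffic): src_ip, src_port, dst_ip, dst_port, bytes
SAMPLE_FLOWS = [
    ("10.0.0.5", 40001, "192.0.2.10", 123, 90),        # ordinary time request
    ("192.0.2.10", 123, "10.0.0.5", 40001, 90),        # reply of similar size
    ("198.51.100.7", 123, "203.0.113.20", 80, 4400),   # reply nobody asked for
    ("198.51.100.8", 123, "203.0.113.20", 80, 4400),   # same target, second server
    ("203.0.113.99", 53000, "192.0.2.10", 123, 60),    # small request ...
    ("192.0.2.10", 123, "203.0.113.99", 53000, 4400),  # ... much larger reply
]

def find_reflection(flows, max_ratio=10.0):
    """Return sorted (client, server, reason, reply_bytes) for suspicious NTP replies."""
    requested = defaultdict(int)  # (client, server) -> bytes sent to port 123
    replied = defaultdict(int)    # (client, server) -> bytes sent from port 123
    for src, sport, dst, dport, nbytes in flows:
        if dport == NTP_PORT:     # also covers server-to-server (123 on both ends)
            requested[(src, dst)] += nbytes
        elif sport == NTP_PORT:
            replied[(dst, src)] += nbytes
    findings = []
    for (client, server), out_bytes in replied.items():
        in_bytes = requested.get((client, server), 0)
        if in_bytes == 0:
            # Victim-side view: the reply arrived, but this host never sent a request.
            findings.append((client, server, "unsolicited", out_bytes))
        elif out_bytes / in_bytes >= max_ratio:
            # Server-side view: the reply dwarfs the request (threshold is an assumption).
            findings.append((client, server, "amplified", out_bytes))
    return sorted(findings)

def bytes_per_target(findings):
    """Sum flagged reply bytes per receiving address, across all servers."""
    totals = defaultdict(int)
    for client, _server, _reason, nbytes in findings:
        totals[client] += nbytes
    return dict(totals)

if __name__ == "__main__":
    hits = find_reflection(SAMPLE_FLOWS)
    for hit in hits:
        print(hit)
    print(bytes_per_target(hits))
```

Run at the network edge, the "unsolicited" findings point to hosts being targeted; run by an NTP server operator, the "amplified" findings point to the server being used as a reflector.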
CloudFlare warned of impending NTP attacks in a report
published last October, which detailed how web hosts could best work to protect
customers.
CloudFlare offers services that protect websites and users
by placing an extra layer of digital defense between the sites and its
customers, and this includes the caching of sites to allow visitors to have
their web content loaded more quickly. Its services are so popular and deliver
so many page views per month that if it were an actual website it would be the
10th largest in the world.
However, last year CloudFlare suffered a server crash that
resulted in more than 785,000 websites experiencing an outage.