400Gbps NTP-based DDoS attack hits Cloudflare
Posted on 12 February 2014.
Matthew Prince, CEO of content delivery network Cloudflare, confirmed on Twitter on Monday that one of its customers was being targeted with a very big Network Time Protocol (NTP) reflection attack - "bigger than the Spamhaus attack from last year."


He didn't name the customer, but he has shared that the attack reached the level of over 400 gigabits per second, that it probably caused congestion on some peering exchanges (mostly in Europe), that (based on sampled data) it misused just over 4,500 misconfigured NTP servers, and that the customer initially wanted to pay with a stolen credit card.

Despite the recommendation issued by US-CERT about updating public-facing NTP servers to an ntpd version that doesn't allow attackers to use them for NTP amplification attacks, there are still many vulnerable ones out there.

"The attack relies on the exploitation of the 'monlist' feature of NTP, as described in CVE-2013-5211, which is enabled by default on older NTP-capable devices. This command causes a list of the last 600 IP addresses which connected to the NTP server to be sent to the victim," explains US-CERT.

"Due to the spoofed source address, when the NTP server sends the response it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks."

The victim is effectively hit with a big DDoS attack.

Server administrators can either disable "monlist" within the NTP server or upgrade to the latest NTP version (4.2.7) that does the same thing. If you want to know whether your server(s) are vulnerable, you can use this simple online tool.
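For administrators who prefer to check their own configuration, here is an added example (not from the article or from US-CERT) that audits the text of an ntp.conf for the condition described above: the monitoring facility behind "monlist" still active while remote queries are allowed. It assumes the stock ntpd directives `disable monitor` and `restrict ... noquery` and the documented behaviour that a `limited` restrict flag keeps monitoring active; it only evaluates `restrict default` lines, and the sample configurations are constructed.

```python
# Added example: audit ntp.conf text for 'monlist' exposure (assumes stock ntpd directives).

def audit_ntp_conf(text):
    """Return a dict describing whether remote hosts can still query monlist."""
    monitor_on = True            # ntpd enables the monitoring facility by default
    limited_seen = False         # a 'limited' restrict flag keeps monitoring active
    default_flags = {"v4": None, "v6": None}   # None = no 'restrict default' line

    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not tokens:
            continue
        keyword, args = tokens[0].lower(), [t.lower() for t in tokens[1:]]
        if keyword in ("enable", "disable") and "monitor" in args:
            monitor_on = (keyword == "enable")  # the last directive wins
        elif keyword == "restrict":
            families = ["v4", "v6"]             # no -4/-6 means both families
            if args and args[0] in ("-4", "-6"):
                families = ["v" + args[0][1]]
                args = args[1:]
            if "limited" in args[1:]:
                limited_seen = True
            if args and args[0] == "default":
                for fam in families:
                    default_flags[fam] = set(args[1:])

    monitoring_active = monitor_on or limited_seen
    # A family is open when its default entry lacks both 'noquery' and 'ignore'.
    open_families = [fam for fam, flags in default_flags.items()
                     if flags is None or not (flags & {"noquery", "ignore"})]
    return {
        "monitoring_active": monitoring_active,
        "query_open_families": open_families,
        "monlist_exposed": monitoring_active and bool(open_families),
    }

# Constructed sample configurations (not taken from any real server).
WEAK = """
server ntp.example.net iburst
restrict 127.0.0.1
"""
HARDENED = """
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
"""
PARTIAL = """
disable monitor
restrict default kod limited nomodify   # 'limited' re-activates monitoring
"""
```

Calling `audit_ntp_conf(PARTIAL)` shows the case that is easy to miss: `disable monitor` is present, yet the server is still flagged because of the `limited` flag and the missing `noquery`.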

For more details about how an NTP-based DDoS attack works, check out Cloudflare's blog post from earlier this year.









COPYRIGHT 1998-2014 BY HELP NET SECURITY.