NTP-based DDoS attacks a concern, says Cloudflare

Security firm Cloudflare says it spotted and stopped a massive DDoS attack that exploited a vulnerability in the infrastructure of the internet

Security firm Cloudflare says it has spotted and stopped a massive distributed denial of service (DDoS) attack that exploited a vulnerability in the infrastructure of the internet.

The firm said the target was unclear, but the attack was the biggest of its kind seen so far, peaking at about 400Gbps, roughly 100Gbps more than the previous record, the 2013 attack on Spamhaus.

This emerging type of DDoS attack floods servers with huge amounts of data by exploiting weaknesses in the system used to synchronise computer clocks, the Network Time Protocol (NTP).

To synchronise, a computer sends a request to an NTP server, which replies with the synchronisation data.

But the weakness lies in the fact that the amount of data an NTP server sends back can be far bigger than the amount it receives.

According to Cloudflare, NTP contains a command called monlist, which can be sent to an NTP server for monitoring purposes.

But it returns the addresses of up to the last 600 machines that the NTP server has interacted with. This response is many times bigger than the request that triggered it, making it ideal for an amplification attack.

Another problem is that the source address of the attacking computer can be "spoofed": NTP runs over UDP, which has no handshake to verify where a request came from, so the NTP server is tricked into sending its response to the target computer instead of the sender.

Cloudflare believes that, in this week's attack, many computers were used to make requests to NTP servers but, by spoofing the source addresses of these computers, attackers directed very large amounts of data from the NTP servers to a single target.

"Amplification attacks like that result in an attacker turning a small amount of bandwidth coming from a small number of machines into a massive traffic load hitting a victim from around the internet," Cloudflare said in a blog on the NTP vulnerability and basic protection measures posted in January 2014.
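As an added example (not code from the article or from Cloudflare's post), the monlist exchange described above from the defender's side in Python: the query's on-the-wire form, a detection check that recognises it in UDP/123 traffic, a parser for mode-7 responses, and the amplification ratio computed from a constructed response for a server that has 600 recent clients. The mode-7 header and the 72-byte monlist entry follow the layout in ntpd's ntp_request.h; the client addresses, counters and the six-entries-per-datagram split are constructed sample data.

```python
"""Added example, not from the article or Cloudflare: recognise, parse and
size an NTP mode-7 'monlist' exchange. All packet contents are constructed."""
import ipaddress
import struct

NTP_PORT = 123
MODE7 = 7                  # NTP mode 7: ntpd's private control protocol
IMPL_XNTPD = 3             # implementation number used by ntpd
REQ_MON_GETLIST = 20       # legacy monlist request code
REQ_MON_GETLIST_1 = 42     # 0x2a: the monlist request ntpdc sends
MON_ENTRY_SIZE = 72        # bytes per info_monitor_1 entry
ENTRIES_PER_DATAGRAM = 6   # 8-byte header + 6 * 72 = 440-byte datagram
MAX_MONLIST_ENTRIES = 600  # ntpd's default monitor list length

# flags/mode, seq, impl, reqcode, err(4)|nitems(12), mbz(4)|itemsize(12)
HEADER = struct.Struct("!BBBBHH")
# first 32 bytes of info_monitor_1: avg_int last_int restr count addr daddr flags port mode version
ENTRY_HEAD = struct.Struct("!IIIIIIIHBB")


def build_monlist_request(sequence=0):
    """The 8-byte query that asks a server for its monlist.
    byte 0 = response(1) more(1) version(3) mode(3): version 2, mode 7 -> 0x17."""
    return HEADER.pack(0x17, sequence & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def is_monlist_request(payload):
    """Detection check for a UDP/123 payload: an unanswered mode-7 monlist query?"""
    if len(payload) < HEADER.size:
        return False
    b0, _, impl, code, _, _ = HEADER.unpack_from(payload)
    is_response = bool(b0 & 0x80)
    return (not is_response and (b0 & 0x07) == MODE7 and impl == IMPL_XNTPD
            and code in (REQ_MON_GETLIST, REQ_MON_GETLIST_1))


def parse_mode7_response(datagram):
    """Split one mode-7 datagram into header fields and the client addresses it leaks."""
    b0, b1, impl, code, err_nitems, mbz_size = HEADER.unpack_from(datagram)
    header = {"response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
              "version": (b0 >> 3) & 0x07, "mode": b0 & 0x07, "sequence": b1 & 0x7F,
              "implementation": impl, "request_code": code, "error": err_nitems >> 12,
              "nitems": err_nitems & 0x0FFF, "item_size": mbz_size & 0x0FFF}
    entries, body = [], datagram[HEADER.size:]
    for i in range(header["nitems"]):
        item = body[i * header["item_size"]:(i + 1) * header["item_size"]]
        if len(item) < ENTRY_HEAD.size:
            raise ValueError("truncated monlist entry")
        _, _, _, count, addr, _, _, port, mode, version = ENTRY_HEAD.unpack_from(item)
        entries.append({"client": str(ipaddress.IPv4Address(addr)), "count": count,
                        "port": port, "mode": mode, "version": version})
    return header, entries


def build_sample_monlist_response(clients, sequence=0):
    """CONSTRUCTED: what a server with monlist enabled sends back for `clients`,
    six 72-byte entries per 440-byte datagram, 'more' bit set on all but the last."""
    chunks = [clients[i:i + ENTRIES_PER_DATAGRAM]
              for i in range(0, len(clients), ENTRIES_PER_DATAGRAM)]
    datagrams = []
    for idx, chunk in enumerate(chunks):
        more = idx < len(chunks) - 1
        b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE7
        hdr = HEADER.pack(b0, (sequence + idx) & 0x7F, IMPL_XNTPD,
                          REQ_MON_GETLIST_1, len(chunk), MON_ENTRY_SIZE)
        body = b"".join(
            ENTRY_HEAD.pack(64, 3, 0, 1000, int(ipaddress.IPv4Address(ip)), 0, 0, NTP_PORT, 3, 4)
            + bytes(MON_ENTRY_SIZE - ENTRY_HEAD.size)  # v6_flag, padding, addr6/daddr6 left zero
            for ip in chunk)
        datagrams.append(hdr + body)
    return datagrams


def amplification_factor(request, datagrams):
    """Payload-level ratio; per-packet IP/UDP headers (28 bytes) shift it on the wire."""
    return sum(len(d) for d in datagrams) / len(request)


def demo():
    # Constructed: a server that has talked to 600 clients, the ntpd maximum
    clients = [f"10.0.{i // 256}.{i % 256}" for i in range(1, MAX_MONLIST_ENTRIES + 1)]
    request = build_monlist_request()
    response = build_sample_monlist_response(clients)
    header, entries = parse_mode7_response(response[0])
    return {"request_is_monlist": is_monlist_request(request),
            "datagrams": len(response), "datagram_bytes": len(response[0]),
            "first_more_bit": header["more"], "first_client": entries[0]["client"],
            "amplification": amplification_factor(request, response)}


if __name__ == "__main__":
    print(demo())
```

An 8-byte query that draws 100 datagrams of 440 bytes is the whole problem in one number. To check one of your own servers, `ntpdc -n -c monlist <server>` (or `nmap -sU -p 123 --script ntp-monlist <server>`) will list addresses if the server is usable as an amplifier. The fix is `disable monitor` in ntp.conf, or a `restrict default ... noquery` line that refuses mode-7 queries from the internet; ntpd 4.2.7p26 and later disable monlist by default.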

The Network Time Protocol, like many other essential protocols that keep the internet running, is not secure, because it was designed and implemented without security in mind.

"A lot of these protocols are essential, but they're not secure," Alan Woodward, an independent cyber-security consultant, told the BBC.

He said the only real option for businesses is to deploy systems that mitigate DDoS attacks by shutting down connections when a large amount of data is heading for one destination.

Cloudflare said that, while it was able to mitigate this week's massive NTP-based DDoS attack, it was a worrying sign of things to come.

Ashley Stephenson, CEO of Corero Network Security, said this record-setting attack is certainly cause for concern, but is not likely to hold the title of "largest DDoS attack" for long.

“DDoS attack motivations are wide-ranging and unpredictable, meanwhile attack tools and the sophistication of the attacks continue to evolve. It’s a volatile combination that can strike any Internet business at any moment,” he said.

According to Stephenson, there is a growing expectation that internet service providers should do more to protect their customers from these attacks by enhancing their network infrastructure and services with an additional layer of security.

“This extra layer needs to be able to inspect and detect malicious traffic closer to the source before it converges on the intended DDoS victim – who is frequently one of their own customers,” he said.
