Largest Ever 400Gbps DDoS Attack Hits Europe Uses NTP Amplification

Do you like this story?

The Distributed Denial of Service (DDoS) attack is the one of favorite weapon for the hackers to temporarily suspend services of a host connected to the Internet and till now nearly every big site had been a victim of this attack.

Since 2013, Hackers have adopted new tactics to boost Distributed Denial of Service attack sizes, which is known as ‘Amplification Attack’, that provide the benefits of obscuring the source of the attack, while enabling the bandwidth to be used to multiply the size of the attack.

Just yesterday, hackers have succeeded in reaching new heights of the massive DDoS attack targeting content-delivery and anti-DDoS protection firm Cloudfare, reaching more than 400Gbps at its peak of traffic, striking at the company’s data servers in Europe.

“Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year. Mitigating,” Cloudflare CEO Matthew Price said in a tweet. “Someone’s got a big, new cannon. Start of ugly things to come,”

This massive DDoS attack was greater than ever in history of the Internet, and larger than previous DDoS record-holder Spamhaus DDoS attack i.e. 300Gbps, that almost broke the Internet.

Attackers leveraged weaknesses in the Network Time Protocol (NTP), which is used to synchronize computer clocks, but hackers are abusing the NTP servers by sending small spoofed 8-byte UDP packets to the vulnerable server that requests a large amount of data (megabytes worth of traffic) to be sent to the DDoS's target IP Address.

The frequency of NTP reflection attacks has grown in recent months. While researchers have long-predicted that NTP might someday become a great vector for DDoS attacks and ideal DDoS tool, and the trend has recently become popular, causing an issue for some gaming websites and service provider.

Recently, The US-CERT issued an alert warning, listed certain UDP protocols identified as potential attack vectors for Amplification Attack, including DNS, NTP, SNMPv2, NetBIOS, SSDP ,CharGEN, QOTD, BitTorrent, Kad, Quake Network and Protocol Steam Protocol.

As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publically accessible to at least 4.2.7. Until all the misconfigured NTP servers are cleaned up, attacks of this nature will continue.