Attackers exploiting a weakness in the Network Time Protocol launched a DDoS attack the volume of which outstripped last year’s huge attack against SpamHaus.
It’s becoming a depressingly familiar story for web hosting providers. Last year we were all surprised by the size and ferocity of distributed denial of service attacks, which had grown to unprecedented volumes. It looks like the trend will continue through 2014, with the year’s first really large attack being revealed by the CloudFlare DDoS mitigation service. Last year’s SpamHaus attack, which used a DNS amplification method, peaked at data volumes of 300 Gbps. Last week’s attack hit highs of 400 Gbps.
In order to generate such huge amounts of data, hackers need to find a way to amplify their available bandwidth. No hacker has access to bandwidth capable of producing and directing such a prodigious flow of data at their target.
Last year’s attacks favored the Domain Name System as the amplification mechanism — by making a request that sends a small amount of data to a DNS server, attackers were able to have the server produce a much larger amount of data in response. The attackers spoofed the source of the initial request, causing the DNS server to send the response to the target of the DDoS attack, rather than the server that had originated the request.
This year’s attacks work the same way. The Network Time Protocol is used for syncing the clocks of computers on the Internet, usually with a very accurate reference clock. Many organizations — including ISPs — run NTP servers, which means that there are many thousands of NTP servers on the net.
One of the features that NTP servers make available to clients is the monlist command. When sent a monlist request, an NTP server will respond with a list of the IP addresses of the last 600 machines that it interacted with. The initial monlist request is small; the response is proportionately much larger.
According to John Graham-Cumming of CloudFlare:
“A busy server that responded with the maximum 600 addresses would send 100 packets for a total of over 48k in response to just 234 bytes. That’s an amplification factor of 206x!”
Because attackers are sending spoofed requests, which appear to the NTP server to originate from the victim’s IP address, that’s where the responses are sent, allowing the attacker to generate massively more data than they would otherwise be able to.
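To make the mechanism concrete for a server operator looking at their own traffic, here is an added example (not from the original article) that decodes the NTP mode 7 "private" header that monlist rides on, flags monlist requests and responses in a list of captured datagrams, and reports how many response bytes the server emits per request byte it receives. The header layout, the request codes 20 and 42, the 48-byte request, and the 6-items-of-72-bytes reply packets are assumptions of this example, and the addresses are constructed.

```python
import struct

# NTP mode 7 ("private") header as this example assumes it from ntpd's ntp_request.h:
# rm_vn_mode, auth_seq, implementation, request, err_nitems, mbz_itemsize (8 bytes).
MODE_PRIVATE = 7
MONLIST_CODES = {20, 42}  # REQ_MON_GETLIST and REQ_MON_GETLIST_1 request codes
IMPL_XNTPD = 3


def parse_mode7(payload: bytes):
    """Decode the 8-byte mode 7 header; return None for anything that is not mode 7."""
    if len(payload) < 8:
        return None
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", payload[:8])
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(rm_vn_mode & 0x80),  # bit 7 set: a reply rather than a request
        "more": bool(rm_vn_mode & 0x40),      # bit 6 set: further reply packets follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request_code": req,
        "nitems": err_nitems & 0x0FFF,        # low 12 bits (high 4 bits carry an error code)
        "itemsize": mbz_itemsize & 0x0FFF,    # low 12 bits (high 4 bits must be zero)
    }


def summarize_monlist(datagrams) -> dict:
    """Count monlist traffic in (src_ip, dst_ip, udp_payload) records and compute response bytes per request byte."""
    s = {"requests": 0, "responses": 0, "request_bytes": 0, "response_bytes": 0}
    for _src, _dst, payload in datagrams:
        hdr = parse_mode7(payload)
        if hdr is None or hdr["request_code"] not in MONLIST_CODES:
            continue  # ordinary time sync (modes 3/4) or other mode 7 traffic
        kind = "response" if hdr["response"] else "request"
        s[kind + "s"] += 1
        s[kind + "_bytes"] += len(payload)
    s["amplification"] = s["response_bytes"] / s["request_bytes"] if s["request_bytes"] else 0.0
    return s


# Constructed sample capture: one 48-byte monlist request carrying the victim's address as source,
# then the 100 reply packets a busy server returns for 600 hosts (6 items of 72 bytes + 8-byte header each).
VICTIM, SERVER = "192.0.2.10", "198.51.100.5"
MONLIST_REQUEST = struct.pack("!BBBBHH", 0x17, 0, IMPL_XNTPD, 42, 0, 0) + bytes(40)

def monlist_reply(seq: int, last: bool) -> bytes:
    rm_vn_mode = 0x80 | (0x00 if last else 0x40) | (2 << 3) | MODE_PRIVATE
    return struct.pack("!BBBBHH", rm_vn_mode, seq, IMPL_XNTPD, 42, 6, 72) + bytes(6 * 72)

SAMPLE = [(VICTIM, SERVER, MONLIST_REQUEST)] + \
         [(SERVER, VICTIM, monlist_reply(i, i == 99)) for i in range(100)]
```

The ratio is computed over UDP payload bytes only, so it will not match a figure that counts whole frames on the wire; a server that never answers monlist shows zero responses here.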
If you’re running an NTP server that you’re worried may be vulnerable to being used in an amplification attack, you can use the free Open NTP Project to scan an IP space to find out for sure. NTP version 4.2.7 and older are not vulnerable, so the best course of action is to upgrade if you’re running an open NTP server.