Attackers use NTP reflection in huge DDoS attack

The attack peaked at over 400Gbps according to CloudFlare, the company whose infrastructure was targeted

By Lucian Constantin, IDG News Service |  Networking

"I would suspect they were likely related due to the similar timing and scale," Prince said. "However, I don't have direct evidence of that."

OVH did not immediately respond to a request for comment.

NTP is just one of several protocols that and can be abused to amplify DDoS attacks. Two others are DNS (Domain Name System) and SNMP (Simple Network Management Protocol).

What these protocols have in common is that they allow a relatively small query to generate a large response and are vulnerable to source IP spoofing if certain precautions are not taken because they work over UDP (User Datagram Protocol).

Instead of hitting a target's IP address directly with traffic generated by a botnet with a combined bandwidth of, say, 10Gbps, attackers could use the botnet to send spoofed queries to a list of open DNS or NTP servers. Those queries could be crafted to appear as if they came from the victim's IP address and could trigger large responses from those servers to that address.

In the case of DNS reflection, the amplification factor is 8x, meaning attackers could generate eight times more traffic than they would normally be able to generate with their botnet. However, in the case of NTP and SNMP reflection it can be over 200x and 650x, respectively, CloudFlare said in a blog post in January.

DNS reflection was commonly used in DDoS attacks last year, including in the attack against Spamhaus, prompting calls from Internet infrastructure groups and security researchers to organizations to identify and secure their DNS servers against this type of abuse.

SNMP reflection attacks are relatively rare, because the protocol is usually used with authentication and there are few open SNMP servers on the Internet, CloudFlare said in its January blog post.

However, NTP servers that are vulnerable to reflection attacks are apparently not that rare and attackers have caught on to this. NTP servers are used by computers and other devices to synchronize their clocks so many of them are publicly accessible.

Security vendor Symantec reported in December that it observed a spike in the number of NTP reflection attacks. Then in early January the same technique was used to attack online gaming servers.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

Ask a Question
randomness