A massive DDoS attack hit EU- and US-based servers, with security companies reporting it to be even more powerful than last year’s Spamhaus attacks. While the method of the attack was not new, CloudFlare warned there are “ugly things to come.”
Only scant details about the attack were released by US-based web
performance and security firm CloudFlare, which fought back
against the distributed denial of service (DDoS) attack early
Tuesday.
According to CloudFlare CEO Matthew Prince, the attack reached
400 gigabits per second in power – some 100Gbps higher than the
notorious Spamhaus cyber-assault of March 2013 that at the time
was branded the largest-ever attack in the history of the
internet.
“[It was] very big. Larger than the Spamhaus attack from last
year… Hitting our network globally but no big customer impact
outside of Europe,” Prince was quoted as saying by
TechWeekEurope blog.
Prince said one customer was initially targeted by the attack,
but added that he would not disclose the customer’s identity.
Mitigating a large attack hitting much of the EU
— CloudFlareStatus (@CloudFlareSys) February 10, 2014
Continuing to work through attack, also affecting some of the US
— CloudFlareStatus (@CloudFlareSys) February 10, 2014
The company spent several hours mitigating the attack, but said
that the European network was largely unaffected. When helping to
deal with the massive cyberwar on Spamhaus last year, CloudFlare
claimed the attack slowed down the entire World Wide Web, which
prompted critics to dub the company’s part a “PR stunt effort.”
CloudFlare had a spooky statement to offer its customers this
time as well. According to Prince, the latest attack has shown
that someone has got “a big, new cannon,” and it could be a
“start of ugly things to come.”
French hosting firm OVH also reported being hit by an attack of
more than 350Gbps in strength, but it was not clear whether it
was the same attack CloudFlare experienced.
@noone1337 @olesovhcom someone's got a big, new cannon. Start of ugly things to come.
— Matthew Prince (@eastdakota) February 11, 2014
The technique used by Monday’s attackers was not exactly new, as
they exploited the Network Time Protocol (NTP) used to
synchronize clocks on computer systems. A weakness in the
protocol allows querying an NTP server about connected clients
and their traffic counts. If made en masse, such requests can
generate an overwhelming volume of traffic, bringing down the
target just like a typical DDoS attack would do.
What makes the recent attacks worse is the so-called
“spoofing” of the attackers’ IP addresses, which makes it look
as if the victim is actually generating those spam requests. The
volume of junk traffic also skyrockets because of the “large”
replies thrown back at the target from a number of servers
“compromised” in the attack. For this reason, such
tactics are often referred to as a “reflection and
amplification” attack.
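From the receiving side, the pattern described above shows up as many NTP servers sending large replies to a host that never queried them. The following is an added example, not code from the article or from CloudFlare, that flags such hosts in UDP flow records; the record layout, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

NTP_PORT = 123

# Constructed UDP flow records (documentation addresses, not real traffic):
# (src_ip, src_port, dst_ip, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    # Ordinary time sync: small request, equally small reply.
    ("10.0.0.5", 40001, "192.0.2.10", 123, 1, 76),
    ("192.0.2.10", 123, "10.0.0.5", 40001, 1, 76),
    # One unmatched reply from a single server: below the reflector threshold.
    ("192.0.2.10", 123, "10.0.0.9", 40002, 1, 76),
    # Many servers sending large replies to a host that never queried them.
    ("198.51.100.1", 123, "203.0.113.7", 80, 100, 48200),
    ("198.51.100.2", 123, "203.0.113.7", 80, 100, 48200),
    ("198.51.100.3", 123, "203.0.113.7", 80, 100, 48200),
    ("198.51.100.4", 123, "203.0.113.7", 80, 100, 48200),
]


def find_reflection_targets(flows, min_reflectors=3, max_ratio=10.0):
    """Return {host: {"reflectors": [...], "bytes": n}} for hosts that receive
    NTP replies they did not ask for, or replies far larger than their requests.
    min_reflectors and max_ratio are assumed thresholds, to be tuned per network."""
    requested = defaultdict(int)                     # (client, server) -> request bytes
    replied = defaultdict(lambda: defaultdict(int))  # client -> server -> reply bytes
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if dport == NTP_PORT:
            # Includes port 123 <-> 123 traffic, which is direction-ambiguous
            # and is therefore never counted as a reply.
            requested[(src, dst)] += nbytes
        elif sport == NTP_PORT:
            replied[dst][src] += nbytes

    targets = {}
    for host, servers in replied.items():
        # A server is a suspected reflector if the host sent it nothing, or
        # if its replies exceed max_ratio times the bytes the host sent.
        suspects = {s: b for s, b in servers.items()
                    if b > max_ratio * requested[(host, s)]}
        if len(suspects) >= min_reflectors:
            targets[host] = {"reflectors": sorted(suspects),
                             "bytes": sum(suspects.values())}
    return targets


if __name__ == "__main__":
    for host, info in find_reflection_targets(SAMPLE_FLOWS).items():
        print(host, len(info["reflectors"]), "reflectors,", info["bytes"], "bytes")
```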
Back in January, the US Computer Emergency Readiness Team
(US-CERT) issued a warning about such NTP amplification attacks
after a number of prominent gaming services were brought down by
them in December, including Steam, League of Legends and
Battle.net.
While CloudFlare in its warning urged server administrators to
patch and upgrade their NTP servers to solve the issue, it
appears that few have since bothered to carry out these security
measures.