400 Gbps DDoS attack on Monday smashes Spamhaus DDoS record

// February 11th, 2014 // Hacking and Security



CloudFlare announced late last night that a 400 Gbps DDoS attack against an unnamed entity smashed the record set last year during the Spamhaus incident, in which a sustained 300 Gbps attack was launched against a European organization that maintains a blacklist of spam-related ISPs.  Effects from the attack were especially strong in Europe, where it caused slowdowns and related problems for ISPs.  At the same time, French hosting outfit OVH also reported fending off an attack running at over 350 Gbps, though of course it’s impossible to say whether the same attacker was responsible.

DDoS attacks overwhelm a target with more traffic than its servers and network equipment can handle.  In both the Spamhaus and yesterday’s attacks, a “reflection and amplification” method was used to hammer the targets.  In a RaA attack, the attacker spoofs the IP address of the target before sending DNS queries (e.g. what’s the IP address for X website) to a server in order to elicit a flood of DNS responses from the server to the entity being attacked (i.e. the DNS responses are sent to the spoofed IP address).  The “amplification” effect comes from the DNS server’s response being much larger than the small request packet the attackers sent to it.  In the Spamhaus attack, incorrectly configured open DNS resolvers were utilized.  In yesterday’s attack, NTP (network time protocol, UDP port 123) servers were used instead.
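The following is an added example, not code from the article or from CloudFlare, showing how a defender can spot the reflection-and-amplification pattern described above in flow records. The flow-record format, the sample records, the thresholds, and the request/response sizes used (a ~234-byte query answered with ~48 KB of monlist replies) are assumptions constructed for the example; the article itself gives no packet sizes.

```python
"""Added example: flag NTP reflection/amplification traffic in flow records.

Two views are covered:
  * our own NTP server is being abused as a reflector (spoofed requests
    "from" the victim arrive, and far more bytes go back out to it), and
  * one of our hosts is the victim (many reflectors send it large packets
    from UDP source port 123).
All records, sizes and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple, Set, Tuple

NTP_PORT = 123


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    bytes: int


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification: bytes the reflector emits per byte it receives."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def find_reflection_victims(flows: Iterable[Flow], my_ntp_servers: Set[str],
                            min_ratio: float = 10.0,
                            min_bytes: int = 100_000) -> Dict[str, Tuple[int, float]]:
    """Destinations that receive far more from our NTP servers than they send.

    A spoofed request makes the victim look like a client that sent a tiny
    query and got an enormous answer, so a high out/in byte ratio toward
    one address is the signature. Returns {peer: (bytes_out, ratio)}.
    """
    bytes_out: Dict[str, int] = defaultdict(int)
    bytes_in: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.src in my_ntp_servers and f.sport == NTP_PORT:
            bytes_out[f.dst] += f.bytes
        elif f.dst in my_ntp_servers and f.dport == NTP_PORT:
            bytes_in[f.src] += f.bytes
    hits: Dict[str, Tuple[int, float]] = {}
    for peer, sent in bytes_out.items():
        received = bytes_in.get(peer, 0)
        ratio = sent / received if received else float("inf")
        if sent >= min_bytes and ratio >= min_ratio:
            hits[peer] = (sent, ratio)
    return hits


def find_amplified_inbound(flows: Iterable[Flow], my_hosts: Set[str],
                           min_sources: int = 3,
                           min_avg_packet: int = 400) -> Dict[str, Dict[str, int]]:
    """Hosts of ours receiving large UDP/123-sourced packets from many peers.

    A legitimate NTP reply is under 100 bytes; monlist-style replies are
    several hundred bytes each and arrive from many reflectors at once.
    Returns {host: {"sources": n, "bytes": total}}.
    """
    per_host: Dict[str, Dict[str, int]] = defaultdict(lambda: {"sources": 0, "bytes": 0})
    for f in flows:
        if f.dst not in my_hosts or f.sport != NTP_PORT or f.packets == 0:
            continue
        if f.bytes / f.packets >= min_avg_packet:
            per_host[f.dst]["sources"] += 1
            per_host[f.dst]["bytes"] += f.bytes
    return {h: v for h, v in per_host.items() if v["sources"] >= min_sources}


# Constructed sample flows (RFC 5737 documentation addresses).
REFLECTOR_FLOWS = [
    # normal time sync: tiny request, tiny reply
    Flow("203.0.113.5", 51234, "198.51.100.10", NTP_PORT, 1, 90),
    Flow("198.51.100.10", NTP_PORT, "203.0.113.5", 51234, 1, 90),
    # 50 spoofed monlist queries "from" the victim, 100 x 482-byte replies each
    Flow("192.0.2.77", NTP_PORT, "198.51.100.10", NTP_PORT, 50, 11_700),
    Flow("198.51.100.10", NTP_PORT, "192.0.2.77", NTP_PORT, 5_000, 2_410_000),
]

VICTIM_FLOWS = [
    Flow("198.51.100.10", NTP_PORT, "192.0.2.77", NTP_PORT, 5_000, 2_410_000),
    Flow("198.51.100.20", NTP_PORT, "192.0.2.77", NTP_PORT, 3_000, 1_446_000),
    Flow("198.51.100.30", NTP_PORT, "192.0.2.77", NTP_PORT, 4_000, 1_928_000),
    Flow("203.0.113.9", NTP_PORT, "192.0.2.77", 40000, 1, 90),  # a genuine reply
]

if __name__ == "__main__":
    print("amplification:", round(amplification_factor(234, 48_200), 1))
    print("reflector abuse:", find_reflection_victims(REFLECTOR_FLOWS, {"198.51.100.10"}))
    print("victim view:", find_amplified_inbound(VICTIM_FLOWS, {"192.0.2.77"}))
```

The two detectors rely on different vantage points: the first only needs flow export from your own NTP servers and tells you whether you are someone else's reflector, while the second runs at your border and tells you whether you are the target. Neither needs packet payloads, so they work on ordinary NetFlow/IPFIX-style records.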

According to CloudFlare:

“Unfortunately, the simple UDP-based NTP protocol is prone to amplification attacks because it will reply to a packet with a spoofed source IP address and because at least one of its built in commands will send a long reply to a short request. That makes it ideal as a DDoS tool.

NTP contains a command called monlist (or sometimes MON_GETLIST) which can be sent to an NTP server for monitoring purposes. It returns the addresses of up to the last 600 machines that the NTP server has interacted with. This response is much bigger than the request sent making it ideal for an amplification attack.”

Properly secured and configured NTP servers will mitigate the problem.
