CloudFlare fights off massive NTP reflection DDoS attack

CloudFlare spent the last few days battling a massive NTP reflection DDoS attack.

CloudFlare – a group that enhances website performance and defense – spent the last few days battling a massive distributed denial-of-service (DDoS) attack that the company said is larger than the Spamhaus attack.

The DDoS experts with CloudFlare first began seeing attacks of increasing size over the last 72 hours, Matthew Prince, CEO of CloudFlare, told SCMagazine.com in a Tuesday email correspondence. He said the attacks peaked for a few hours on Monday afternoon, PST.

“We're still gathering data from our upstream providers, but it appears the attack peaked just shy of 400 [gigabytes per second],” Prince said, explaining he could not reveal the particular CloudFlare customer being targeted in the attack.

CloudFlare is continuously and simultaneously seeing large DDoS attacks against its network, making it challenging for researchers to pin down exactly how long this particular attack lasted, Prince said.

“The attack was quite distributed and we saw traffic from it across all of CloudFlare's global data centers,” Prince said. “The outward effects of the attack were most felt in Europe where we saw increased congestion [slowness] on our network.”

The attack was larger than the Spamhaus attack that took place in March 2013, but perhaps not the largest observed by CloudFlare, according to Prince, who explained that the attack was also notable for being an NTP reflection attack – a type of DDoS attack gaining popularity in 2014.

NTP stands for Network Time Protocol, which computers use to set clocks accurately, and an NTP reflection attack involves sending large amounts of data based on short requests, according to a blog post by John Graham-Cumming, a programmer with CloudFlare.

“An attacker, armed with a list of open NTP servers on the Internet, can easily pull off a DDoS attack using NTP,” Graham-Cumming wrote, explaining there are a number of tools – including Metasploit and NMAP – for identifying NTP servers, as well as the Open NTP Project.
