CloudFlare fights off massive NTP reflection DDoS attack

Share this article:
CloudFlare spent the last few days battling a massive NTP reflection DDoS attack.
CloudFlare spent the last few days battling a massive NTP reflection DDoS attack.

CloudFlare – a group that enhances website performance and defense – spent the last few days battling a massive distributed denial-of-service (DDoS) attack that the company said is larger than the Spamhaus attack.

The DDoS experts with CloudFlare first began seeing attacks of increasing size over the last 72 hours, Matthew Prince, CEO of CloudFlare, told SCMagazine.com in a Tuesday email correspondence. He said the attacks peaked for a few hours on Monday afternoon, PST.

“We're still gathering data from our upstream providers, but it appears the attack peaked just shy of 400 [gigabytes per second],” Prince said, explaining he could not reveal the particular CloudFlare customer being targeted in the attack.

CloudFlare is continuously and simultaneously seeing large DDoS attacks against its network, making it challenging for researchers to pin down exactly how long this particular attack lasted, Prince said.

“The attack was quite distributed and we saw traffic from it across all of CloudFlare's global data centers,” Prince said. “The outward effects of the attack were most felt in Europe where we saw increased congestion [slowness] on our network.”

The attack was larger than the Spamhaus attack that took place in March 2013, but perhaps not the largest observed by CloudFlare, according to Prince, who explained that the attack was also notable for being a NTP reflection attack – a type of DDoS attack gaining popularity in 2014.

NTP stands for Network Time Protocol, which computers use to set clocks accurately, and an NTP reflection attack involves sending large amounts of data based on short requests, according to a blog post by John Graham-Cumming, a programmer with CloudFlare.

“An attacker, armed with a list of open NTP servers on the Internet, can easily pull off a DDoS attack using NTP,” Graham-Cumming wrote, explaining there are a number of tools – including Metasploit and NMAP – for identifying NTP servers, as well as the Open NTP Project.

Share this article:

Sign up to our newsletters

More in News

New backdoor 'Baccamun' spreads through ActiveX exploit

Symantec researchers revealed that the backdoor is dropped after attackers exploit a Windows ActiveX vulnerability.

Outdated browsers put U.K. users at risk of malware

A blog post on Check and Secure website said 70 percent of U.K. users haven't fully updated their internet browsers

Survey: 53 percent change privileged logins quarterly

A Lieberman Software survey highlights the issue or poor password management, even among security pros.