Incident Response, TDR

CloudFlare fights off massive NTP reflection DDoS attack

CloudFlare – a group that enhances website performance and defense – spent the last few days battling a massive distributed denial-of-service (DDoS) attack that the company said is larger than the Spamhaus attack.

The DDoS experts with CloudFlare first began seeing attacks of increasing size over the last 72 hours, Matthew Prince, CEO of CloudFlare, told SCMagazine.com in a Tuesday email correspondence. He said the attacks peaked for a few hours on Monday afternoon, PST.

“We're still gathering data from our upstream providers, but it appears the attack peaked just shy of 400 [gigabytes per second],” Prince said, explaining he could not reveal the particular CloudFlare customer being targeted in the attack.

CloudFlare is continuously and simultaneously seeing large DDoS attacks against its network, making it challenging for researchers to pin down exactly how long this particular attack lasted, Prince said.

“The attack was quite distributed and we saw traffic from it across all of CloudFlare's global data centers,” Prince said. “The outward effects of the attack were most felt in Europe where we saw increased congestion [slowness] on our network.”

The attack was larger than the Spamhaus attack that took place in March 2013, but perhaps not the largest observed by CloudFlare, according to Prince, who explained that the attack was also notable for being a NTP reflection attack – a type of DDoS attack gaining popularity in 2014.

NTP stands for Network Time Protocol, which computers use to set clocks accurately, and an NTP reflection attack involves sending large amounts of data based on short requests, according to a blog post by John Graham-Cumming, a programmer with CloudFlare.

“An attacker, armed with a list of open NTP servers on the Internet, can easily pull off a DDoS attack using NTP,” Graham-Cumming wrote, explaining there are a number of tools – including Metasploit and NMAP – for identifying NTP servers, as well as the Open NTP Project.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.