Incident Response, TDR, Threat Management

DDoS attacks against NATO likely DNS amplification or NTP reflection, expert suggests

A distributed denial-of-service (DDoS) attack carried out against various NATO websites on Sunday was likely a Domain Name Server (DNS) amplification attack or a Network Time Protocol (NTP) reflection attack – or possibly some combination of both – according to a DDoS expert.

Matthew Prince, CEO of CloudFlare, a website defense company that fought off a massive DDoS attack in February that peaked just shy of 400 gigabytes per second, told on Monday that DNS reflection and NTP reflection attacks have enough power to knock out NATO websites – including the main site,

“It's not highly sophisticated; it's simple, but it's effective,” Prince said, adding these types of attacks are on the rise. “This is, at its simplest level, just about filling a pipe with requests that makes it so the routers themselves become unusable.”

Oanu Lungescu, spokesperson with NATO, posted to Twitter on Sunday that DDoS attacks were being carried out against NATO websites, but that the integrity of NATO data, systems and operations were not affected.

Prince said this seems to be the case and that only informational websites were hit. He explained that organizations similar to NATO typically have networks, for high priority operations, that are not traditionally connected to the rest of the internet and are less likely to be impacted by conventional means.

“We don't know specifics, but assuming it's a volume DDoS attack, that should not create any risk of sensitive data somehow being revealed or disclosed,” Prince said. “There have been examples where DDoS has been used as a distraction while other hacking is going on, but it's less likely. My hunch is that [it's political].”

The group claiming responsibility for the attacks is known as “Cyber Berkut” and, on a message posted to its website in Russian and translated using Google, said it is against a NATO presence in Ukraine. The ongoing controversy involves Crimea, a republic in southwest Ukraine.

Because these types of attacks can be carried out so easily, Prince said it is hard to tell if this is a professional state-sponsored attack or just a single individual on a single laptop that has a gripe against NATO. He added that the ultimate goal is likely to get attention, and in that sense, it was a success.

“I think if there was one thing to take away from this, it is for people to check and make sure they are not running vulnerable systems that can be used to attack other systems,” Prince said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.