CloudFlare, the cloud services firm that earlier this week claimed to have mitigated the largest ever distributed denial of service (DDoS) attack, has given more details about the attack and warned there could be worse to come.
In a blog CloudFlare CEO Matthew Prince said that Monday’s attack had used a technique called NTP [Network Time Protocol] amplification.
“An NTP amplification attack begins with a server controlled by an attacker on a network that allows source IP address spoofing,” Prince writes.
“The attacker generates a large number of UDP packets spoofing the source IP address to make it appear the packets are coming from the intended target.
These UDP packets are sent to Network Time Protocol servers (port 123) that support the MONLIST command.”
The MON_GETLIST command allows admins to query NTP servers for traffic counts.
Attackers can send this command to vulnerable NTP servers using a spoofed source address.
Explaining how the amplification process works, Prince says:
“If an NTP server has its list fully populated, the response to a MONLIST request will be 206-times larger than the request.”
The attack on Monday used a network of 4,529 NTP servers across the globe and targeted one of CloudFlare’s European customers affecting all of its 24 data centres. It was large enough to cause network congestion in parts of Europe.
While CloudFlare managed to mitigate this particular attack, Prince describes the size of the per-server amplification as “troubling”.
He encourages network administrators to restrict access to NTP servers and to disable MONLIST.
He also urges admins to follow the Best Current Practice 38 (BPC 38) guidance published by the Network Working Group of the Internet Engineering Task Force, which was specifically formulated to help prevent denial of service attacks.
“If you’re running a network then you should ensure that you are following BCP 38 and preventing packets with spoofed source addresses from leaving your network.”
While this week’s attack is thought to be the largest ever in terms of traffic, Prince warns that there may be much worse to come as attackers expand to technique to exploit weaknesses other protocols such as SNMP.
“SNMP has a theoretical 650x amplification factor. We’ve already begun to see evidence attackers have begun to experiment with using it as a DDoS vector. Buckle up,” he writes.