In a report on the DDoS attack against one of their customers earlier this week, CloudFlare says that the attackers generated an enormous amount of traffic from 4,529 NTP servers running on 1,298 different networks. As a result, the full force of the attack was 33 percent larger than the one against Spamhaus, which until now was one of the largest DDoS events on record.
The attack was just shy of 400Gbps at peak, and was the result of NTP amplification. NTP amplification attacks start by spoofing an IP address. The forged address mirrors that of the server that's being targeted, and from there, the attacker blasts out requests to NTP servers supporting the MONLIST command. A detailed primer on NTP attacks can be seen here, for those who are curious.
In a statement to the Hash, Nathaniel Couper-Noles, principal security consultant at Neohapsis, explained that an NTP server often cannot tell whether a request carries a spoofed source address, so in many cases that judgement falls to the network. Historically, operating system designers, system implementers, and ISPs paid little attention to managing or preventing spoofed traffic.
"It was and still is up to millions of internet participants to harden their networking configuration to limit the potential for denial of service amplification. But economically there’s frequently little incentive to do so – most denial of service attacks target someone else, and the impact to being involved as a drone is relatively minor. Sadly, as a result, you get systemic susceptibility," he said.
According to CloudFlare's Matthew Prince, the MONLIST command is essentially useless.
"I'd personally be curious to talk with whoever added MONLIST as a command to NTP servers. The command seems of such little practical use -- it returns a list of up to the last 600 IP addresses that last accessed the NTP server -- and yet it can do so much harm. If an NTP server has its list fully populated, the response to a MONLIST request will be 206-times larger than the request."
Thus, an attacker with a simple 1Gbps connection can generate an attack with more than 200Gbps behind it.
"NTP and all other UDP-based amplification attacks rely on source IP address spoofing. If attackers weren't able to spoof the source IP address then they would only be able to DDoS themselves. If you're running a network then you should ensure that you are following BCP38 and preventing packets with spoofed source addresses from leaving your network."
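As an added illustration of the pattern described above (this code is not from CloudFlare's post or this article), the following Python decodes the NTP mode 7 "private" header that carries the MONLIST request code and groups monlist responses by destination, which is how a network operator can spot reflected traffic aimed at a host that never asked for it. The addresses and packets are constructed sample values, and the threshold of three responses is an assumed tuning knob.

```python
import struct

# NTP mode 7 ("private") request codes for the monitor list (ntp_request.h).
MONLIST_CODES = {20, 42}  # MON_GETLIST, MON_GETLIST_1

def parse_ntp_mode7(payload):
    """Return the header fields of an NTP mode 7 packet, or None if not mode 7.
    Byte 0 packs R(esponse), M(ore), 3-bit version, 3-bit mode; byte 1 packs the
    auth bit and sequence; bytes 2-3 are implementation and request code;
    bytes 4-7 hold err/count and mbz/size as 4-bit + 12-bit fields."""
    if len(payload) < 8:
        return None
    b0, b1, impl, req, ec, ms = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != 7:
        return None
    return {"response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
            "version": (b0 >> 3) & 0x07, "sequence": b1 & 0x7F,
            "implementation": impl, "request_code": req,
            "count": ec & 0x0FFF, "size": ms & 0x0FFF}

def classify_ntp_payload(payload):
    """'monlist-request', 'monlist-response' or 'other' for one UDP payload."""
    hdr = parse_ntp_mode7(payload)
    if hdr is None or hdr["request_code"] not in MONLIST_CODES:
        return "other"
    return "monlist-response" if hdr["response"] else "monlist-request"

def monlist_response_targets(records, min_responses=3):
    """Group monlist responses (src port 123) by destination address.
    records: iterable of (src_ip, src_port, dst_ip, dst_port, payload).
    Returns {dst_ip: (responses, bytes)} for hosts receiving >= min_responses;
    a destination you never saw send a request is the reflected-traffic victim."""
    hits = {}
    for src_ip, src_port, dst_ip, dst_port, payload in records:
        if src_port == 123 and classify_ntp_payload(payload) == "monlist-response":
            n, total = hits.get(dst_ip, (0, 0))
            hits[dst_ip] = (n + 1, total + len(payload))
    return {d: v for d, v in hits.items() if v[0] >= min_responses}

# Constructed sample traffic (documentation addresses, not real captures).
MONLIST_REQ = b"\x17\x00\x03\x2a" + bytes(44)          # v2, mode 7, code 42, 48 bytes
MONLIST_RESP = (b"\xd7\x00\x03\x2a" + struct.pack("!HH", 6, 72)
                + bytes(6 * 72))                       # R+M set, 6 entries, 440 bytes
CLIENT_REQ = b"\x1b" + bytes(47)                       # ordinary v3 mode 3 client poll
SAMPLE_RECORDS = [
    ("192.0.2.%d" % i, 123, "203.0.113.10", 80, MONLIST_RESP) for i in range(1, 5)
] + [("198.51.100.7", 40000, "192.0.2.1", 123, CLIENT_REQ)]
```

On the sample records the summary reports 203.0.113.10 receiving four monlist responses (1,760 bytes) from four different servers although it sent no request, which is the signature BCP38 egress filtering on the spoofing network would have prevented.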
The full blog post, with additional attack details and mitigation steps, is available here.