Homeless in Vancouver: Biggest-ever hack attack used basic Internet flaw
On Monday (February 10), hackers were reported to have exploited a fundamental weakness in the Internet itself to stage a massive distributed denial of service (DDoS) attack against unidentified computer servers in Europe.
Rather than exploiting flaws in a computer operating system, Monday’s attack instead used known weaknesses in the network time protocol (NTP), a nearly 30-year-old Internet system used to synchronize computer clocks around the world.
The attack was against a client of the online security firm Cloudflare.
Cloudflare’s CEO Matthew Prince tweeted word of the attack on one of his clients, describing it as “very big”—about 400 gigabits per second (Gbps)—the “biggest” of its kind, 100Gbps larger than an attack on anti-spam service Spamhaus last year. He also said his company was mitigating the effects of the attack.
Attack was only a matter of time
Online security experts, including Cloudflare, had predicted this kind of “NTP amplification/reflection” DDoS attack.
The NTP system still functions pretty much as it did when it began operating in 1985. There are thousands of NTP servers designed to keep computers connected to the Internet synchronized to the correct time. The system was not designed with security in mind.
To synchronize its clock over the Internet, a computer sends a request to a NTP server in the form of a small amount of data. The NTP server in turn replies with time data.
The attackers used two known weaknesses of the NTP system:
- The NTP sends back more data than it receives, giving hackers more bang for their buck.
- The NTP can be tricked into sending the data back to a different computer.
The attack likely used many, many computers simultaneously sending time requests to the NTP. Hackers “spoofed” their location to divert the massive amounts of NTP data to flood a single target.
The object of such a denial of service attack is to overwhelm the target, say a web site’s server, with so much traffic that it crashes.