Homeless in Vancouver: Biggest-ever hack attack used basic Internet flaw

On Monday (February 10), hackers were reported to have exploited a fundamental weakness in the Internet itself to stage a massive distributed denial of service (DDoS) attack against unidentified computer servers in Europe.

Rather than exploiting flaws in a computer operating system, Monday’s attack instead used known weaknesses in the network time protocol (NTP), a nearly 30-year-old Internet system used to synchronize computer clocks around the world.

The attack was against a client of the online security firm Cloudflare.

Cloudflare’s CEO Matthew Prince tweeted word of the attack on one of his clients, describing it as “very big”—about 400 gigabits per second (Gbps)—the “biggest” of its kind, 100Gbps larger than an attack on anti-spam service Spamhaus last year. He also said his company was mitigating the effects of the attack.

Attack was only a matter of time

Online security experts, including Cloudflare, had predicted this kind of “NTP amplification/reflection” DDoS attack.

The NTP system still functions pretty much as it did when it began operating in 1985. There are thousands of NTP servers designed to keep computers connected to the Internet synchronized to the correct time. The system was not designed with security in mind.

To synchronize its clock over the Internet, a computer sends a request to an NTP server in the form of a small amount of data. The NTP server in turn replies with time data.

The attackers used two known weaknesses of the NTP system:

  • An NTP server sends back more data than it receives, giving hackers more bang for their buck.
  • An NTP server can be tricked into sending its reply to a different computer than the one that asked.

The attack likely used many, many computers simultaneously sending time requests to NTP servers. Hackers “spoofed” the source address of those requests so that the massive amounts of NTP reply data were diverted to flood a single target.

The object of such a denial of service attack is to overwhelm the target, say a web site’s server, with so much traffic that it crashes.
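The two weaknesses just described can be modelled from the defender's side. The following is an added example, not code from the article or from Cloudflare: it computes the amplification ratio (weakness one), shows why that ratio matters for a 400 Gbps flood, and then runs a simple check over flow records to flag when a monitored NTP server is answering tiny requests with enormous replies to one "client", which is what a spoofed victim looks like (weakness two). All sizes, addresses, the `Flow` record and the `SAMPLE_FLOWS` data are constructed sample values, not measurements from the attack.

```python
# Added example (not from the article or Cloudflare): defender-side model of
# NTP amplification and reflection. All values below are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarized flow record (constructed; not a real capture format)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    nbytes: int  # total bytes carried by this flow record


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Weakness 1: the reply is larger than the request.

    The ratio is how many bytes the victim receives per byte the attacker sends.
    """
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def attacker_bandwidth_needed(target_gbps: float, factor: float) -> float:
    """Why amplification matters: the upstream capacity needed to deliver
    target_gbps to a victim through reflectors with the given factor."""
    if factor <= 0:
        raise ValueError("amplification factor must be positive")
    return target_gbps / factor


def find_abused_reflectors(flows, ntp_servers, min_ratio=10.0,
                           min_response_bytes=100_000):
    """Weakness 2: because the source address is spoofed, the victim's IP shows
    up as a 'client' that sends tiny requests to our NTP server and receives
    huge replies. Returns {(server_ip, client_ip): bytes_out / bytes_in} for
    pairs whose reply volume is large and out of proportion to the requests."""
    requests = defaultdict(int)
    responses = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_ip in ntp_servers and f.dst_port == 123:    # request to us
            requests[(f.dst_ip, f.src_ip)] += f.nbytes
        elif f.src_ip in ntp_servers and f.src_port == 123:  # reply from us
            responses[(f.src_ip, f.dst_ip)] += f.nbytes
    flagged = {}
    for key, out_bytes in responses.items():
        in_bytes = requests.get(key, 0)
        # replies with no matching request are the most suspicious case,
        # not a divide-by-zero error
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if out_bytes >= min_response_bytes and ratio >= min_ratio:
            flagged[key] = ratio
    return flagged


# Constructed sample flows: one legitimate client, one abused reflector, one
# unrelated TCP flow. 192.0.2.10 is the NTP server we monitor; 198.51.100.7 is
# the spoofed victim address (RFC 5737 documentation ranges throughout).
MONITORED_NTP_SERVERS = {"192.0.2.10"}
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.0.2.10", 40123, 123, "udp", 48),
    Flow("192.0.2.10", "203.0.113.5", 123, 40123, "udp", 48),
    Flow("198.51.100.7", "192.0.2.10", 123, 123, "udp", 2_000),
    Flow("192.0.2.10", "198.51.100.7", 123, 123, "udp", 400_000),
    Flow("203.0.113.5", "192.0.2.10", 51000, 443, "tcp", 9_000),
]

if __name__ == "__main__":
    factor = amplification_factor(8, 1600)  # constructed sizes, factor 200
    print(f"amplification factor: {factor:.0f}x")
    needed = attacker_bandwidth_needed(400, factor)  # 400 Gbps is the page's figure
    print(f"upstream needed to produce a 400 Gbps flood: {needed:.1f} Gbps")
    abused = find_abused_reflectors(SAMPLE_FLOWS, MONITORED_NTP_SERVERS)
    for (server, client), ratio in abused.items():
        print(f"reflector {server} abused against {client}: {ratio:.0f}x")
```

The thresholds (`min_ratio`, `min_response_bytes`) are deliberately parameters: a busy public NTP server legitimately answers many small requests, so the signal is the combination of a large reply volume toward a single address and a reply-to-request ratio that plain time synchronization never produces.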

Comments (2)
Time for ISPs to filter better
ISPs of all sizes need to do better filtering on their borders, such as "if this packet's source IP is *outside* our network, we probably ought to drop it".

DNS and NTP can both be used in these types of attacks, and have, and other protocols will be looked at if there isn't a more comprehensive solution put in place.

400 Gbps - 53,333 times my 7.5 Mbps cable connection bandwidth, which itself is enough to allow several servers to run, streaming music, YouTube videos, etc.

That's an incredible amount of data.
Rating: +1
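The border rule the comment above describes is source address validation (BCP 38). The following is an added example, not the commenter's code and not from any ISP: it models that rule in both directions, dropping outbound packets whose source address is not one the network originates and inbound packets that claim one of its own addresses. The prefixes, the `SAMPLE_PACKETS` list and the `(direction, src, dst)` tuple shape are constructed sample values; real deployments implement the same check with router ACLs or unicast reverse-path forwarding.

```python
# Added example (not the commenter's code): a minimal model of the border
# source-address filter the comment calls for. Prefixes and packets are
# constructed sample values using RFC 5737 documentation ranges.
import ipaddress

# Prefixes this hypothetical ISP originates (constructed).
OUR_PREFIXES = [ipaddress.ip_network(p)
                for p in ("203.0.113.0/24", "198.51.100.0/25")]


def is_ours(ip: str) -> bool:
    """True if ip falls inside one of the prefixes we announce."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_PREFIXES)


def egress_decision(src_ip: str) -> str:
    """Packet leaving our network for the Internet: the rule quoted in the
    comment. A source address that is not ours is spoofed (or misrouted),
    so there is no reason to forward it."""
    return "forward" if is_ours(src_ip) else "drop"


def ingress_decision(src_ip: str) -> str:
    """Packet arriving from the Internet: the mirror-image rule. Nothing
    outside should send us packets claiming to come from our own addresses."""
    return "drop" if is_ours(src_ip) else "forward"


def filter_packets(packets):
    """Apply both rules to (direction, src_ip, dst_ip) tuples.
    Returns (forwarded, dropped) so the caller can log the drops."""
    forwarded, dropped = [], []
    for direction, src, dst in packets:
        if direction == "egress":
            verdict = egress_decision(src)
        elif direction == "ingress":
            verdict = ingress_decision(src)
        else:
            raise ValueError(f"unknown direction {direction!r}")
        (forwarded if verdict == "forward" else dropped).append((direction, src, dst))
    return forwarded, dropped


# Constructed sample traffic. 192.0.2.10 stands in for a public NTP server.
SAMPLE_PACKETS = [
    ("egress", "203.0.113.9", "192.0.2.10"),     # our customer, legitimate
    ("egress", "198.51.100.200", "192.0.2.10"),  # outside our /25, drop
    ("egress", "192.0.2.44", "192.0.2.10"),      # spoofed source, drop
    ("ingress", "192.0.2.10", "203.0.113.9"),    # reply from outside, forward
    ("ingress", "203.0.113.9", "203.0.113.1"),   # outsider claims our address, drop
]

if __name__ == "__main__":
    kept, gone = filter_packets(SAMPLE_PACKETS)
    for pkt in gone:
        print("dropped:", pkt)
    print(f"forwarded {len(kept)}, dropped {len(gone)}")
```

Note that the egress rule is the one that stops reflection attacks at their origin: a spoofed request carrying the victim's address never leaves the network that produced it, so no NTP server anywhere gets a chance to amplify it.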
Stanley Q Woodvine
Monday's target now appears to have been a French client of Cloudflare, a hosting company called OVH that sells a packet filtering system called VAC, which, according to OVH, played a major role in mitigating the DDoS. Awful lot of PR going on with this.
Rating: +5