Forgot your password?
Security The Internet

DDoS Larger Than the Spamhaus Attack Strikes US and Europe 158

Posted by Unknown Lamer
from the do-not-stare-directly-into-the-udp-packet dept.
mask.of.sanity writes "CloudFlare has been hit by what appears to be the world's largest denial of service attack, in an assault that exploits an emerging and frightening threat vector. The Network Time Protocol Reflection attack exploits a timing mechanism that underpins a way the Internet works to greatly amplify the power of what would otherwise be a small and ineffective assault. CloudFlare said the attack tipped 400Gbps, 100Gbps higher than the previous record DDoS attack which used DNS reflective amplification."
This discussion has been archived. No new comments can be posted.

DDoS Larger Than the Spamhaus Attack Strikes US and Europe

Comments Filter:
  • Re:And yet... (Score:4, Interesting)

    by Anonymous Coward on Tuesday February 11, 2014 @02:44AM (#46215645)

    The affected NTP servers need to be cleaned up as well,

    Well, yes and no. There really aren't that many vulnerable NTP servers out there, and those which exist rarely have much bandwidth to do much damage.
    HOWEVER there are many, many, many shitty little firewalls (I'm looking at you, SonicWall, among others) which for some FUCKING RETARDED reason default to responding to unsolicited NTP packets with a "reject" or "bad request" packet, instead of just dropping it into the "bitbucket". So for the cost of sending a malformed 8-byte UDP packet, you can get the amplifier to respond with a full-size "bad request" or "service denied" response.

    Verifying source IP's is, as you stated, the real root of the issue.
    But it's not nearly so easy as you might think to blacklist a rogue ASN, at least not without blacklisting entire regions of the world at the same time. You need to get ALL the ASN's which have ANY kind of path to the rogue one to get in on the blacklisting, and even if you got it done they'd already have a contingency plan... change the company name, transfer the IP's to a "new" company with a new ASN, and boom you're back in business. It really is trying to shoot at a moving target, and in the process you end up hitting a lot of people who aren't guilty of anything.

  • by andyn (689342) on Tuesday February 11, 2014 @04:09AM (#46215849)

    a timing mechanism that underpins a way the Internet works

    But how many LOCs is that? Joking aside, I would have thought that nobody had to dumb down things that much before posting to Slashdot.

  • by Anonymous Coward on Tuesday February 11, 2014 @06:55AM (#46216287)

    Two key corrections:

    1. It's UDP (the protocol) not UPD. Contextually I understood though, and assumed typo until I saw...

    2. It's ntpd v4.2.7 not ntpd v2.4.7.

    Also, the recommended solution is not just to limit noquery, but others as well. This comes straight from the FreeBSD stable/9 ntp.conf as of 2013/12/27 []:

    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery

    restrict -6 ::1

    Last 3 lines are effectively "allow". For what these all do, refer to the ntp.conf man page.

  • Re:Not only NTP (Score:4, Interesting)

    by ledow (319597) on Tuesday February 11, 2014 @08:32AM (#46216585) Homepage


    Source-address spoofing just shouldn't be happening. Whether on the smallest or largest networks, why would you let someone fabricate any IP address and pass it along as if it were part of your network?

    First rule on almost all firewalls is to block all such "foreign" packets.

    The big carriers are really the problem here - they should just turn off network access to anyone who provides traffic to/from systems that they are not registered in their AS for. After an hour of being offline, they'll soon push the message to clean up what IP's are talking out from your networks all the way down to individual leased line customers.

The meat is rotten, but the booze is holding out. Computer translation of "The spirit is willing, but the flesh is weak."