DDoS Larger Than the Spamhaus Attack Strikes US and Europe

← Back to Stories (view on slashdot.org)

DDoS Larger Than the Spamhaus Attack Strikes US and Europe

Posted by Unknown on Monday February 10, 2014 @05:07PM from the do-not-stare-directly-into-the-udp-packet dept.

mask.of.sanity writes "CloudFlare has been hit by what appears to be the world's largest denial of service attack, in an assault that exploits an emerging and frightening threat vector. The Network Time Protocol Reflection attack exploits a timing mechanism that underpins a way the Internet works to greatly amplify the power of what would otherwise be a small and ineffective assault. CloudFlare said the attack tipped 400Gbps, 100Gbps higher than the previous record DDoS attack which used DNS reflective amplification."

4 of 158 comments (clear)

Min score:

Reason:

Sort:

Re:And yet... by Anonymous Coward · 2014-02-10 18:44 · Score: 4, Interesting

The affected NTP servers need to be cleaned up as well,

Well, yes and no. There really aren't that many vulnerable NTP servers out there, and those which exist rarely have much bandwidth to do much damage.
HOWEVER there are many, many, many shitty little firewalls (I'm looking at you, SonicWall, among others) which for some FUCKING RETARDED reason default to responding to unsolicited NTP packets with a "reject" or "bad request" packet, instead of just dropping it into the "bitbucket". So for the cost of sending a malformed 8-byte UDP packet, you can get the amplifier to respond with a full-size "bad request" or "service denied" response.
Verifying source IP's is, as you stated, the real root of the issue.
But it's not nearly so easy as you might think to blacklist a rogue ASN, at least not without blacklisting entire regions of the world at the same time. You need to get ALL the ASN's which have ANY kind of path to the rogue one to get in on the blacklisting, and even if you got it done they'd already have a contingency plan... change the company name, transfer the IP's to a "new" company with a new ASN, and boom you're back in business. It really is trying to shoot at a moving target, and in the process you end up hitting a lot of people who aren't guilty of anything.
Stop dumbing down summaries, please. by andyn · 2014-02-10 20:09 · Score: 3, Interesting

a timing mechanism that underpins a way the Internet works
But how many LOCs is that? Joking aside, I would have thought that nobody had to dumb down things that much before posting to Slashdot.
Re:Update your NTP sw! by Anonymous Coward · 2014-02-10 22:55 · Score: 2, Interesting

Two key corrections:
1. It's UDP (the protocol) not UPD. Contextually I understood though, and assumed typo until I saw...
2. It's ntpd v4.2.7 not ntpd v2.4.7.
Also, the recommended solution is not just to limit noquery, but others as well. This comes straight from the FreeBSD stable/9 ntp.conf as of 2013/12/27:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
Last 3 lines are effectively "allow". For what these all do, refer to the ntp.conf man page.
Re:Not only NTP by ledow · 2014-02-11 00:32 · Score: 3, Interesting

Yep.
Source-address spoofing just shouldn't be happening. Whether on the smallest or largest networks, why would you let someone fabricate any IP address and pass it along as if it were part of your network?
First rule on almost all firewalls is to block all such "foreign" packets.
The big carriers are really the problem here - they should just turn off network access to anyone who provides traffic to/from systems that they are not registered in their AS for. After an hour of being offline, they'll soon push the message to clean up what IP's are talking out from your networks all the way down to individual leased line customers.