DDoS Larger Than the Spamhaus Attack Strikes US and Europe
mask.of.sanity writes "CloudFlare has been hit by what appears to be the world's largest denial of service attack, in an assault that exploits an emerging and frightening threat vector. The Network Time Protocol Reflection attack exploits a timing mechanism that underpins a way the Internet works to greatly amplify the power of what would otherwise be a small and ineffective assault. CloudFlare said the attack tipped 400Gbps, 100Gbps higher than the previous record DDoS attack which used DNS reflective amplification."
The affected NTP servers need to be cleaned up as well,
Well, yes and no. There really aren't that many vulnerable NTP servers out there, and those which exist rarely have much bandwidth to do much damage.
HOWEVER there are many, many, many shitty little firewalls (I'm looking at you, SonicWall, among others) which for some FUCKING RETARDED reason default to responding to unsolicited NTP packets with a "reject" or "bad request" packet, instead of just dropping it into the "bitbucket". So for the cost of sending a malformed 8-byte UDP packet, you can get the amplifier to respond with a full-size "bad request" or "service denied" response.
Verifying source IPs is, as you stated, the real root of the issue.
But it's not nearly so easy as you might think to blacklist a rogue ASN, at least not without blacklisting entire regions of the world at the same time. You need to get ALL the ASNs which have ANY kind of path to the rogue one to get in on the blacklisting, and even if you got it done they'd already have a contingency plan... change the company name, transfer the IPs to a "new" company with a new ASN, and boom you're back in business. It really is trying to shoot at a moving target, and in the process you end up hitting a lot of people who aren't guilty of anything.
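One way an operator could spot reflectors of the kind this comment describes (hosts whose UDP/123 replies dwarf the bytes they were sent) from flow data, as an added example that is not part of the thread. The flow records, the six-field record layout and the 10:1 threshold are all constructed assumptions, not any collector's real export format.

```python
"""Flag NTP (UDP/123) reflectors by bytes-out / bytes-in amplification ratio."""
from collections import defaultdict

NTP_PORT = 123
THRESHOLD = 10.0  # bytes sent per byte received; an honest NTP exchange is ~1:1

# Constructed unidirectional flow records (assumed layout):
# (src_ip, dst_ip, src_port, dst_port, packets, bytes)
FLOWS = [
    # 1000 tiny (8-byte payload) packets with a spoofed victim source hit a reflector
    ("198.51.100.7", "203.0.113.10", 40000, 123, 1000, 50000),
    # the reflector answers the spoofed "victim" with 10000 full-size packets
    ("203.0.113.10", "198.51.100.7", 123, 40000, 10000, 4820000),
    # a benign client/server exchange: ten 90-byte requests, ten 90-byte replies
    ("192.0.2.5", "203.0.113.20", 54321, 123, 10, 900),
    ("203.0.113.20", "192.0.2.5", 123, 54321, 10, 900),
]


def amplification_by_reflector(flows, threshold=THRESHOLD):
    """Return {reflector_ip: worst_ratio} for every host that sent at least
    `threshold` times more bytes from port 123 to a peer than it received
    from that peer on port 123. A reflector that replied to a peer from
    which nothing was seen inbound (spoofed traffic entering elsewhere)
    gets an infinite ratio, so it is still flagged."""
    inbound = defaultdict(int)   # (reflector, peer) -> bytes received on :123
    outbound = defaultdict(int)  # (reflector, peer) -> bytes sent from :123
    for src, dst, sport, dport, _pkts, nbytes in flows:
        if dport == NTP_PORT:
            inbound[(dst, src)] += nbytes
        if sport == NTP_PORT:
            outbound[(src, dst)] += nbytes

    flagged = {}
    for (reflector, _peer), sent in outbound.items():
        received = inbound.get((reflector, _peer), 0)
        ratio = sent / received if received else float("inf")
        if ratio >= threshold:
            flagged[reflector] = max(ratio, flagged.get(reflector, 0.0))
    return flagged


if __name__ == "__main__":
    for host, ratio in amplification_by_reflector(FLOWS).items():
        print(f"{host}: {ratio:.1f}x amplification on UDP/{NTP_PORT}")
```

The benign exchange scores 1.0 and stays quiet; only the 96.4x host is reported, which is the list you would hand to the owning network to fix.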