Slashdot Mirror


DDoS Larger Than the Spamhaus Attack Strikes US and Europe

mask.of.sanity writes "CloudFlare has been hit by what appears to be the world's largest denial of service attack, in an assault that exploits an emerging and frightening threat vector. The Network Time Protocol Reflection attack exploits a timing mechanism that underpins a way the Internet works to greatly amplify the power of what would otherwise be a small and ineffective assault. CloudFlare said the attack tipped 400Gbps, 100Gbps higher than the previous record DDoS attack which used DNS reflective amplification."

6 of 158 comments

  1. You get some funny looks by Cryacin · · Score: 5, Funny

    When you approach the business and say that a zombie network is DDoSing the website with a Reflection attack, and that's why no-one can access the website.

    --
    Science advances one funeral at a time. - Max Planck
  2. Why are network providers allowing FORGED packets by Anonymous Coward · · Score: 5, Insightful

    Serious question: why are network providers allowing FORGED packets to leave their networks?

  3. Re:And yet... by Luckyo · · Score: 5, Informative

    The beauty of the first D in the DDOS is that it's in fact DISTRIBUTED denial of service. It's not coming out of single grandma, or even hundred grandmas.

    You may be forced to switch tens of thousands, maybe even hundreds of thousands of people off. Can you imagine the massive PR fallout? Mass media would LOVE the story.

    No one is going to go for that kind of PR disaster.

  4. Re:And yet... by jawnah · · Score: 5, Insightful

    How, exactly, would you propose that this is done by carriers? You say that it would be obvious if someone were attempting a DDoS attack but that may not be true. One of the major issues with DDoS is that it doesn't require tremendous bandwidth on the client sides. There could be millions of those (and with the fact that everyone thinks they need 50Mbps home internet for their web surfing) and there's plenty of bandwidth available that could be limited to appear like legitimate traffic. It has been my experience that the best attacks against things involve greater quantities of remote hosts and less bandwidth than fewer hosts with more bandwidth.

  5. Re:Why are network providers allowing FORGED packe by Anonymous Coward · · Score: 5, Informative

    It's not always laziness. I added outgoing filters to my routers so that it only allowed source addresses from my network. That was great at stopping DOS attacks, but as I found out the hard way, several of my customers were sending outbound traffic with source addresses not on my network. That was in 1997. For the next several years, it was a huge hassle to keep adding additional source address ranges for customers. An ISP selling a high speed connection has to allow outgoing traffic from addresses they don't own. That's the entire point of selling transit.

  6. Update your NTP sw! by Terje Mathisen · · Score: 5, Informative

    I've been a member of the NTP Hackers team for more than a decade; the mechanism that is being abused for these attacks is in fact a very useful debugging/monitoring facility:

    You can ask an ntpd server about how many clients it has and how often each of them has been accessing the server. On old/stable ntpd versions this facility was accessed using a single pure UDP packet (ntpdc -c monlist), and in reply you got back information about up to 602 clients (the size of the monlist buffer), sent as a big burst of UDP packets.

    Researchers have developed maps of the entire publicly accessible NTP networks using this facility; I have personally used it to map the status of our fairly big corporate network. I.e. it can be extremely useful!

    A few years ago the development version of ntpd switched to a different protocol and method to query this information, using a nonce, which meant that you can no longer spoof the source address (ntpq -c mrulist). Since the mrulist buffer is configurable, I have set up my public ipv6 pool server (ntp2.tmsw.no [2001:16d8:ee97::1]) to keep monitoring info for the last 10K clients.

    Today we recommend that you either upgrade to ntpd v2.4.7, or if you really cannot do this, insert a 'restrict default noquery' option in the ntp.conf configuration file. The 'noquery' indicates that clients can still use the server for regular time requests, but the monitoring facility is disabled.

    Terje

    --
    "almost all programming can be viewed as an exercise in caching"
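An added example, not from the thread or the NTP project: a small Python audit that reads an ntp.conf and reports, per address family, whether the monlist facility Terje describes would still answer unauthenticated queries. It assumes ntpd's `restrict [-4|-6] default ...` and `enable/disable monitor` syntax; the sample configurations are constructed for illustration.

```python
# Static audit of ntp.conf for the 'restrict default noquery' hardening.
# Nothing is sent on the network; the file text is all that is inspected.

# Constructed sample configs: one that still answers monlist, one hardened.
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer   # no 'noquery': mode 7 queries answered
restrict 127.0.0.1
"""
HARDENED_CONF = """\
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

def _tokens(line):
    """Split one ntp.conf line into tokens, dropping '#' comments."""
    return line.split("#", 1)[0].split()

def parse_ntp_conf(conf_text):
    """Return (monitor_enabled, defaults); defaults maps '4', '6' or 'both'
    to the flag set of the last matching 'restrict [-4|-6] default' line."""
    monitor_enabled = True          # ntpd default: monitor facility is on
    defaults = {}
    for raw in conf_text.splitlines():
        t = _tokens(raw)
        if not t:
            continue
        if t[0] in ("enable", "disable") and "monitor" in t[1:]:
            monitor_enabled = (t[0] == "enable")   # later line wins
        elif t[0] == "restrict":
            rest, family = t[1:], "both"
            if rest and rest[0] in ("-4", "-6"):
                family, rest = rest[0][1], rest[1:]
            if rest and rest[0] == "default":
                defaults[family] = set(rest[1:])
    return monitor_enabled, defaults

def monlist_exposed(conf_text):
    """Per family, True if monitor is on and the effective default restriction
    carries neither 'noquery' nor 'ignore' (assumed: a family-specific line
    takes precedence over the plain 'restrict default' line)."""
    monitor_enabled, defaults = parse_ntp_conf(conf_text)
    result = {}
    for fam in ("4", "6"):
        flags = defaults.get(fam, defaults.get("both", set()))
        result["ipv" + fam] = monitor_enabled and not ({"noquery", "ignore"} & flags)
    return result

if __name__ == "__main__":
    print("weak:", monlist_exposed(WEAK_CONF))          # both families exposed
    print("hardened:", monlist_exposed(HARDENED_CONF))  # neither exposed
```

Note that 'noquery' also blocks legitimate ntpq status queries from remote hosts, so loopback or management addresses usually get their own restrict line without it.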