DDoS Attacks Getting Larger, But Latest Threats Are Less Sophisticated
These NTP attacks have been on the rise since January, CloudFlare reports. In fact, one CloudFlare client took a significant hit just this week.
NTP attacks are much larger than other DDoS attacks waged in the last two years. But they are far less sophisticated than application-layer attacks, such as those that targeted U.S. banks in 2012 and 2013.
John Graham-Cumming, a programmer with CloudFlare, says emerging NTP attacks misuse the User Datagram Protocol (UDP) to produce massive amounts of traffic. "These attacks use reflection and amplification, which means that the source is hard to track down and the attacker is able to punch above their weight through the amplification attack," Graham-Cumming says.
NTP attacks work in much the same way as DNS reflection attacks. DNS reflection attacks are waged when attackers send DNS queries to open resolvers, spoofing the UDP source address on their requests so that it is the address of their chosen target. The requests are designed to draw much larger responses, so the resolvers send about eight times as much traffic to the target as the attacker originated.
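The reflection mechanism described above has a visible signature from the defender's side: the victim receives large UDP responses from service ports (NTP 123, DNS 53) it never queried, from many servers at once, while any request that is in view is tiny compared with its answer. The following is an added Python example that checks flow summaries for exactly that pattern; it is not code from the article, CloudFlare or Arbor Networks. The flow records, the addresses (documentation ranges) and the amplification and reflector-count thresholds are constructed for illustration.

```python
"""Flag UDP reflection/amplification victims in five-tuple flow summaries.

Added example; the flow records below are constructed (documentation-range
addresses) and the thresholds are assumptions, not values from the article.
"""
from collections import defaultdict
from dataclasses import dataclass

# Service ports commonly used for reflection (the article discusses NTP and DNS).
AMP_PORTS = {123: "ntp", 53: "dns"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str   # "udp" or "tcp"
    bytes: int   # total bytes seen for this flow in the export interval


# Constructed sample, shaped like what a flow collector exports.
SAMPLE_FLOWS = [
    # Requests that claim to come from 203.0.113.10 (the spoofed victim) to
    # three NTP servers, each answered with a response ~93x the request size.
    Flow("203.0.113.10", 40000, "198.51.100.1", 123, "udp", 480),
    Flow("198.51.100.1", 123, "203.0.113.10", 40000, "udp", 44800),
    Flow("203.0.113.10", 40001, "198.51.100.2", 123, "udp", 480),
    Flow("198.51.100.2", 123, "203.0.113.10", 40001, "udp", 44800),
    Flow("203.0.113.10", 40002, "198.51.100.3", 123, "udp", 480),
    Flow("198.51.100.3", 123, "203.0.113.10", 40002, "udp", 44800),
    # A DNS response to the same victim with no matching request in view,
    # which is all the victim's own network edge would ever see.
    Flow("198.51.100.53", 53, "203.0.113.10", 40003, "udp", 30000),
    # Benign NTP time sync: small packets both ways.
    Flow("192.0.2.50", 51000, "198.51.100.1", 123, "udp", 48),
    Flow("198.51.100.1", 123, "192.0.2.50", 51000, "udp", 48),
    # One large DNS answer to a single client: high ratio, but one server only.
    Flow("192.0.2.77", 52000, "198.51.100.53", 53, "udp", 60),
    Flow("198.51.100.53", 53, "192.0.2.77", 52000, "udp", 3000),
    # TCP traffic is ignored by this check.
    Flow("192.0.2.9", 44444, "198.51.100.80", 80, "tcp", 500000),
]


def pair_flows(flows):
    """Sum request and response bytes per (apparent client, server, service port)."""
    requests = defaultdict(int)
    responses = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port in AMP_PORTS:      # client -> server direction
            requests[(f.src_ip, f.dst_ip, f.dst_port)] += f.bytes
        if f.src_port in AMP_PORTS:      # server -> client direction
            responses[(f.dst_ip, f.src_ip, f.src_port)] += f.bytes
    return requests, responses


def find_reflection_victims(flows, min_amplification=5.0, min_reflectors=3):
    """Return {victim_ip: summary} for hosts receiving amplified responses
    from at least `min_reflectors` distinct servers.

    A response with no request in view counts as infinitely amplified: from
    the victim's vantage point, reflected traffic is unsolicited by definition.
    """
    requests, responses = pair_flows(flows)
    per_client = defaultdict(lambda: {"reflectors": set(), "services": set(),
                                      "req": 0, "resp": 0})
    for key, resp_bytes in responses.items():
        client, server, port = key
        req_bytes = requests.get(key, 0)
        ratio = resp_bytes / req_bytes if req_bytes else float("inf")
        if ratio < min_amplification:
            continue                      # ordinary query/answer traffic
        entry = per_client[client]
        entry["reflectors"].add(server)
        entry["services"].add(AMP_PORTS[port])
        entry["req"] += req_bytes
        entry["resp"] += resp_bytes

    victims = {}
    for client, e in per_client.items():
        if len(e["reflectors"]) < min_reflectors:
            continue                      # a single big answer is not an attack
        victims[client] = {
            "reflectors": sorted(e["reflectors"]),
            "services": sorted(e["services"]),
            "response_bytes": e["resp"],
            "amplification": e["resp"] / e["req"] if e["req"] else float("inf"),
        }
    return victims


if __name__ == "__main__":
    for victim, info in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {len(info['reflectors'])} reflectors "
              f"({', '.join(info['services'])}), {info['response_bytes']} B, "
              f"amplification x{info['amplification']:.1f}")
```

On the constructed sample only 203.0.113.10 is reported: four servers answer it with roughly 114 times the bytes of the requests attributed to it. The benign time-sync pair is dropped by the ratio test, and the single large DNS answer to 192.0.2.77 is dropped by the reflector-count test, which is what keeps ordinary big answers (zone transfers, DNSSEC responses) from paging anyone.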
Easier to Mitigate
But compared to the application-layer DDoS attacks against banks in 2012 and 2013, online outages from NTP-based attacks are far easier to mitigate, says Dan Holden, director of Arbor Networks' Security Engineering & Response Team, which provides DDoS mitigation and reporting tools.
And some other experts say CloudFlare's warning about emerging NTP attacks is a bit overblown.
Still, Holden says NTP attacks are expected to increase, and therefore should be taken seriously.
"NTP has certainly been the DDoS trend thus far in 2014," he says. And Holden says DDoS attacks waged via NTP or DNS reflection will continue throughout the year, just as retailers can expect point-of-sale attacks to continue.
Experts say organizations should take steps now to mitigate their NTP attack risks. The Open NTP Project provides information and tools to scan networks for NTP servers that can be abused. And the U.S. Computer Emergency Readiness Team has published an update about vulnerabilities in NTP servers that all organizations should address.
Graham-Cumming would not name the CloudFlare customer that had been targeted Feb. 10 by the most recent NTP attack. But he says NTP and DNS reflection and amplification attacks are being waged against a number of organizations, ranging from small businesses to political groups. He wrote a blog in January about the emergence of NTP attacks.
CloudFlare claims that the Feb. 10 attack was larger than the DDoS attacks waged in March 2013 as part of Operation Stophaus - a vigilante attack on The Spamhaus Project, a Geneva-based not-for-profit organization dedicated to fighting Internet spam operations (see Biggest DDoS Attack in History?).
But Jason Polanich, CEO and co-founder of HackSurfer, a cybercrime data analysis firm, says comparing the Feb. 10 attack to the massive attack against Spamhaus appears to be jumping the gun.
"DDoS is always out there," Polanich says. "Sure, sizable DDoS is news, but unlike Spamhaus, we have yet to see reverberations, i.e., proof, [that the Feb. 10 attack] had a significant effect, like Spamhaus did, on many regions and networks."
Arbor Networks' Holden says NTP and DNS attacks are well understood by most ISPs, so defense strategies can be readily implemented.
On the other hand, application-layer attacks, such as those waged against U.S. banking institutions by the self-proclaimed hacktivist group Izz ad-Din al-Qassam Cyber Fighters, are much more complex, he adds.
"It's not necessarily the size that matters in every instance, but the complexity and multilayer aspect of attacks that make them more likely to succeed, and scarier," Holden says.
Significance of NTP Attacks
Holden acknowledges, however, that the Feb. 10 attack noted by CloudFlare was sizable. It targeted a destination in France, with attack traffic peaking at 325 gigabytes per second, based on Arbor Networks' ATLAS system data. "There also appear to have been other attacks over the weekend ranging in size from 40 to 80 gigabytes per second, targeting destinations in France," he adds.
DDoS attacks in 2013 were more than 200 percent larger than previously recorded peaks, according to Arbor Networks' ninth Annual Worldwide Infrastructure Security Report. But the largest reported attack in 2013 was 309 gigabytes per second, with multiple respondents reporting attacks larger than 100 gigabytes per second, Holden says.
"At 325 gigabytes per second, [the Feb. 10] attack was yet another new milestone," he says. "ATLAS also verifies this growth, with more than 8 times the number of attacks over 20 gigabytes tracked in 2013, as compared to 2012."
During the height of some of the banking attacks in 2012 and 2013, DDoS mitigation provider Prolexic Technologies reported that attacks hit 160 gigabytes per second and 144 million packets per second. "The amount of data and the complexity of these attacks is enough to overwhelm almost anybody's infrastructure," Prolexic CEO Scott Hammack told Information Security Media Group in March 2013.
Anti-spoofing technologies can be very effective at mitigating the risk of NTP and DNS reflection and amplification attacks, Holden says. But operating system vendors and developers also must ensure that they are taking steps to secure network devices, such as routers and switches, as well as home-based broadband devices, with secure defaults.
"Secure defaults include not running services such as NTP servers and DNS recursors by default, and ensuring that the default configuration of these services does not lend itself to abuse," Holden explains.
Network operators, Internet service providers and enterprise network operators also have roles to play, he says. "[They] should routinely scan their IP address space for insecurely configured services that can be abused by attackers, and then work to notify the operators of such services and remediate them," Holden says.
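The anti-spoofing measure Holden refers to is applied at the customer-facing edge: the operator forwards a packet only if its source address lies inside the prefixes delegated to the link it arrived on, so a request stamped with a victim's address never leaves the network, and the drop counters point at which customer link needs the notification and remediation he describes. The following is an added Python example of that source-address validation; it is not code from the article, from Arbor Networks or from any router vendor. The delegated prefixes and the packets are constructed from documentation address ranges.

```python
"""Source-address validation at a customer-facing edge (BCP38-style).

Added example with constructed data: the prefixes and packets use
documentation address ranges and stand for no real network.
"""
import ipaddress
from collections import Counter


class IngressFilter:
    """Permit a packet only if its source address lies inside one of the
    prefixes delegated to the interface the packet arrived on."""

    def __init__(self, delegated_prefixes):
        # strict=True rejects prefixes with host bits set, a common config typo.
        self.networks = [ipaddress.ip_network(p, strict=True)
                         for p in delegated_prefixes]
        self.dropped = Counter()   # (claimed source, destination port) -> count

    def permits(self, src_ip):
        try:
            addr = ipaddress.ip_address(src_ip)
        except ValueError:
            return False               # unparsable source: never forward it
        # `in` returns False across address families, so a v4/v6 mix is safe.
        return any(addr in net for net in self.networks)

    def apply(self, packets):
        """Forward permitted packets; tally the rest for the operator's report."""
        forwarded = []
        for pkt in packets:
            if self.permits(pkt["src"]):
                forwarded.append(pkt)
            else:
                self.dropped[(pkt["src"], pkt["dport"])] += 1
        return forwarded

    def report(self):
        """Claimed sources that were dropped, most frequent first; the link
        that emits these is the one to notify and remediate."""
        return self.dropped.most_common()


# Constructed: one customer link with an IPv4 /24 and an IPv6 /48 delegated.
CUSTOMER_PREFIXES = ["192.0.2.0/24", "2001:db8:1::/48"]

# Constructed packets seen on that link (claimed source, destination, dest port).
SAMPLE_PACKETS = [
    {"src": "192.0.2.17", "dst": "198.51.100.1", "dport": 123},       # genuine NTP query
    {"src": "203.0.113.10", "dst": "198.51.100.1", "dport": 123},     # spoofed victim address
    {"src": "203.0.113.10", "dst": "198.51.100.2", "dport": 123},
    {"src": "203.0.113.10", "dst": "198.51.100.53", "dport": 53},
    {"src": "2001:db8:1::5", "dst": "2001:db8:2::1", "dport": 123},   # genuine, IPv6
    {"src": "2001:db8:ffff::1", "dst": "2001:db8:2::1", "dport": 123},  # outside delegation
    {"src": "not-an-address", "dst": "198.51.100.1", "dport": 53},    # malformed
]


def run_filter(prefixes=CUSTOMER_PREFIXES, packets=SAMPLE_PACKETS):
    """Apply the filter once and return (forwarded packets, drop report)."""
    f = IngressFilter(prefixes)
    forwarded = f.apply(packets)
    return forwarded, f.report()


if __name__ == "__main__":
    forwarded, report = run_filter()
    print(f"forwarded {len(forwarded)} packet(s)")
    for (src, dport), n in report:
        print(f"dropped {n} packet(s) claiming source {src} toward port {dport}")
```

Of the seven constructed packets only the two with sources inside the delegation are forwarded; the three stamped with the victim's address are dropped before they can reach an NTP or DNS server and be amplified. The same check is what a router's unicast reverse-path-forwarding or an ingress access list does in hardware; the Python version is only here to make the decision explicit.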
Meanwhile, organizations targeted by DDoS attacks should enforce network access control policies on the hardware-based routers and switches at their public-facing network perimeter.
"However, the high volumes which can be generated by these attacks can saturate transit links, requiring upstream mitigation by ISPs and/or managed security service providers with DDoS defense capabilities," Holden adds.