This week’s gigantic DDoS attack on mitigation firm CloudFlare was made possible by weak configuration of a relatively small number of NTP servers, including some inside the intended target, the firm’s co-founder and CEO Matthew Prince has complained.
At the time of Monday’s attack, CloudFlare restricted its comments to a simple notification by Prince on Twitter in which he said, "someone's got a big, new cannon," leaving other firms to speculate on the details.
Rival mitigation firm Arbor Networks’ Atlas system detected the attack on CloudFlare customer, French hosting firm OVH, as being around the 325Gbps at peak, slightly larger than last March’s DNS reflection attack on Spamhaus.
In a new blog CloudFlare has now confirmed that the attack ended up being around 400Gbps, making it the largest single DDoS attack in history, before going on to complain about the modest resources necessary to cause the deluge.
According to CloudFlare’s CEO, the attack exploited only 4,529 NTP servers, each generating an average of 87Mbps of traffic from 1,298 different networks. For comparison, the Spamhaus attack coralled 31,000 DNS servers - seven times as many - to generate a lower amount of traffic
“Remarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests,” said Prince.
To ram home the point, the firm has published a spreadsheet of the networks involved with the number of NTP servers involved from each. Ridiculously, this also includes 114 servers from the French firm OVH, the target of the attack; OVH’s own infrastructure was being used to attack it through CloudFlare.
“If you're a network administrator and on Monday you saw network graphs like the one in the Tweet below [see below] then you are running a vulnerable NTP server,” chided Prince.
The culprit in the NTP attacks was the obscure ‘monlist’ command that summons a list of the last 600 IP addresses to connect to the NTP server, which on its own can generate a traffic response over 200 times that of the request. "The command seems of such little practical use," wrote an exasperated Prince.
This is precisely the server weakness warned of by US-CERT and others in mid-January under CVE-2013-5211, enabled by default on all versions of the Network Time Protocol daemon (NTPd) OS prior to version 4.2.7. This function can be disabled, which presumably is CloudFlare’s intention in publicising the servers used in the attack.
“Finally, if you think NTP is bad, just wait for what's next,” warned Prince. “SNMP has a theoretical 650x amplification factor. We've already begun to see evidence attackers have begun to experiment with using it as a DDoS vector. Buckle up.”
Separately, mitigation firm has warned that criminals are now using a toolkit called 'Flooder' to make DNS reflection attacks much easier to set up and execute. CloudFlare's warning could be prescient.