Meetup’s Multi-Day Outage Was Due To A Newer, More Powerful Type Of DDoS Attack

A bit of follow-up on Meetup’s DDoS (distributed denial of service) attack, which saw the company’s website and accompanying mobile services down for several days: according to the company, this was an example of the increasingly common NTP-based DDoS attack. According to CloudFlare CEO Matthew Prince, who stepped in to help Meetup get back online, NTP-style attacks are a newer choice among criminals for producing the DDoS flood that can crash websites, and they’re far more powerful, too.

In a nutshell, DDoS attacks attempt to crash servers, usually web servers, by sending a barrage of traffic to overwhelm the receiving ports. The servers crash under the load, taking websites and services down with them. Until recently, as with the high-profile Spamhaus DDoS attacks last year, the favorite vector for criminals instigating these attacks was DNS – that is, they would amplify their attacks using the DNS infrastructure.

But now, attackers are beginning to exploit flaws in other, older Internet protocols that were not originally secured particularly well. In Meetup’s case, the attackers used NTP – the Network Time Protocol – which is used to synchronize clocks between multiple servers.

“The size of the attack was large enough that just about any organization, short of Google or someone with a network like CloudFlare, would have struggled to stay online,” explains Prince. “[These attacks] are relatively easy to launch, and can generate enormous amounts of traffic.”

The attackers are able to generate attacks that are hundreds of times the size of the bandwidth they have access to. So, for example, an attacker with a 1 Gigabit connection to the Internet can generate over 200 Gigabits per second (Gbps) of attack traffic.

In Meetup’s case, however, the attack was “only” 8 Gigabits in size. That’s still an enormous attack compared to many in the past. But it’s not uncommon for NTP attacks to be in the 10 Gigabits+ range, says Prince. His company now sees hundreds of attacks of that size per week, in fact. Additionally, CloudFlare is now seeing attacks that get over 100 Gbps very regularly. “Two years ago, that would have been a record-breaking attack. Now we’re seeing that on an almost daily basis,” he says.

NTP-based attacks have also now outpaced DNS-based attacks as the source of the largest DDoS attacks, Prince notes. “Up until about six months ago, NTP attacks were fairly uncommon, but they’ve definitely been on the rise,” he adds. He can’t be sure whether NTP attacks are growing in popularity or whether CloudFlare is just seeing more of them as it grows its own network, which now includes over 2 million customers and is adding 5,000 new customers per day.

The targets are not usually as high-profile as a technology company like Meetup, though. More often, they’re e-commerce businesses (like online flower shops ahead of Valentine’s Day), or those attacks motivated by political concerns. These, in the past, have included adoption agencies, for example – attacked by those who don’t want to see Chinese or Russian children adopted out of their home country by Western European or U.S. families. More recently, Ukrainian news organizations have been under attack, as the country has been torn apart by protests and bloodshed.

In any event, Meetup was likely right to refuse to pay the $300 the attacker requested to stop the barrage: not only could the price have rapidly increased once the company admitted it was willing to negotiate, it would also have identified itself more broadly as a target that’s willing to pay. This could have brought more attacks in the future.

Unfortunately, as bad as NTP attacks are in terms of their ability to amplify an attacker’s bandwidth versus the traditional DNS-based attacks, there’s another protocol beginning to be exploited which is even worse: SNMP.


“If DNS can do a 50x amplification factor, and NTP can do about a 200x amplification factor, SNMP can theoretically do about a 650x amplification factor,” Prince explains. “And we’ve already started to see attackers experimenting with it.”
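As an added illustration (not from the article or from CloudFlare), here is a defender-side check in Python that applies the reasoning above to a few constructed flow records: it flags hosts receiving unsolicited UDP traffic from NTP, DNS or SNMP source ports, then uses the amplification factors Prince quotes to estimate how little upstream bandwidth the attacker actually needed. The flow-record format and the sample addresses are assumptions.

```python
from collections import defaultdict

# Reflection-prone UDP services with the amplification factors quoted in the article.
AMPLIFICATION = {123: ("NTP", 200), 53: ("DNS", 50), 161: ("SNMP", 650)}

# Constructed sample flow records (not real traffic), one second of data:
# epoch_second src_ip src_port dst_ip dst_port proto bytes
SAMPLE_FLOWS = """\
1000 198.51.100.7 123 203.0.113.10 40001 udp 440000000
1000 198.51.100.8 123 203.0.113.10 40002 udp 330000000
1000 198.51.100.9 123 203.0.113.10 40003 udp 230000000
1000 203.0.113.10 52000 198.51.100.50 123 udp 96
1000 198.51.100.50 123 203.0.113.10 52000 udp 96
1000 192.0.2.44 53 203.0.113.20 3300 udp 1200
"""

def parse_flows(text):
    """Parse one flow per line into (ts, src_ip, src_port, dst_ip, dst_port, proto, bytes)."""
    flows = []
    for line in text.splitlines():
        ts, sip, sport, dip, dport, proto, nbytes = line.split()
        flows.append((int(ts), sip, int(sport), dip, int(dport), proto, int(nbytes)))
    return flows

def detect_reflection(flows, min_gbps=1.0, min_reflectors=2):
    """Return {victim_ip: (service, gbps, reflector_count)} for hosts that receive
    unsolicited UDP traffic from a reflection-prone source port above min_gbps."""
    # Queries this network sent out: replies to these are legitimate, not attack traffic.
    solicited = {(sip, dip, dport) for _, sip, _, dip, dport, proto, _ in flows
                 if proto == "udp" and dport in AMPLIFICATION}
    seconds = max(f[0] for f in flows) - min(f[0] for f in flows) + 1
    totals = defaultdict(lambda: [0, set()])  # (victim, port) -> [bytes, reflector ips]
    for _, sip, sport, dip, _, proto, nbytes in flows:
        if proto != "udp" or sport not in AMPLIFICATION:
            continue
        if (dip, sip, sport) in solicited:
            continue  # a reply to our own query
        totals[(dip, sport)][0] += nbytes
        totals[(dip, sport)][1].add(sip)
    alerts = {}
    for (victim, port), (nbytes, reflectors) in totals.items():
        gbps = nbytes * 8 / seconds / 1e9
        if gbps >= min_gbps and len(reflectors) >= min_reflectors:
            alerts[victim] = (AMPLIFICATION[port][0], round(gbps, 3), len(reflectors))
    return alerts

def estimate_attacker_gbps(observed_gbps, service):
    """Upstream bandwidth the attacker needed, given the article's amplification factor."""
    factor = next(f for name, f in AMPLIFICATION.values() if name == service)
    return observed_gbps / factor
```

On the sample data the host 203.0.113.10 is flagged with 8 Gbps of NTP reflection from three reflectors (the size of the Meetup attack), which at 200x amplification implies the attacker needed only about 40 Mbps of upstream capacity.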

Though the bad guys’ behavior means good business for CloudFlare, Prince’s company doesn’t charge companies upfront before stepping in to help when an attack is underway. Its first focus is getting the business back online; only after the immediate threat is mitigated does it negotiate a financial arrangement to keep the customer’s business in the future. The company also tends to offer free services to human rights organizations, or to those who are threatened because they’re trying to disseminate news or information. This benefits the recipients, of course, but it benefits CloudFlare too. “Our network gets smarter with each new attack,” says Prince. “So putting ourselves in the path of the bullet makes our shields stronger.”

The good news is that a number of the vulnerable NTP servers have been closed down following the increase in attacks. Of the 450,000 vulnerable servers that were online a few weeks ago when one of the largest NTP attacks occurred, only 300,000 remain online today. Companies can check their own network for vulnerabilities using the Open NTP Project, as well as the Open Resolver Project (for vulnerable DNS servers).

For the technically minded, CloudFlare has more info on NTP-based DDoS attacks here.