Worst DDoS attack of all time hits French site

Worst DDoS attack of all time hits French site

Summary: A website in France was hammered on Monday by a Distributed Denial of Service attack that hit it at a rate from 325Gbps to 400Gbps making it the strongest DDoS attack ever.

TOPICS: Security, Networking

Web performance company CloudFlare reported that it mitigated a Distributed Denial of Service (DDoS) attack on a French Website that reached a record-setting attack of almost 400 Gigabits per second (Gbps).

This wasn't just boasting. Arbor Networks, a DDoS security company and CloudFlare rival, agreed that the attack reached at least 325Gbps. 

CloudFlare found that the French DDoS attack came from NTP servers all around the world.

Now for the really bad news: More such attacks are on their way.

Darren Anstee, Arbor Networks' Director of Solutions Architects, said, "According to Arbor Networks’ ninth Annual Worldwide Infrastructure Security Report (WISR) the size of attacks in 2013 eclipsed previous peaks by over 200 percent, with the largest reported attack at 309Gbps. Plus, multiple respondents reported attacks larger than 100Gbps — the previous largest attack size. At 325Gbps [this] attack was yet another new milestone. ATLAS also verifies this growth, with more than 8 times the number of attacks over 20Gbps tracked in 2013, as compared to 2012. Larger attacks are becoming more common and network operators need to ensure that they have the people, processes and infrastructure in place to handle large attack volumes before service, potentially for multiple customers, is impacted."

As for the attack reported by CloudFlare, Anstee continued, "Arbor Networks is able to confirm that its ATLAS system monitored an attack on Monday February 10, targeting a destination in France, which peaked at 325Gbps. As with other large attacks, a reflection technique appears to have been used to magnify the attacker’s capabilities, leveraging network time protocol (NTP, UDP 123) in this case. There also appear to have been other attacks over the week-end ranging in size from 40-80Gbs, targeting destinations in France."

NTP DDoS attacks are new. They were first reported in late December 2013 by Symantec. NTP is commonly used to sync times for systems over the Internet and local networks. If you've ever set the time on your PC or network router with an Internet time server you've used NTP. In a very short time, NTP reflection DDoS attacks have become popular.

If your NTP traffic looks like this, then you've got bad news: You're running an insecure network and you're part of a DDoS attack.

This week, they were used in several massive DDoS attacks. The attack that CloudFlare fought off was the largest. Other attacks in the 20Gbps to 80Gbps range have been reported.

According to CloudFlare, these DDoS attacks start "with a server controlled by an attacker on a network that allows source IP address spoofing (e.g., it does not follow BCP38 IP source address spoofing protection). The attacker generates a large number of UDP [User Datagram Protocol] packets spoofing the source IP address to make it appear the packets are coming from the intended target. These UDP packets are sent to NTP servers (port 123) that support the MONLIST command."

MONLIST is a rather useless NTP command that's no longer supported in newer NTP servers. It forces NTP servers to return a list of up to 600 IP addresses that last accessed the NTP server. The response to a single MONLIST request can be up to 206-times larger than the request. CloudFlare explained, "In the attack, since the source IP address is spoofed and UDP does not require a handshake, the amplified response is sent to the intended target. An attacker with a 1Gbps connection can theoretically generate more than 200Gbps of DDoS traffic."

In practice, CloudFlare found that to generate the approximately 400Gbps of attack traffic, "the attacker used 4,529 NTP servers running on 1,298 different networks. On average, each of these servers sent 87Mbps of traffic to the intended victim on CloudFlare's network. Remarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests."

The good news is that you can prevent network servers from joining in future NTP DDoS attacks by following a few simple steps. First make sure you don't have an NTP server that's open to the rest of the world that supports MONLIST. You can check this just by visiting the OpenNTP Project site.

If your NTP Server is vulnerable, simply upgrade it to NTP-4.2.7p26 or later. This NTP fix has around since 2010 so only older, non-updated NTP servers should be vulnerable.

You should also make sure your network doesn't allow source Internet Protocol (IP) address spoofing. MIT's Spoofer Project tests will let you know if your network allows address spoofing. If it does, it's not that hard to implement BCP38.

The most annoying thing about this new rash of DDoS attacks is that the fixes to prevent have been around for years. Besides NTP's 2010 fix, the rules to implement BCP38 have been around since 2000!

Yes, these attacks are bad news, but they can only exist in the first place because network administrators and small-office/home-office (SOHO) equipment manufacturers have allowed these known security holes to remain open for years. It's time to close them once and for all. After all, the next Website to get smacked around might be yours!

Related Stories:

Topics: Security, Networking

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Worst?

    How does one measure the "worst" DDoS of all time?
    • Bandwidth

      This DDoS had a record amount of bandwidth directed at the target
      • You sure this wasn't just gmail thinking it was an inbox it needed to

        stuff ads into? They have a lot of servers working 24/7 as spambots.
        Johnny Vegas
        • Hehe, well Johnny,

          I had a similar thought...that it was Google having a bit of revenge on the French for the recent fines!
  • motive?

    Maybe I just missed it, but what was the motive?
    • @gdstark13...perhaps this was a test run?

      since no "motive" was announced, it could have just been a test to see if the DDoS attack could be used against a target, gather data as to number of recruitable "zombies" running vulnerable NTP servers, and then refine the next attack on their intended target(s). By first directing towards a rather obscure target, they perhaps would not gain as much attention from the security sector, allowing for subsequent attacks to have a higher chance of success.
      This is just a guess on my part though...educated guess, but a guess none the less.
  • We were hit with this Tuesday starting @ 12:30AM

    We have a 100 megabit fiber connection but yet this DDOS was making out connection put out at over 200 megabits per second sustained!!! It was all outbound traffic. It was so much that it brought our network down, rendering it useless. We had a FreeBSD server on our network that was exploited by this NTP DDOS. We had to unplug the machine from the network as an immediate fix. It wasn't behind a firewall. We put it behind a firewall and only opened the necessary ports. Problem went away. Also we got the NTP patched just in case....
    This was a very serious incident... Hopefully won't see that for a long time.
  • The attack was

    The attack was aimed at a cartoon?

    I'd hate to say, if there are this many attackers in this world that don't like cartoons...
    ..Houston, we really do have a problem.
    • Nah,

      I think it was a single person or a small group.
  • Wow.

    Awesome, congrats to whoever made it :-)