CloudFlare: Biggest DDoS Ever Hits Europe

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

DDoS weighing in at nearly 400Gbps targets unnamed CloudFlare customer in Europe, as attackers use NTP to amplify attack

One of the biggest distributed denial of service (DDoS) attacks ever recorded hit European networks yesterday, according to content delivery network CloudFlare.

Few details about the attack have emerged, but CloudFlare said it was probably close to 400Gbps in power, as it continues to investigate. The firm revealed the previous number one DDoS attack last year, measuring in at just over 300Gbps, targeted at anti-spam outfit Spamhaus.

‘Larger than Spamhaus DDoS’

EU, European Union © SmileStudio Shutterstock 2012Despite its apparent strength, there does not seem to have been any serious downtime as a result of the DDoS, unlike the Spamhaus attacks, which took out a swathe of sites.  “There was extra latency in Europe. Overall, network was unaffected,” said Matthew Prince, CEO of CloudFlare.

“[It was] very big. Larger than the Spamhaus attack from last year. Volume based so congesting at Layer 3 in some parts of Europe. Hitting our network globally but no big customer impact outside of Europe.”

Prince said one customer had been targeted again, but this time he could not reveal who.

Akamai, another major content delivery network and DDoS mitigation firm, said it had no insight into the attack.

French hosting firm OVH has also said over Twitter it has experienced an attack over 350Gbps.

The attackers used an increasingly common technique amongst DDoSers, which involves exploiting the UDP-based Network Timing Protocol. That protocol is normally used to sync clocks on machines, but attackers have discovered they can exploit a weakness that allows them to query an NTP server about connected clients and their traffic counts.

By spoofing an IP address, attackers can make it appear a target is making these queries, using the “monlist” command. When these requests are made en masse, the traffic generated can be overwhelming, as the NTP server sends back a list of the last 600 IP addresses which connected to it.

In January, the United States Computer Emergency Readiness Team (US-CERT) was moved to put out a warning about such NTP amplification attacks and the technique was used to take down a number of gaming services last December, including Steam, League of Legends and Battle.net.

Admins could do the world a favour by implementing a patch and upgrading their NTP servers, as the latest release addresses the issue. The NTP technique is similar to the one used in the Spamhaus attacks of last year, when open DNS servers were exploited for amplification. Two sites have been set up to monitor the use of vulnerable DNS and NTP servers – openresolverproject.org and openntpproject.org.

Are you a security pro? Try our quiz!

Read also :