Massive NTP hack – a sign of things to come?

Feb 13, 2014 | Regulation

This week saw one if the biggest cyber attacks in history, as hackers targeted an ‘unknown source’ with a flood of data capable of brining down vital web sevices. Online security specialists Cloudflare said it recorded the “biggest” attack of its kind on Monday. Hackers used weaknesses in the Network Time Protocol (NTP), a system […]

This week saw one if the biggest cyber attacks in history, as hackers targeted an ‘unknown source’ with a flood of data capable of brining down vital web sevices.


Online security specialists Cloudflare said it recorded the “biggest” attack of its kind on Monday.
Hackers used weaknesses in the Network Time Protocol (NTP), a system used to synchronise computer clocks, to flood servers with huge amounts of data.
The technique could potentially be used to force popular services offline.
Several experts had predicted that the NTP would be used for malicious purposes.
The target of this latest onslaught is unknown, but it was directed at servers in Europe, Cloudflare said.
Attackers used a well-known method to bring down a system known as Denial of Service (DoS) – in which huge amounts of data are forced on a target, causing it to fall over.
Cloudflare chief executive Matthew Prince said his firm had measured the “very big” attack at about 400 gigabits per second (Gbps), 100Gbps larger than an attack on anti-spam service Spamhaus last year.
Analysis:
EJ Hilbert, Managing Director, Kroll, commented: “Many companies think hacking is just about stealing data such as credit cards – but just as significant are attacks on the reliability of companies’ IT systems.
“The hack reported by Cloudflare is actually an attack designed to interrupt a business’s ability to function. A denial of service attack no matter how it’s accomplished (whether via data floods or timing system floods) will knock a company’s website offline and deny customers the ability to interact with the company. It’s comparable to chaining the front doors to a high street store so that no one can shop.
“Companies need to understand that the cyber world presents various threats to data and a firm’s business continuity and understanding those threats is key to mitigate the risks.”
Eduardo de la Arada, research team engineer for AlienVault sheds a little more light on this style of attack and answers some questions:
What is the significance of this being an NTP-based DDoS attack?
It’s just another reflection technique. A NTP server is a server used to synchronize system clock. One of the available requests is MON_GETLIST, it returns the addresses of up to the last 600 machines that the NTP server has interacted with. So, with a small (234 bytes) request, the server could respond with a big package (48k more or less). You can modify the sender address to the targets ones, and send a lot of requests to multiple NTP servers, the generated traffic sent to the target could be enormous.
At 400Gbps this is a very large attack – of the biggest cyber attacks in history and 100Gbps bigger than the spamhaus attack – is this why it has taken 10 months for this type of attack to be replicated?
In my opinion, that period of time is just to collect as many NTP servers as possible. The more servers they have collected, the stronger the attack will be. Not all servers have this feature, it was removed, so the attackers must scan internet looking for a version older than 4.2.7.
Is this a sign of things to come?
It looks like this kind of attack (NTP based) has become popular during the Christmas Holidays. But it just a matter of time that a big amount of NTP server are going to be updated, or the attackers discover another reflection technique to improve their DDoS attacks.

All topics

Previous editions