Monday's massive distributed-denial-of-service attack, the largest ever recorded, reached more than 400 Gbps at its peak. This is about 33 percent greater than last year’s Spamhaus attack, the previous DDoS record-holder.
The attack was directed at one of the customers of content delivery network and security provider CloudFlare, which first reported the attack.
The attackers leveraged a flaw in the Network Time Protocol (NTP), a network protocol used to synchronize computer clock times.
“Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year. Mitigating,” CloudFlare CEO Matthew Prince said in a tweet. “Someone’s got a big, new cannon. Start of ugly things to come.”
They did not identify the customer targeted by the attack but did say it was directed at servers in Europe, adding that “these NTP reflection attacks are getting really nasty.”
The basic attack technique consists of attackers querying vulnerable NTP servers for traffic counts, with the victim’s address spoofed as the source of the request.
Because the source address is spoofed, the NTP server sends its response to the victim rather than to the attacker. Because the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim.
Because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks.
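One way a defender can spot the pattern described above in flow data, as an added example that is not part of the original article: it flags hosts receiving NTP replies (UDP source port 123) that they never requested, from many servers at once. The flow-record layout, the thresholds and the addresses (documentation ranges) are assumptions constructed for illustration.

```python
from collections import defaultdict

NTP_PORT = 123  # UDP port used by NTP

# Constructed flow records: (time_s, src_ip, src_port, dst_ip, dst_port, bytes).
# None of this is data from the attack described in the article.
SAMPLE_FLOWS = [
    (0.0, "192.0.2.10", 40000, "198.51.100.1", 123, 76),   # genuine client query
    (0.1, "198.51.100.1", 123, "192.0.2.10", 40000, 76),   # matching reply
    (1.0, "198.51.100.1", 123, "192.0.2.80", 80, 4400),    # replies nobody asked for
    (1.0, "198.51.100.2", 123, "192.0.2.80", 80, 4400),
    (1.1, "198.51.100.3", 123, "192.0.2.80", 80, 4400),
    (1.2, "198.51.100.4", 123, "192.0.2.80", 80, 4400),
]


def find_reflection_victims(flows, min_servers=3, min_bytes=10_000):
    """Return {victim_ip: (distinct_servers, unsolicited_bytes)} for hosts that
    receive NTP replies without a matching request, from many servers."""
    asked = set()                  # (client, server) pairs with a real query
    servers = defaultdict(set)     # victim -> NTP servers replying unasked
    volume = defaultdict(int)      # victim -> unsolicited reply bytes
    for _, src, sport, dst, dport, size in sorted(flows):
        if dport == NTP_PORT and sport != NTP_PORT:
            asked.add((src, dst))  # this host really sent an NTP request
        elif sport == NTP_PORT and (dst, src) not in asked:
            # Reply with no request on record: the request was sent by
            # someone else using this host's address as the source.
            servers[dst].add(src)
            volume[dst] += size
    return {
        ip: (len(servers[ip]), volume[ip])
        for ip in servers
        if len(servers[ip]) >= min_servers and volume[ip] >= min_bytes
    }


if __name__ == "__main__":
    for ip, (count, total) in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{ip}: {total} unsolicited NTP bytes from {count} servers")
```

Each individual reply is valid NTP traffic from a real server, so the signal here is the missing request and the fan-in from many servers, not the packet contents.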
The DDoS surpassed the attack last March that peaked with a 300 Gbps torrent of traffic flooding spam fighter Spamhaus, CloudFlare, and key Internet switching stations in Amsterdam, Frankfurt, and London. That onslaught resulted, according to some reports, in service slowdowns across the Internet.