Europe shrugs off largest DDoS attack yet, traffic tops 400Gbps

NTP flaw used again, effects minimal


Once again hackers are targeting content-delivery firm Cloudfare, and the company says this latest attack is its biggest yet, peaking at over 400Gbps of traffic.

"Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year. Mitigating," tweeted Cloudflare's CEO Matthew Price. "Someone's got a big, new cannon. Start of ugly things to come."

The attack used a well-known flaw in the Network Time Protocol (NTP) that's used to set the clocks of servers connecting online. The User Datagram Protocol (UDP)-based protocol can be subverted using a synchronization request so that a target system spews out a large volume of data that can be used in a DDoS attack.

The problems with NTP are well-recognized, and in January US-CERT issued a bulletin about the issue, which was backed up by security researchers who warned that the technique was becoming particularly popular. In December an NTP attack was carried out against online gaming servers, and security firm Symantec said it has seen a big spike in similar traffic.

As it turns out, the effects on servers was minimal. While the last attack against Cloudflare and antispammers at Spamhaus in March caused brief, but significant, slowdowns in many servers, this latest attack appears to have been largely shrugged off.

"It's the nature of many denial-of-service attacks that they are fairly transient, really," Nathaniel Couper-Noles, principal consultant at security firm Neohapsis, told The Register. "Once you stop sending the attacks, the lines clear and the network goes back to normal. In certain DDoS attacks there is a load factor, so if you don't have adequate cooling, driving up the load factor to 100 per cent – in some really rare cases – a piece of equipment can malfunction."

For IT managers, the best step to make sure servers aren't used in this way is to watch network traffic closely, he said, and harden up their systems – either using Windows registry or Cisco's IOS interface – and to filter outbound NTP as a good-neighbor policy. ®

Broader topics


Other stories you might like

  • Cloudflare says it thwarted record-breaking HTTPS DDoS flood
    26m requests a second? Not legit traffic, not even Bill Gates doing $1m giveaways could manage that

    Cloudflare said it this month staved off another record-breaking HTTPS-based distributed denial-of-service attack, this one significantly larger than the previous largest DDoS attack that occurred only two months ago.

    In April, the biz said it mitigated an HTTPS DDoS attack that reached a peak of 15.3 million requests-per-second (rps). The flood last week hit a peak of 26 million rps, with the target being the website of a company using Cloudflare's free plan, according to Omer Yoachimik, product manager at Cloudflare.

    Like the attack in April, the most recent one not only was unusual because of its size, but also because it involved using junk HTTPS requests to overwhelm a website, preventing it from servicing legit visitors and thus effectively falling off the 'net.

    Continue reading
  • Man gets two years in prison for selling 200,000 DDoS hits
    Over 2,000 customers with malice on their minds

    A 33-year-old Illinois man has been sentenced to two years in prison for running websites that paying customers used to launch more than 200,000 distributed denial-of-services (DDoS) attacks.

    A US California Central District jury found the Prairie State's Matthew Gatrel guilty of one count each of conspiracy to commit wire fraud, unauthorized impairment of a protected computer and conspiracy to commit unauthorized impairment of a protected computer. He was initially charged in 2018 after the Feds shut down 15 websites offering DDoS for hire.

    Gatrel, was convicted of owning and operating two websites – DownThem.org and AmpNode.com – that sold DDoS attacks. The FBI said that DownThem sold subscriptions that allowed the more than 2,000 customers to run the attacks while AmpNode provided customers with the server hosting. AmpNode spoofed servers that could be pre-configured with DDoS attack scripts and attack amplifiers to launch simultaneous attacks on victims.

    Continue reading
  • Google, EFF back Cloudflare in row over pirate streams
    Ban akin to 'ordering a telephone company to prevent a person from having conversations' over its lines

    Google, EFF, and the Computer and Communications Industry Association (CCIA) have filed court documents supporting Cloudflare after it was sued for refusing to block a streaming site.

    Earlier this year, a handful of Israel-based media companies took Israel.tv to court, accusing it of streaming TV and movie content it had no right to distribute. The corporations — United King Film Distribution, D.B.S. Satellite Services, HOT Communication Systems, Charlton, Reshet Media and Keshet Broadcasting — won the lawsuit after Israel.tv's creators failed to show up to their hearings, and the judge ordered Israel-tv.com, Israel.tv and Sdarot.tv each pay $7,650,000 in damages. 

    In a more surprising move, however, the media outfits also won an injunction [PDF] in the United States in April against a slew of internet companies, among others, banning them from aiding Israel.tv in its piracy.

    Continue reading
  • Cloudflare stomps huge DDoS attack on crypto platform
    At 15.3 million requests per second, the assault was the largest HTTPS blitz on record lasting 15 seconds

    Cloudflare this month halted a massive distributed denial-of-service (DDoS) attack on a cryptocurrency platform that not only was unusual in its sheer size but also because it was launched over HTTPS and primarily originated from cloud datacenters rather than residential internet service providers (ISPs).

    At 15.3 million requests-per-second (rps), the DDoS bombardment was one of the largest that the internet infrastructure company has seen, and the largest HTTPS attack on record.

    It lasted less than 15 seconds and targeted a crypto launchpad, which Cloudflare analysts in a blog post said are "used to surface Decentralized Finance projects to potential investors."

    Continue reading
  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Big Tech shrank the internet while growing its own power
    Classic internet ideas matter less now that CDNs and private networks dominate traffic

    Comment The internet has become smaller, the result of a rethinking of when and where to use the 'net's intended architecture. In the process it may also have further concentrated power in the hands of giant technology companies.

    Given the ever-expanding content and resources available online, and proliferation of connected devices, the notion that the internet has shrunk is counter-intuitive. But shrunk it has – to the point at which some iPhones do not immediately connect to the open internet.

    Those phones are iPhones running the latest version of Apple's iOS and the opt-in service called Private Relay. The iGiant bills Private Relay as a privacy enhancement because it obscures users' DNS lookups and IP addresses by funneling traffic over networks operated by Cloudflare, according to specs set by Apple.

    Continue reading
  • Shopping for malware: $260 gets you a password stealer. $90 for a crypto-miner...
    We take a look at low, low subscription prices – not that we want to give anyone any ideas

    A Tor-hidden website dubbed the Eternity Project is offering a toolkit of malware, including ransomware, worms, and – coming soon – distributed denial-of-service programs, at low prices.

    According to researchers at cyber-intelligence outfit Cyble, the Eternity site's operators also have a channel on Telegram, where they provide videos detailing features and functions of the Windows malware. Once bought, it's up to the buyer how victims' computers are infected; we'll leave that to your imagination.

    The Telegram channel has about 500 subscribers, Team Cyble documented this week. Once someone decides to purchase of one or more of Eternity's malware components, they have the option to customize the final binary executable for whatever crimes they want to commit.

    Continue reading

Biting the hand that feeds IT © 1998–2022