Matthew Prince, CEO of content delivery network Cloudflare, confirmed on Twitter on Monday that one of its customers was being targeted with a very big Network Time Protocol (NTP) reflection attack – “bigger than the Spamhaus attack from last year.”
He didn’t name the customer, but he shared that the attack reached over 400 gigabits per second, that it probably caused congestion on some peering exchanges (mostly in Europe), that (based on sampled data) it misused just over 4,500 misconfigured NTP servers, and that the customer initially wanted to pay with a stolen credit card.
Despite US-CERT’s recommendation to update public-facing NTP servers to an ntpd version that doesn’t allow attackers to use them for NTP amplification attacks, there are still many vulnerable ones out there.
“The attack relies on the exploitation of the ‘monlist’ feature of NTP, as described in CVE-2013-5211, which is enabled by default on older NTP-capable devices. This command causes a list of the last 600 IP addresses which connected to the NTP server to be sent to the victim,” explains US-CERT.
“Due to the spoofed source address, when the NTP server sends the response it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks.”
The victim is effectively hit with a big DDoS attack.
Server administrators can either disable “monlist” within the NTP server or upgrade to the latest NTP version (4.2.7), which does the same thing. If you want to know whether your server(s) are vulnerable, you can use this simple online tool.
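For administrators who want to check a server's own configuration, here is a small auditor for `ntp.conf` contents. It is an added example, not code from the article, Cloudflare or US-CERT. It relies on ntpd's standard `disable monitor` and `restrict ... noquery` directives, which the article does not name, and the sample configurations are constructed.

```python
# Added example: audit ntp.conf text for exposure of the 'monlist' query (CVE-2013-5211).
def audit_ntp_conf(text):
    """Return (exposed, findings) for the given ntp.conf contents."""
    monitor_disabled, limited_seen = False, False
    noquery = {"-4": False, "-6": False}  # default restrict entry per address family
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not tokens:
            continue
        keyword, args = tokens[0].lower(), tokens[1:]
        if keyword in ("disable", "enable") and "monitor" in args:
            monitor_disabled = keyword == "disable"  # last directive wins
        elif keyword == "restrict":
            # Assumption: a bare 'restrict default' is counted as IPv4 only,
            # the conservative reading for older ntpd builds.
            family = "-4"
            if args and args[0] in ("-4", "-6"):
                family, args = args[0], args[1:]
            limited_seen = limited_seen or "limited" in args
            if args and args[0] == "default":
                noquery[family] = bool({"noquery", "ignore"} & set(args[1:]))
    findings = [f"restrict {fam} default lacks noquery"
                for fam, ok in noquery.items() if not ok]
    if not monitor_disabled:
        findings.append("monitor facility not disabled")
    elif limited_seen:
        # Per the ntp.conf documentation, a restrict entry with 'limited'
        # keeps the monitoring facility active.
        findings.append("'limited' keeps monitoring active despite 'disable monitor'")
    monitor_active = limited_seen or not monitor_disabled
    exposed = monitor_active and not all(noquery.values())
    return exposed, findings

# Constructed sample configurations (not taken from any real host).
WEAK = """server 0.pool.ntp.org iburst
restrict default nomodify notrap   # queries still answered
restrict 127.0.0.1
"""
HARDENED = """disable monitor
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""
LIMITED_TRAP = """disable monitor
restrict default kod limited nomodify notrap
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED), ("limited", LIMITED_TRAP)):
        print(name, audit_ntp_conf(conf))
```

The third sample shows the case that is easy to miss: `disable monitor` alone is not sufficient when a `restrict` line carries `limited` and queries are not blocked with `noquery`.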
For more details about how an NTP-based DDoS attack works, check out Cloudflare’s blog post from earlier this year.