
Largest DDoS Attack

A record-breaking DDoS (distributed denial-of-service) attack hit the internet on Monday, peaking at around 400 Gbit/s. That is well above the largest attack previously observed, which measured approximately 300 Gbit/s.

CloudFlare, a firm that provides DDoS defense, disclosed on Monday that one of its customers was experiencing a massive attack that, judging by its intensity, was far bigger than the Spamhaus attacks seen the previous year. CloudFlare CEO Matthew Prince said this on Twitter (https://twitter.com/eastdakota/statuses/433002992694874112), adding that the attack exploited a weakness in the Network Time Protocol (NTP).

The attack reportedly caused network slowdowns in Europe and may have affected other service providers. Prince also tweeted, “Someone’s got a big new cannon. Start of ugly things to come,” and said NTP-based attacks are becoming extreme and dangerous. He declined to name the customer being targeted, citing privacy policies.

British authorities are said to be trying to track down the attackers (see http://www.informationweek.com/security/attacks-and-breaches/british-spies-hit-anonymous-with-ddos-attacks/d/d-id/1113719?itc=edit_in_body_cross). The attack on CloudFlare was confirmed by Oles Van Herman, head of the French hosting firm OVH.com, who said his own firm had experienced DDoS attacks reaching 350 Gbit/s. According to him, his firm’s network was a victim of the attack and not its source, which points to a reflection attack: the attacker sends requests with a forged source address so that servers on other networks direct their replies at the victim.

Programmer John Graham-Cumming explained that with this method an attacker can make a third-party server send its replies to the victim. In the past many of these attacks used DNS (domain name system) servers, but that has changed: attackers now go after NTP.

Monday’s attack is not an isolated case; similar attacks have been seen worldwide. According to a report released last month by Black Lotus, a DDoS defense firm, attacks such as SYN floods, ACK floods and application-layer (HTTPS) attacks have remained the main kinds of DDoS. However, DrDoS (distributed reflection denial of service) surfaced in 2014 and is now used largely for the huge attacks exceeding 100 Gbit/s.


Launching a reflection attack is not very hard, and it is made easier by the fact that attackers can obtain the DNS Flooder v1.1 toolkit. According to the defense firm, the tool was first seen on hacking forums approximately six months ago and has reportedly been used to launch many attacks.

Using the toolkit, an attacker can set up DNS servers for arbitrary domain names and use those servers as reflectors. Based on Prolexic’s report, this lets attackers buy, create and use their own DNS servers to launch an attack, so they no longer depend on finding a vulnerable DNS server.

Many attackers still use blended attacks to increase their chance of success. According to Black Lotus, this is effective because the attackers locate a weak spot and then overwhelm that same system, with catastrophic results.

These reports note a massive increase in the number of DDoS attacks since 2 January. The vulnerability advisory CVE-2013-5211 describes a bug in ntpd (the Network Time Protocol daemon) that can be abused for reflection attacks: the server accepts a small, specially crafted query and returns a response amplified about 58.5x.
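As an added defender-side example (not from the article or from any of the firms it cites), the following Python flags the reflection pattern described above in constructed flow records: a small inbound UDP/123 request answered with a far larger response, here sized to reproduce the 58.5x factor. The server address, log format and threshold are assumptions.

```python
"""Flag NTP reflection/amplification candidates in flow records.
Constructed example (not from the article): each record is a simplified
NetFlow-style line "src:sport -> dst:dport proto bytes packets".  Only
UDP traffic to or from port 123 on the monitored server is considered.
"""
from collections import defaultdict

NTP_SERVER = "198.51.100.10"      # assumed address of our own NTP server
AMPLIFICATION_THRESHOLD = 10.0    # benign NTP exchanges are roughly 1:1 in size

# Constructed flow lines: a benign client sync, then a burst in which tiny
# requests carrying a spoofed source draw back thousands of bytes toward it.
SAMPLE_FLOWS = """\
203.0.113.5:123 -> 198.51.100.10:123 udp 90 1
198.51.100.10:123 -> 203.0.113.5:123 udp 90 1
192.0.2.77:55123 -> 198.51.100.10:123 udp 50 1
198.51.100.10:123 -> 192.0.2.77:55123 udp 2925 7
192.0.2.77:55124 -> 198.51.100.10:123 udp 50 1
198.51.100.10:123 -> 192.0.2.77:55124 udp 2925 7
"""

def parse_flow(line):
    """Split one constructed flow line into its fields."""
    src, _, dst, proto, nbytes, pkts = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"src": sip, "sport": int(sport), "dst": dip, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes), "packets": int(pkts)}

def amplification_by_peer(flow_text, server=NTP_SERVER):
    """Return {peer_ip: (bytes_in, bytes_out, ratio)} for UDP/123 traffic."""
    bytes_in, bytes_out = defaultdict(int), defaultdict(int)
    for line in flow_text.splitlines():
        f = parse_flow(line)
        if f["proto"] != "udp":
            continue
        if f["dst"] == server and f["dport"] == 123:
            bytes_in[f["src"]] += f["bytes"]      # what the peer sent us
        elif f["src"] == server and f["sport"] == 123:
            bytes_out[f["dst"]] += f["bytes"]     # what we sent the peer
    peers = set(bytes_in) | set(bytes_out)
    return {p: (bytes_in[p], bytes_out[p],
                bytes_out[p] / bytes_in[p] if bytes_in[p] else float("inf"))
            for p in peers}

def suspected_reflection(flow_text, threshold=AMPLIFICATION_THRESHOLD):
    """Peers receiving far more from us than they sent: likely spoofed victims."""
    return sorted(p for p, (_, _, ratio) in amplification_by_peer(flow_text).items()
                  if ratio >= threshold)
```

Calling suspected_reflection(SAMPLE_FLOWS) returns ['192.0.2.77'], the address that received 58.5 times the bytes it sent; in production the threshold should be tuned against a baseline of the server's normal client traffic.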

The question many businesses are now contemplating is how best to defend against attackers who exploit the NTP weakness for DDoS. The answer may be to upgrade ntpd, since versions before 4.2.7 have been shown to be vulnerable.

A business may go further and keep its security systems up to date to reduce the chances of attack. Research teams such as Team Cymru have recently released secure NTP templates (http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html) for Cisco IOS, Unix and Juniper Junos. There is also an NTP Scanning Project that offers free scanning of servers.
