NTP Amplification DDoS Attack on CloudFlare

CloudFlare has disclosed details of the largest DDoS attack seen so far, which exploited a weakness in the NTP protocol. The report estimates the attack at 400 Gb/s. This is a new threat that targets the Network Time Protocol on port 123, which is normally used to synchronize clocks with time servers.

On February 10, 2014, 1,298 NTP servers on different networks were involved in the attack without their owners' knowledge. At peak, each of these servers generated 87 Mbit/s of traffic toward particular victims on the Internet. Cloudflare notes that the attacker controls many bots that use the vulnerable NTP servers as reflectors: all the attacker has to do is send those servers network requests.

The map shows the locations of the NTP servers that participated in the DDoS attack on February 10.

[Map: sources of the attack on Cloudflare]

Basically, any server that has not been patched or hardened and exposes NTP is going to become part of the DDoS. Cloudflare suggests it is not over yet: there are experiments on the possible use of SNMP to raise the amplification to 650 times. The report is published at this link: http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
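A defender-side check for the reflection pattern described above, added here as illustrative Python and not code from Cloudflare or from the original post: it reads constructed flow records (assumed to be 5-tuples with a byte count) and flags hosts whose UDP/123 response volume dwarfs the request volume they receive, plus the destinations absorbing that volume, which is how a network operator spots both an open reflector on their own network and a victim of one.

```python
"""Flag NTP reflectors and their victims in sampled flow records.

Illustrative code, not Cloudflare's tooling. Flow records are constructed
(src_ip, src_port, dst_ip, dst_port, bytes) tuples; the byte counts are
made-up sample values chosen to show a small request and a large reply.
"""
from collections import defaultdict

NTP_PORT = 123

# Constructed sample flows. 203.0.113.10 answers tiny queries with very
# large replies sent to the spoofed source (the victim 198.51.100.5);
# 203.0.113.30 is a normal NTP server exchanging same-sized packets.
FLOWS = [
    ("198.51.100.5", 40000, "203.0.113.10", 123, 234),      # spoofed query
    ("203.0.113.10", 123, "198.51.100.5", 40000, 48200),    # amplified reply
    ("198.51.100.5", 40001, "203.0.113.10", 123, 234),
    ("203.0.113.10", 123, "198.51.100.5", 40001, 48200),
    ("203.0.113.20", 50000, "203.0.113.30", 123, 48),       # normal client query
    ("203.0.113.30", 123, "203.0.113.20", 50000, 48),       # normal-sized reply
]


def ntp_byte_ratios(flows):
    """Return {host: (bytes_in, bytes_out, ratio)} for hosts serving UDP/123."""
    bytes_in = defaultdict(int)   # bytes arriving at a host's port 123
    bytes_out = defaultdict(int)  # bytes leaving a host from port 123
    for src, sport, dst, dport, nbytes in flows:
        if dport == NTP_PORT:
            bytes_in[dst] += nbytes
        if sport == NTP_PORT:
            bytes_out[src] += nbytes
    result = {}
    for host in set(bytes_in) | set(bytes_out):
        i, o = bytes_in[host], bytes_out[host]
        result[host] = (i, o, o / i if i else float("inf"))
    return result


def find_reflectors(flows, min_ratio=10.0):
    """Hosts whose NTP reply volume exceeds their request volume by min_ratio."""
    ratios = ntp_byte_ratios(flows)
    return sorted(h for h, (_, _, r) in ratios.items() if r >= min_ratio)


def top_victims(flows, n=1):
    """Destinations receiving the most bytes from port 123, largest first."""
    received = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if sport == NTP_PORT:
            received[dst] += nbytes
    return sorted(received.items(), key=lambda kv: kv[1], reverse=True)[:n]
```

On real data the same functions run over NetFlow/sFlow exports; a legitimate NTP server stays near a 1:1 ratio, so a threshold of 10 leaves ample margin.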
