NTP amplification fuelling era of super-massive DDoS
Some time in December 2014 an unnamed ISP experienced an NTP reflection DDoS attack that peaked at a router-straining 400Gbps, easily the largest denial of service event in Internet history, Arbor Networks’ 10th Annual Infrastructure Report has revealed.
It’s an apparently small detail slipped into the firm’s larger narrative, and probably less important in the grand scheme of things than the fact that super-massive DDoS attacks are now common enough to have turned into dull statistics.
Message – large DDoS attacks are here to stay. But what is driving this ballooning traffic?
Arbor gets its numbers from Peakflow SP sensors in 330 customers’ premises feeding into the firm’s Atlas system, which it backs up with manual surveys of important ISPs and providers not contributing to this system.
The largest attack recorded by Atlas was 325Gbps (see below), one of a handful of attacks that exceeded 2013’s peak attack size of 245Gbps, still large but starting to look old world. In 2013, the system noticed 39 attacks above 100Gbps, which compares to 159 for last year, a fourfold increase.
A closer look reveals that most of 2013’s big attacks occurred in the last quarter, a trend that simply carried on over 2014, underlining that something is going on. As for the 400Gbps attack, that was reported to Arbor by a third party and the firm was not able to confirm many details beyond its imposing size.
Increasingly, the culprit is Network Time Protocol (NTP), an important but otherwise totally ignored way for the Internet to keep its routers and server infrastructure synchronised with UTC. Not long after an infamous attack on Spamhaus in early 2013, which used something called DNS amplification to summon up potentially vast amounts of traffic, someone worked out that other protocols were open to the same trick.
NTP turned out to be a good candidate for the same spoofing/amplification treatment, notably during the almost-as-infamous attack on CloudFlare a year ago, the one Arbor mentions as hitting 325Gbps.
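The reflection pattern described above has a recognisable signature from the victim’s side: many distinct hosts, all replying from UDP source port 123, sending far larger packets than a normal time reply, towards one destination. The following Python detector, an added example that is not from the article or from Arbor Networks, runs that check over a handful of constructed flow summaries (documentation IP ranges only). The line format, the thresholds and the assumed 76-byte size of a legitimate NTP reply (20-byte IPv4 header, 8-byte UDP header, 48-byte NTP payload) are assumptions for the example, not figures from the page.

```python
"""Flag likely NTP reflection traffic in flow summaries (added example, assumptions noted)."""
import re
from collections import defaultdict

# Constructed sample flows: four reflectors hit one victim with large UDP/123 replies;
# two hosts exchange ordinary small NTP replies; one DNS flow and one TCP flow are noise.
SAMPLE_FLOWS = """\
UDP 203.0.113.5:123 -> 198.51.100.7:40000 pkts=1200 bytes=540000
UDP 203.0.113.9:123 -> 198.51.100.7:40000 pkts=900 bytes=414000
UDP 203.0.113.17:123 -> 198.51.100.7:40000 pkts=1500 bytes=690000
UDP 203.0.113.23:123 -> 198.51.100.7:40000 pkts=800 bytes=368000
UDP 192.0.2.10:123 -> 198.51.100.8:123 pkts=4 bytes=360
UDP 192.0.2.11:123 -> 198.51.100.9:123 pkts=2 bytes=180
UDP 192.0.2.12:53 -> 198.51.100.7:40000 pkts=3000 bytes=900000
TCP 192.0.2.13:123 -> 198.51.100.7:40000 pkts=10 bytes=6000
"""

# Assumed line format: "<proto> <src>:<sport> -> <dst>:<dport> pkts=<n> bytes=<n>"
FLOW_RE = re.compile(
    r"^(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"pkts=(?P<pkts>\d+) bytes=(?P<bytes>\d+)$"
)

NTP_PORT = 123
# Assumed on-the-wire size of a plain NTP time reply: 20 (IPv4) + 8 (UDP) + 48 (NTP).
LEGIT_NTP_REPLY_BYTES = 76


def parse_flows(text):
    """Parse flow summary lines into dicts; lines that do not match the format are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append({
            "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "pkts": int(d["pkts"]), "bytes": int(d["bytes"]),
        })
    return flows


def detect_ntp_reflection(flows, window_s=1.0, min_reflectors=3, min_avg_pkt_bytes=200):
    """Group inbound UDP/123 traffic by destination and flag destinations that receive
    large replies from many distinct sources. window_s is the assumed collection window
    used to express the volume as Mbit/s; thresholds are illustrative."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "pkts": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != "UDP" or f["sport"] != NTP_PORT:
            continue  # only UDP replies sourced from the NTP port are of interest here
        s = per_dst[f["dst"]]
        s["reflectors"].add(f["src"])
        s["pkts"] += f["pkts"]
        s["bytes"] += f["bytes"]

    report = {}
    for dst, s in per_dst.items():
        avg = s["bytes"] / s["pkts"]
        if len(s["reflectors"]) >= min_reflectors and avg >= min_avg_pkt_bytes:
            report[dst] = {
                "reflectors": len(s["reflectors"]),
                "pkts": s["pkts"],
                "bytes": s["bytes"],
                "avg_pkt_bytes": round(avg, 1),
                "mbps": round(s["bytes"] * 8 / window_s / 1e6, 3),
                # Rough size ratio against a normal reply; a true amplification factor
                # would need the request side, which the victim never sees.
                "reply_size_ratio": round(avg / LEGIT_NTP_REPLY_BYTES, 1),
            }
    return report


if __name__ == "__main__":
    for dst, stats in detect_ntp_reflection(parse_flows(SAMPLE_FLOWS)).items():
        print(dst, stats)
```

Run as-is it reports only 198.51.100.7: four reflectors, 4,400 packets averaging about 457 bytes, roughly six times the size of an ordinary time reply. The two hosts exchanging normal 90-byte replies are ignored because they come from a single source and are small, and the DNS and TCP flows never enter the NTP tally at all. In practice the thresholds would be tuned against the network’s own NTP baseline, which is the same baseline an ISP needs before deciding where to rate-limit the protocol.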
It might be assumed that massive DDoS attacks on the scale of the signal Spamhaus attack would be publicly acknowledged, but this is far from the case. ISPs and Content Delivery Networks (CDNs) continue to see them as localised issues that crop up from time to time and are nobody’s business.
Nobody else sees these attacks (customers’ pipes are typically far below the maximum size of massive DDoS events anyway) and they most definitely don’t ‘slow the Internet’ as daft stories claimed after the Spamhaus attack. What they do is to seriously annoy ISPs, the organisations that have to silently manage the traffic. There are no plaudits or awards for throwing away dead packets.
According to Arbor, the peak NTP storm was during the spring of 2014, but it’s noticeable that average NTP traffic then fell back to what are still historically high levels around the 120Gbps mark. For comparison, the background level in 2008 was 1Gbps, which should have risen a bit as more equipment was lit up since then. But it’s now trending way above that level all the time, and Arbor Networks’ UK director of solutions architects, Darren Anstee, told Techworld that many ISPs now rate-limit the protocol as a way of coping.
The bad news is that the Internet is chock-full of other protocols, many of which can be used as fuel to throw on to the DDoS bonfire, including SSDP (a growing problem), Chargen, DVMRP, SNMP, as well as the pioneer, DNS. Each of these was detected in attacks approaching or exceeding 100Gbps during 2014.