Record-breaking DDoS attack in Europe hits 400Gbps

A distributed-denial-of-service attack peaked some 33 percent higher than last year's Spamhaus attack, the previous DDoS record-holder.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
2 min read

A massive distributed-denial-of-service attack Monday reached more than 400Gbps at its peak, about 33 percent greater than last year's Spamhaus attack, the previous DDoS record-holder.

The attack was apparently directed at one of the customers of content delivery network and security provider CloudFlare, which first reported the attack. The company said it appeared that attackers leveraged a flaw in the Network Time Protocol (NTP), a network protocol used to synchronize computer clock times.

"Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year. Mitigating," Cloudflare CEO Matthew Price said in a tweet. "Someone's got a big, new cannon. Start of ugly things to come," he wrote in a follow-up tweet.

Price did not identify the customer targeted by the attack but did say it was directed at servers in Europe, adding that "these NTP reflection attacks are getting really nasty."

The frequency of NTP reflection attacks has grown in recent months. After an NTP attack was used to take down game servers hosting EA's Origin service, Blizzard's Battle.net, and League of Legends, among others, US-CERT issued an alert warning companies of the attack technique's growing popularity.

The basic attack technique consists of attackers querying vulnerable NTP servers for traffic counts using the victim's spoofed address.

"Due to the spoofed source address, when the NTP server sends the response it is sent instead to the victim," CERT warned. "Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim."

"Because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks," US-CERT said in its January advisory, which included suggestions on how administrators could mitigate vulnerability.

The technique's popularity has grown since the emergence of toolkits such as DNS Flooder v1.1, according to security vendor Prolexic, which said Tuesday it has observed the attack used on several clients during the past six months, sometimes with amplification factors of 50 times the originating bandwidth.

"This toolkit uses a unique method where attackers assign DNS servers with arbitrary names and utilize them as reflectors," according to Prolexic's report. "This new technique allows malicious actors to purchase, set up, and use their own DNS servers to launch reflection attacks, without the need to find open and vulnerable DNS servers on the Internet."

Monday's DDoS surpassed the attack last March that peaked with a 300Gbps torrent of traffic flooding spam fighter Spamhaus, CloudFlare, and key Internet switching stations in Amsterdam, Frankfurt, and London. That onslaught resulted, according to some reports, service slowdowns across the Internet.