On Monday, February 10th, CloudFlare experienced a large DDoS attack, with nearly 400Gbps of NTP attack traffic hitting our network. We were not the only network getting hit by massive NTP attacks. Around the same time, OVH reported a similarly sized attack. Since the attack we've heard from a number of other networks that have seen large NTP-based attacks over the last few weeks.
We see today a lot of new DDoS attacks from Internet to our network. Type: NTP AMP Size: >350Gbps. No issue. VAC is great :) — Oles (@olesovhcom) February 12, 2014
John Graham-Cumming on our team wrote a blog post before the attack describing how such an attack is possible by using a combination of spoofed UDP packets and vulnerable NTP servers.
During the 400Gbps attack we saw 4,259 IPv4 addresses of vulnerable servers sending attack traffic to our network. These servers were not controlled by the attacker directly. They were running network time protocol (NTP) servers that answered certain commands with very large responses, which makes them a good amplification vector: the attacker sends small requests with the source address spoofed to be the victim, and the server sends its large replies to the victim. Specifically, all of these servers replied with large packets to the "monlist" command.
Some Good News
In the aftermath of this massive attack, we decided to publish the list of networks originating these attacks, hoping their operators would fix the problem. Since that blog post we've been monitoring those networks to see whether attention to this problem has helped close the vulnerable NTP servers. The results are encouraging:
After a week and a half, more than 75% of the vulnerable servers involved in the attack are no longer vulnerable. While some of these servers may only be temporarily unreachable rather than fixed, the trend is clear: network administrators have gotten the message and are closing vulnerable NTP servers.
The people behind the openntp.org project have also noticed a massive improvement in the situation worldwide:
NTP MONLIST Amplifiers down from 490k -> 349k in the last week. http://t.co/35vLsj3DZJ to check your network. — jared mauch (@jaredmauch) February 14, 2014
Notably, we've seen a huge decrease from OVH, which has taken significant measures to prevent NTP attacks coming from its large installed base of servers. This is an encouraging achievement by the community, which has put tremendous effort into solving a real problem.