CloudFlare, the company at the centre of the biggest distributed denial of service (DDoS) attack ever reported, has warned that bigger, more powerful methods of attack are actively being tested by cyber-criminals.
Speaking in the wake of the 400Gbps DDoS attack which hit one of its customers this week, CEO Matthew Prince has given some more details about the attack, which affected every one of the company's 24 data centres.
Prince said: "While we were generally able to mitigate the attack, it was large enough that it caused network congestion in parts of Europe."
CloudFlare provides DDoS mitigation services for customers and is constantly seeing attacks against the networks it protects, with Prince revealing in a blog post that the company has "seen a handful of other attacks at this scale."
The attackers used a technique called NTP reflection which allows the attacker to generate huge volumes of traffic without necessarily having a major amount of bandwidth at their disposal.
"An attacker with a 1Gbps connection can theoretically generate more than 200Gbps of DDoS traffic," Prince claimed.
In this case the attacker used 4,529 NTP servers running on 1,298 different networks with each of these servers sending on average 87Mbps of traffic to the intended victim on CloudFlare's network.
An NTP amplification attack begins with a server controlled by an attacker on a network that allows source IP address spoofing. The attacker sends a request to an NTP server which looks like it comes from the victim's system.
The request is a MONLIST command which returns the last 600 IP addresses that accessed the server in question. What this means is that the response from the server to the MONLIST command is 206 times bigger than the request, and that huge amount of traffic is sent to the victim, flooding their system.
However, there is another attack technique which promises to create even bigger problems.
Simple Network Management Protocol (SNMP) is used for managing devices on IP networks, but more importantly has an amplification factor of 650x – more than three times the amplification factor of NTP attacks.
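The amplification figures quoted above (206x for NTP MONLIST, 650x for SNMP) are visible directly in flow data as a lopsided byte ratio between the small spoofed requests a reflector receives and the large responses it sends to the victim. The following detection script is an added example, not code from the article or from CloudFlare; it runs over a handful of constructed NetFlow-style records and pairs request and response flows per reflector, service port and victim, so an operator of either the reflector network or the victim network can see which hosts are being abused and how much traffic is landing on the target.

```python
from collections import defaultdict

# Constructed flow records (not from the article), one per unidirectional flow:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes).
# 203.0.113.10 is the spoofed victim; 198.51.100.5/6 are open NTP and SNMP reflectors.
SAMPLE_FLOWS = [
    # spoofed MONLIST requests: tiny packets whose source is forged as the victim
    ("203.0.113.10", 40000, "198.51.100.5", 123, "udp", 10, 500),
    # the reflector's MONLIST replies hit the victim at 206x the request volume
    ("198.51.100.5", 123, "203.0.113.10", 40000, "udp", 230, 103000),
    # spoofed SNMP GetBulk-style requests and the 650x larger replies
    ("203.0.113.10", 40001, "198.51.100.6", 161, "udp", 5, 300),
    ("198.51.100.6", 161, "203.0.113.10", 40001, "udp", 300, 195000),
    # a legitimate NTP peer exchange: symmetric 90-byte packets on 123 both ways
    ("203.0.113.20", 123, "198.51.100.7", 123, "udp", 4, 360),
    ("198.51.100.7", 123, "203.0.113.20", 123, "udp", 4, 360),
]

# UDP services known to be abused as reflectors; extend as needed
REFLECTION_PORTS = {123: "ntp", 161: "snmp"}


def amplification_by_reflector(flows, min_ratio=10.0, min_bytes=100_000):
    """Return one finding per (reflector, service, victim) whose response bytes
    exceed the matching request bytes by at least min_ratio and min_bytes."""
    req_bytes = defaultdict(int)
    resp_bytes = defaultdict(int)
    for src, sport, dst, dport, proto, _pkts, nbytes in flows:
        if proto != "udp":
            continue
        # request: client-side ephemeral port -> service port on the reflector
        if dport in REFLECTION_PORTS and sport not in REFLECTION_PORTS:
            req_bytes[(dst, dport, src)] += nbytes
        # response: service port on the reflector -> the (spoofed) client
        elif sport in REFLECTION_PORTS and dport not in REFLECTION_PORTS:
            resp_bytes[(src, sport, dst)] += nbytes
        # 123 -> 123 peer traffic matches neither branch and is ignored

    findings = []
    for key, out_bytes in resp_bytes.items():
        in_bytes = req_bytes.get(key, 0)
        # a response with no observed request is the strongest signal of spoofing
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if out_bytes >= min_bytes and ratio >= min_ratio:
            reflector, port, victim = key
            findings.append({
                "reflector": reflector,
                "service": REFLECTION_PORTS[port],
                "victim": victim,
                "request_bytes": in_bytes,
                "response_bytes": out_bytes,
                "ratio": ratio,
            })
    return sorted(findings, key=lambda f: -f["ratio"])


def victim_summary(findings):
    """Aggregate findings per victim: total reflected bytes and distinct reflectors,
    the two numbers the article reports for the CloudFlare incident."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["victim"], {"bytes": 0, "reflectors": set()})
        entry["bytes"] += f["response_bytes"]
        entry["reflectors"].add(f["reflector"])
    return {v: {"bytes": e["bytes"], "reflectors": len(e["reflectors"])}
            for v, e in summary.items()}


if __name__ == "__main__":
    found = amplification_by_reflector(SAMPLE_FLOWS)
    for f in found:
        print(f"{f['service']:4} reflector {f['reflector']} -> {f['victim']}: "
              f"{f['response_bytes']} B out / {f['request_bytes']} B in = {f['ratio']:.0f}x")
    print(victim_summary(found))
```

The thresholds are deliberately coarse: a ratio of 10x already excludes normal NTP and SNMP polling, and the byte floor keeps a single large but harmless SNMP walk from paging anyone. On the reflector side, the same output doubles as the list of hosts whose administrators need to be told to restrict queries.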
Prince warns: "We've already begun to see evidence attackers have begun to experiment with using it as a DDoS vector. Buckle up."
SNMP attacks are not new, with Spamhaus – the anti-spamming company which was hit with a 300Gbps attack in 2013 – reporting in 2011 that it had been the subject of such an attack.
In the meantime CloudFlare are talking to the network administrators responsible for the NTP servers which were used in this week's attack to advise them to restrict access to their servers and disable the MONLIST command.
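The two fixes CloudFlare is asking administrators for map onto two ntpd configuration directives: `disable monitor` turns off the MONLIST data collection, and `noquery` on the `restrict default` lines refuses ntpq/ntpdc-style queries from everyone not explicitly allowed. The audit below is an added example, not code from the article or from CloudFlare; it checks an ntp.conf text for both settings, and the two embedded configurations (a weak one and a hardened one) are constructed for illustration.

```python
# Constructed ntp.conf fragments for illustration; the pool hostname is the public
# pool.ntp.org service, the rest is a typical minimal configuration.
WEAK_NTP_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
# queries are still answered for anyone: MONLIST reachable from the internet
restrict default kod nomodify notrap nopeer
"""

HARDENED_NTP_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1      # local ntpq for troubleshooting stays possible
restrict ::1
disable monitor         # no MONLIST table, nothing to reflect
"""


def audit_ntp_conf(text):
    """Return a list of findings describing why this ntp.conf could serve as an
    NTP reflection source. An empty list means both mitigations are present."""
    findings = []
    monitor_disabled = False
    default_restricts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "disable" and "monitor" in tokens[1:]:
            monitor_disabled = True
        elif tokens[0] == "restrict":
            # 'restrict -4 default ...' / 'restrict -6 default ...' are both default rules
            args = [t for t in tokens[1:] if t not in ("-4", "-6")]
            if args and args[0] == "default":
                default_restricts.append((line, set(args[1:])))

    if not monitor_disabled:
        findings.append("MONLIST enabled: add 'disable monitor'")
    if not default_restricts:
        findings.append("no 'restrict default' rule: every client may send queries")
    for line, flags in default_restricts:
        if "noquery" not in flags:
            findings.append(f"'{line}' lacks noquery: mode 6/7 queries "
                            "(including MONLIST) answered for any source")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_NTP_CONF), ("hardened", HARDENED_NTP_CONF)):
        result = audit_ntp_conf(conf)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Either directive on its own closes the MONLIST hole; the audit insists on both because `noquery` also covers other mode 6/7 queries that leak information, and `disable monitor` protects against a later `restrict` edit that accidentally reopens queries. Address-spoofing filtering at the network edge (BCP 38) is the complementary fix on the attacker's side of the exchange and is outside what a host-level config check can verify.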