DDoS attacks could cost your company up to $450,000
The largest ever known DDoS attack has been reported hitting victims in the US and Europe, peaking at over 400Gbps. Reuters

Distributed denial of service attacks are one of the most popular tools available to cybercriminals today. Whether you want to knock your competition offline or protest at some perceived injustice, DDoS attacks are an ideal weapon.

Last year we saw the "the DDoS attack that almost broke the internet" when Spamhaus was hit with a 300 gigabit per second (Gbps) attack, which at the time was 200Gbps bigger than anything seen previously.

On Monday that record was beaten once again, with DDoS-mitigation company CloudFlare reporting one of their clients was hit with an attack which peaked at over 400Gbps.

But even this massive attack will seem miniscule by this time next year according to one security expert.

Next year I expect to see this at least double in terms of traffic/sec.
- Tim Keanini, Lancope

Tim Keanini, chief technology officer at Lancope says: "The reason these attacks are getting larger is the simple fact that the pipes are getting larger. At these rates, you are limited by the capacity of some transit link to the victim. The bigger the pipes, the greater the volumetric attack."


That would mean that in 2015 websites would have to be able to cope with DDoS attacks of up to 800Gbps in size or face sustained period offline.

DDoS attacks were once eloquently described by security expert Graham Cluley as "15 fat men trying to fit through a revolving door all at once - nothing moves."

However the trend in recent years of using amplification techniques means that metaphor should now probably read "150 fat men trying to fit through a revolving door."

Amplification techniques, such as the one used in this week's attack, mean the attacker doesn't need to have a huge amount of bandwidth at his or her disposal, as they are able to leverage the architecture of the internet to send a huge amount of traffic to the victim's system.

"Just another reflection technique"

While the Spamhaus attack was carried out using DNS amplification, the attack this week used the increasingly-popular Network Time Protocol (NTP) amplification technique.

CloudFlare NTP Reflection Attack
A graph of what it looks like when a device participates in the NTP DDoS against CloudFlare Twitter/@ctrl_alt_esc

Eduardo de la Arada, research team engineer for AlienVault describes how the technique works:

"It's just another reflection technique. An NTP server is a server used to synchronize system clocks [on desktops, laptops, even smartphones]. One of the available requests is MON_GETLIST which returns the addresses of up to the last 600 machines that the NTP server has interacted with.

"So, with a small (234 bytes) request, the server could respond with a big package (48k more or less). You can modify the sender address to the targets ones, and send a lot of requests to multiple NTP servers, the generated traffic sent to the target could be enormous."

Not properly patched

However these attacks are only possible because those in charge of the servers being used haven't properly patched the software running them, as Keanini points out:

"This type of amplification attack is as old as the Internet itself and, as long as there is a protocol out there by which a single packet generates 10x (or greater) packets in return, we will have this type of problem.

The Internet is like having a neighbour who likes to play with explosives in the apartment next door.
- Tim Keanini, Lancope

"NTP, DNS, and a few other UDP (connectionless protocols) services have had vulnerable versions used in this type of DDoS. All of them patched and fixed but the problem is that people don't manage their services the way that they should. The fix has been available for a very long time and websites exist that freely test for these vulnerabilities but still the administrators of these servers are irresponsibly leaving them unpatched and are helping attackers do this type of damage. The Internet is like having a neighbour who likes to play with explosives in the apartment next door."

According to CloudFlare's CEO Matthew Prince there are 4,500 of these misconfigured NTP servers online at the moment - meaning the potential for these attacks is worryingly high.

Bigger attack, more often

Darren Anstee of Arbor networks, whose Atlas system recorded a 325Gbps attack in France this week, (which may or may not be related to the attack reported by CloudFlare), believes bigger attacks like these are going to become more common:

"Larger attacks are becoming more common and network operators need to ensure that they have the people, processes and infrastructure in place to handle large attack volumes before service, potentially for multiple customers, is impacted."

CloudFlare's Matthew Prince says he think the attackers who carried out this week's attack would likely only need a connection of around 1Gbps in order to generate a 400Gbps attack. When asked what would happen when someone with a 10Gbps connection carried out an attack like this, Prince said that his company was "rapidly expanding capacity" to cope with this possibility.

Ashley Stephenson, CEO of Corero Network Security says customers now expect thier service provider to do more in order to protect themselves against this type of attack:

"There is a growing expectation that ISPs should do more to protect their customers from these attacks by enhancing their network infrastructure and services with an additional layer of security, capable of inspecting and detecting malicious traffic closer to the source before it converges on the intended DDoS victim – who is frequently one of their own customers."