Reflection DDoS attacks use internet facilities to amplify the volume of traffic directed at the victim. The previous largest attack occurred last year against Spamhaus. That one used 'misconfigured' DNS servers and reportedly peaked at 300 Gbps. This one uses the network time protocol (NTP) and is believed to have reached 400 gbps.
Eduardo de la Arada, a research team engineer at AlienVault, explains the methodology: "An NTP server is a server used to synchronize the system clock. One of the available requests is MON_GETLIST, it returns the addresses of up to the last 600 machines that the NTP server has interacted with. So, with a small (234 bytes) request, the server could respond with a big package (48k more or less). You can modify the sender address to the target's ones, and send a lot of requests to multiple NTP servers – the generated traffic sent to the target could be enormous."
Ashley Stephenson, CEO of Corero Network Security, points out that the technique is not new. "Actually it’s a technique first discussed in the DDoS context back in 2011 but it has been making the headlines quite frequently in recent months." Prince confirmed this. It's nothing new, "Just a big NTP attack," he tweeted. But he also commented, "someone's got a big, new cannon. Start of ugly things to come."
The delay between discussion and serious implementation could be down to the need to locate as many susceptible servers to do the reflection/amplification as possible. Not all NTP servers are susceptible, so the attackers have had to scan the internet to find them. "The more servers they have collected," explained de la Arada, "the stronger the attack will be. Not all servers have this feature, it was removed, so the attackers must scan internet looking for a version older than 4.2.7." According to Prince, this attack, "based on sampled data appears to [involve] just over 4,500 misconfigured NTP servers."
The NTP issue has long been patched, "but the problem is that people don’t manage their services the way that they should," comments Tim Keanini, CTO at Lancope. "The fix has been available for a very long time and websites exist that freely test for these vulnerabilities – but still the administrators of these servers are irresponsibly leaving them unpatched and are helping attackers do this type of damage. The Internet," he adds, "is like having a neighbur who likes to play with explosives in the apartment next door."
The concern now, however, is whether this is just the start of a new season of massive DDoS attacks. "It looks like this kind of attack (NTP based) has become popular during the Christmas Holidays," commented de la Arada. "But it is just a matter of time before a large number of the NTP servers are going to be updated – or the attackers discover another reflection technique to improve their DDoS attacks."
"The reason these attacks are getting larger is the simple fact that the pipes are getting larger," said Keanini. The bigger the pipes, the greater the attack. "Next year I expect to see this at least double in terms of traffic/sec.”
Stephenson agrees that this new 'record' will not last long. "DDoS attack motivations are wide ranging and unpredictable, meanwhile attack tools and the sophistication of the attacks continue to evolve. It’s a volatile combination that can strike any Internet business at any moment." He believes that ISPs need to do more to protect their customers, "by enhancing their network infrastructure and services with an additional layer of security, capable of inspecting and detecting malicious traffic closer to the source before it converges on the intended DDoS victim."