Dutch ntp servers abused in large ddos attack on Cloudflare


Dutch ntp servers were also used in the ddos attack on Cloudflare, reportedly the largest ddos attack ever. A vulnerability in the network time protocol lets an attacker use ntp servers to multiply his attack capacity.

In total, well over 4500 ntp servers were abused during the ddos attack, which at 400Gbit/s was very large. At least twenty of them were in the Netherlands and at least one in Belgium, according to an analysis that Cloudflare has published. The servers were hosted by customers of Leaseweb, We, KPN and Xs4all. UPC also appears on the list of networks, but that seems to be a foreign branch of the provider.

Because of the attack's high bandwidth, internet problems occurred in several parts of Europe on Monday, although Cloudflare says it only experienced a limited burden from the attack. Cloudflare is a company that protects its customers' websites against ddos attacks and other forms of overload. The attack is said to have been aimed at a still unnamed customer of the company.

The attack used ntp amplification, which allows an attacker to increase his attack power more than two hundred times. The attacker spoofs the ip address of the target and, supposedly from that ip address, sends a monlist request to an ntp server; the server then sends a list of the last 600 ip addresses that contacted it to the spoofed ip address. The answer is 206 times larger than the request.

Ntp amplification is possible because the request is sent over udp, which unlike tcp requires no handshake. In addition, the attacker's network must allow ip addresses to be spoofed, something that should not be possible according to the guidelines. Cloudflare therefore calls on network administrators to make ip spoofing impossible, if they have not already done so.
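The 206:1 size ratio described above is also the easiest way for an operator to spot that one of their own ntp servers is being abused as an amplifier. The following is an added example, not code from Cloudflare or from the article: it reads constructed NetFlow-style records (assumed format: src ip, src port, dst ip, dst port, protocol, bytes) and flags any udp/123 server whose replies to a single peer are many times larger than what that peer sent, as a monlist reply to a spoofed victim would be.

```python
"""Flag ntp servers that look like they are being abused as amplifiers."""
from collections import defaultdict

# Constructed sample flows. 10.0.0.5 is a local ntp server; 203.0.113.9 is
# the (spoofed) victim address; 198.51.100.7 is an ordinary ntp client whose
# replies are about the same size as its requests.
SAMPLE_FLOWS = """\
203.0.113.9 40000 10.0.0.5 123 udp 8
10.0.0.5 123 203.0.113.9 40000 udp 1648
203.0.113.9 40001 10.0.0.5 123 udp 8
10.0.0.5 123 203.0.113.9 40001 udp 1648
198.51.100.7 123 10.0.0.5 123 udp 48
10.0.0.5 123 198.51.100.7 123 udp 48
"""

NTP_PORT = 123
# Assumed threshold: normal ntp replies are roughly request-sized (ratio ~1),
# while a monlist reply is ~206x its request, so 50 leaves a wide margin.
RATIO_THRESHOLD = 50.0


def parse_flows(text):
    """Parse the assumed record format into (src, sport, dst, dport, proto, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, proto, nbytes = line.split()
        flows.append((src, int(sport), dst, int(dport), proto, int(nbytes)))
    return flows


def byte_counters(flows):
    """Return {(server, peer): [bytes_in, bytes_out]} for udp traffic on port 123."""
    counters = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == NTP_PORT:           # traffic towards a server
            counters[(dst, src)][0] += nbytes
        if sport == NTP_PORT:           # traffic from a server (both ifs fire for 123->123)
            counters[(src, dst)][1] += nbytes
    return counters


def flag_amplifiers(flows, threshold=RATIO_THRESHOLD):
    """Return [(server, peer, out/in ratio)] for pairs whose reply volume exceeds the threshold."""
    flagged = []
    for (server, peer), (bytes_in, bytes_out) in byte_counters(flows).items():
        ratio = bytes_out / max(bytes_in, 1)    # avoid division by zero for reply-only pairs
        if ratio >= threshold:
            flagged.append((server, peer, ratio))
    return sorted(flagged, key=lambda item: item[2], reverse=True)
```

A flagged pair tells the operator which server to lock down (restricting or disabling the monitor list) and which peer is the likely victim whose address is being spoofed.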

Ntp amplification is similar to dns amplification, in which dns servers are abused in the same way via spoofed ip addresses. Cloudflare warns that amplification attacks via the simple network management protocol are even more dangerous, because an attacker can increase his attack capacity by a factor of 650. "We have seen that attackers are already experimenting," Cloudflare said.

[Table, not reproduced here: the ntp servers that were used in the attack]