On February 11, 2014, CloudFlare revealed that its customers were being hit by a 400 Gbps NTP Flood attack, a new record for DDoS peak traffic. Beyond the peak figure itself, NTP Flood attacks have drawn wide attention in the industry. In fact, since the hacker group DERP launched a reflection attack using NTP, NTP reflection attacks accounted for 69% of DoS attack traffic in the first week of 2014, and the average size of an NTP attack was about 7.3 Gbps, three times the average attack traffic observed in December 2013.
Let's first look at how NTP servers work. NTP (Network Time Protocol) is a standard network time synchronization protocol that adopts a hierarchical time distribution model. The network architecture mainly consists of master time servers, slave time servers, and clients. The master time server sits at the root node and is responsible for synchronizing with a high-precision time source and providing time service to the other nodes. Each client synchronizes with a slave time server, which in turn synchronizes with the master server. Taking a large enterprise network as an example, the enterprise builds its own time server, which synchronizes its time from a master time server and then distributes that time to the enterprise's business systems. To keep time synchronization delay small, each country has built a large number of regional time servers to act as master time servers and meet the synchronization needs of the various Internet business systems. With the rapid development of network informatization, all walks of life, including finance, telecommunications, industry, railway transportation, air transportation and other industries, depend more and more on Ethernet technology. All kinds of application systems are made up of different servers; for example, an e-commerce website consists of a web server, an authentication server, and a database server, and for the web application to function properly the clocks of the web server, authentication server, and database server must be kept synchronized in real time. Distributed cloud computing systems, real-time backup systems, billing systems, network security authentication systems, and even basic network management all rely on accurate time synchronization. So why is the mysterious NTP Flood so popular with hackers?
NTP is a server/client model built on the UDP protocol, which has a natural security weakness because UDP is connectionless (unlike TCP, which has a three-way handshake). Hackers exploited this weakness of NTP servers to launch DDoS attacks. In just two steps, an attacker can achieve a huge effect with very little effort. Step 1: find the targets, including the attack target and the NTP server resources on the network. Step 2: forge the IP address of the attack target and send clock synchronization request packets to the NTP servers; to increase the attack intensity, the request sent is a monlist request, which is far more powerful. The NTP protocol includes a monlist function for monitoring the NTP server: the server responds to the monlist command by returning the IP addresses of the last 600 clients that synchronized with it. The response is split into packets of 6 IPs each, so a single NTP monlist request can produce up to 100 response packets, which gives it strong amplification capability. A lab simulation test showed that when the request packet is 234 bytes, each response packet is 482 bytes, and from this data the amplification factor is calculated as 482*100/234 = 206 times! Wow, haha~~~ The attack effect is obvious: the attacked target soon suffers a denial of service, and the entire network may even become congested. Since the hacker group DERP discovered the effectiveness of NTP reflection attacks, it has used them in a series of DDoS attacks against major game companies including EA and Blizzard at the end of December 2013.
It seems that the mysterious NTP reflection attack is actually not mysterious at all. It works the same way as a DNS reflection attack, which also exploits the insecurity of the UDP protocol and open servers, but the difference is that NTP is more threatening, because every data center server needs clock synchronization and so cannot simply be protected by filtering the protocol and port. To sum up, the biggest feature of reflection attacks is that they use vulnerabilities in various protocols to amplify the attack effect, but they all share one weak spot: as long as defenders strike at the "seven inches" of the attack (the snake's weak spot), they can contain it at its root. The "seven inches" of a reflection attack is its traffic anomaly. This requires the protection system to detect traffic anomalies in time, but detecting the anomaly is far from enough; the protection system must also have enough capacity to withstand this simple, brute-force attack. Bear in mind that today's attacks are often 100 Gbps, so if the protection system does not have several hundred Gbps of protection capacity, it can only watch helplessly even after detecting the attack.
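The following is an added example, not code from the original article. It puts the article's two technical points into working form: the amplification arithmetic from the lab test (234-byte request, 482-byte responses, up to 100 response packets), and a flow-level detector for the traffic anomaly the article says defenders must spot. The flow records, IP addresses, the Flow record layout and the threshold values are all constructed assumptions for illustration; the detector's logic is that a reflected victim receives large volumes from many UDP/123 sources while having sent little or no NTP traffic itself, whereas a genuine client shows a roughly one-to-one exchange with a few servers.

```python
"""NTP monlist amplification arithmetic and a flow-level reflection detector.

Added example; the flow records and thresholds are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple

NTP_PORT = 123

# Lab figures quoted in the article: one 234-byte monlist request can draw up to
# 100 response packets of 482 bytes each.
MONLIST_REQUEST_BYTES = 234
MONLIST_RESPONSE_BYTES = 482
MONLIST_MAX_RESPONSES = 100


def amplification_factor(request_bytes: int = MONLIST_REQUEST_BYTES,
                         response_bytes: int = MONLIST_RESPONSE_BYTES,
                         response_packets: int = MONLIST_MAX_RESPONSES) -> float:
    """Bandwidth amplification factor: bytes returned per byte of spoofed request."""
    return response_bytes * response_packets / request_bytes


class Flow(NamedTuple):
    """One unidirectional UDP flow record (NetFlow-style); a constructed layout."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    octets: int


def detect_ntp_reflection(flows: List[Flow], min_reflectors: int = 3,
                          min_ratio: float = 50.0) -> Dict[str, dict]:
    """Flag hosts whose inbound traffic from UDP/123 dwarfs what they asked for.

    Spoofed requests are sent in the victim's name, so the victim itself sends
    little or nothing to port 123 yet receives answers from many NTP servers.
    Thresholds (min_reflectors, min_ratio) are assumptions to tune per network.
    """
    inbound = defaultdict(lambda: {"octets": 0, "reflectors": set()})
    outbound = defaultdict(int)
    for f in flows:
        if f.src_port == NTP_PORT and f.dst_port != NTP_PORT:   # server -> host
            inbound[f.dst_ip]["octets"] += f.octets
            inbound[f.dst_ip]["reflectors"].add(f.src_ip)
        elif f.dst_port == NTP_PORT:                             # host -> server
            outbound[f.src_ip] += f.octets

    alerts = {}
    for host, stats in inbound.items():
        sent = outbound.get(host, 0)
        ratio = stats["octets"] / sent if sent else float("inf")
        if len(stats["reflectors"]) >= min_reflectors and ratio >= min_ratio:
            alerts[host] = {
                "inbound_octets": stats["octets"],
                "outbound_octets": sent,
                "reflectors": len(stats["reflectors"]),
                "ratio": ratio,
            }
    return alerts


# Constructed sample: 203.0.113.20 is a normal client syncing once with one server
# (48-byte NTP packets each way); 203.0.113.10 is receiving full monlist answers
# from five open NTP servers it never queried.
SAMPLE_FLOWS = [
    Flow("203.0.113.20", 40123, "192.0.2.5", NTP_PORT, 1, 48),
    Flow("192.0.2.5", NTP_PORT, "203.0.113.20", 40123, 1, 48),
] + [
    Flow(f"198.51.100.{i}", NTP_PORT, "203.0.113.10", 80,
         MONLIST_MAX_RESPONSES, MONLIST_MAX_RESPONSES * MONLIST_RESPONSE_BYTES)
    for i in range(1, 6)
]

if __name__ == "__main__":
    print(f"monlist amplification factor: about {amplification_factor():.0f}x")
    for host, alert in detect_ntp_reflection(SAMPLE_FLOWS).items():
        print(host, alert)
```

Run against the constructed sample, the normal client is left alone and the reflected host is reported with five reflectors, 241,000 inbound octets and zero outbound octets. The inbound-to-outbound ratio is the check that makes the article's point concrete: the port itself cannot be blocked, because legitimate hosts need it, so the anomaly has to be found in the asymmetry of the traffic, and the detector is only useful if the mitigation behind it has the capacity to absorb what it finds.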