Matthew Prince, CEO of CloudFlare confirmed in an email Monday evening that the attack on the CloudFlare network that day was indeed massive. Like 400 Gbps massive. Data reported since the email indicate that the scale of the massive NTP reflection attack indeed hit 400Gbps – a whopping number that is bigger than any attack ever seen, even beyond the attack last year against Spamhaus. The attack was against one of its customers and appeared to have caused slowdowns particularly in Europe. Prince’s email:
Attack was over 300Gbps for sure. We think it may have hit 400Gbps, but we’re still aggregating the data. Attack used NTP reflection technique. We’ve seen a significant rise in these type of attacks over the last few months. Here’s more on how they work:
NTP reflection is even more effective than DNS reflection because the amplification factor can be as much as 10x as high per misconfigured machine. This means that while misconfigured NTP servers are a bit harder to find than misconfigured DNS resolvers, the attacks that you can launch with NTP reflection can be as big or bigger.
We saw traffic from the attack to all of our data centers worldwide. We were able to mitigate the attack but did see congestion in Europe which slowed our performance there. We’ve heard scattered reports of upstream congestion affecting other networks that were not directly associated with CloudFlare. There was an AboveNet outage around the same time that I do not think was related to this attack.
The hacker group DerpTrolling was quick to claim responsibility for the attacks on its Twitter account:
Cloudflare EU #offline
— DERP (@DerpTrolling) February 10, 2014
Prince’s response about these claims was justifiably open-ended:
Finally, just because someone takes credit on Twitter doesn’t mean they were the actual person behind the attack so be careful with attribution. We don’t know who was behind it and we haven’t received permission from the customer who was targeted to release their identity or any further details.
As the astonishing scale of the attack started to sink in across the web, Prince tweeted late yesterday:
— Matthew Prince (@eastdakota) February 11, 2014
He has shared what he could, and as he states we may never know who is behind this attack, but DerpTrolling persists:
We’ve never been able to meter the power of our glorious GLB™, but according to CloudFlare it produced over 400GB/s.
— DERP (@DerpTrolling) February 11, 2014
DerpTrolling of course is known for their DDoS trolling, and many of their targets have been in the gaming circles thus far. As Kyt Dotson reports:
During New Years Eve the DDOS troll hit Guild Wars 2 (knocking the login servers offline for a while [reddit]) much to the ire of players who found themselves unable to complete monthly projects. Then the trolls moved onto DDOSing the login servers for Minecraft, delivering equally frustrating results.
Just a few short weeks ago, we published Prince’s predictions for 2014 and it included a forecast for massive scale attacks that would have such impact that there would be significant regional outages. This didn’t take long to manifest and as you can see here, Prince absolutely nailed it with this prediction:
a severe attack that would be at such a scale that it would cause a big point of disruption to large parts of the internet. We have seen attacks that are over a terabit in scale and we’re just teetering as an industry on the first significant massive DDoS internet outage, which will have a big impact and cause damage. We can fully predict that the first of these events will be happening, you can expect that in early 2014.
A big threat that has become quite real, and it hovers over the US as well:
it’s just a matter of scale and probability. The US has 24TB of capacity and that number could be threatened with the scale of some of these existing attacks. With those kinds of odds, you can coordinate and cause some very big issues, the impact would be huge and at a minimum you will see some significant regional disruptions.
Just as other DDoS attacks, the threat of reflection attacks is growing, but there is a significant impact aspect due to the scale of these attacks. Prince’s predictions, his comments yesterday and the events of yesterday form a picture of a big year for DDoS news.