Researchers at Arbor Networks are reporting a significant spike in volumetric attacks driven by the growth of Network Time Protocol [NTP] reflection/amplification attacks.
In Arbor Networks’ ATLAS Q1 2014 Update, the firm noted that the average NTP traffic globally in November 2013 was 1.29 GB/sec. By February 2013, it was 351.64 GB/sec.
NTP is used to synchronize clocks over a computer network. According to Arbor Networks, any UDP [user datagram protocol]-based service such as DNS or Simple Network Management Protocol [SNMP] is a potential vector for DDoS attacks because the protocol is connectionless and source IP addresses can be spoofed by attackers who have control of compromised hosts on networks that have not implemented anti-spoofing measures.
NTP is popular due to its high amplification ratio, the firm said.
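The mechanism described above implies two checks a network operator can run on its own flow data: outbound packets carrying a source address the network does not own (what anti-spoofing egress filtering, BCP 38, exists to drop) and local UDP/123 servers whose replies to a peer are many times larger than the queries that peer sent. The script below is an added example, not code from the article or from Arbor; the local prefix and the flow records are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Assumed: this network's own address space (documentation prefix as a placeholder).
LOCAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed flow records as (src, sport, dst, dport, bytes), the shape an edge
# router or flow collector would export. Not data from the article.
SAMPLE_FLOWS = [
    ("203.0.113.10", 50001, "198.51.100.5", 123, 48),   # local client queries an NTP server
    ("198.51.100.5", 123, "203.0.113.10", 50001, 48),   # ordinary 1:1 reply
    ("192.0.2.9", 50002, "203.0.113.53", 123, 60),      # small query arriving at our NTP server
    ("203.0.113.53", 123, "192.0.2.9", 50002, 30000),   # very large reply to the same peer
    ("198.51.100.99", 50003, "192.0.2.9", 123, 60),     # leaves our network with a foreign source
]

def is_local(addr, prefixes=LOCAL_PREFIXES):
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in prefixes)

def spoofed_egress(flows, prefixes=LOCAL_PREFIXES):
    """Outbound packets whose source is not ours: exactly what BCP 38 egress
    filtering should drop, since a spoofed source is how a reflected reply
    gets pointed at the victim instead of back at the sender."""
    return [f for f in flows
            if not is_local(f[2], prefixes) and not is_local(f[0], prefixes)]

def reflector_candidates(flows, prefixes=LOCAL_PREFIXES, port=123, threshold=10.0):
    """Local UDP/123 servers whose reply volume to a peer dwarfs what that peer
    sent: the amplification ratio the article refers to, seen from the side of
    a network unknowingly acting as the amplifier."""
    req = defaultdict(int)   # (server, client) -> bytes received from client
    resp = defaultdict(int)  # (server, client) -> bytes sent back to client
    for src, sport, dst, dport, nbytes in flows:
        if dport == port and is_local(dst, prefixes):
            req[(dst, src)] += nbytes
        elif sport == port and is_local(src, prefixes):
            resp[(src, dst)] += nbytes
    flagged = []
    for key, sent in resp.items():
        ratio = sent / req[key] if req[key] else float("inf")
        if ratio >= threshold:
            flagged.append((key[0], key[1], ratio))
    return flagged

if __name__ == "__main__":
    for f in spoofed_egress(SAMPLE_FLOWS):
        print("spoofed egress (BCP 38 should drop):", f)
    for server, client, ratio in reflector_candidates(SAMPLE_FLOWS):
        print(f"reflector candidate {server} -> {client}: {ratio:.0f}x amplification")
```

On real exports the prefix list and a per-site threshold are the only knobs; a ratio near 1 for most peers with one far above it is the usual sign of a server answering a query type it should not.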
“Arbor has been monitoring and mitigating DDoS attacks since 2000,” said Arbor Networks Director of Solutions Architects Darren Anstee, in a statement. “The spike in the size and frequency of large attacks so far in 2014 has been unprecedented. These attacks have become so large they pose a very serious threat to Internet infrastructure, from the ISP to the enterprise.”
The United States, France and Australia were the most common targets overall, with the US and France being the most common targets of large attacks, according to the firm.
DDoS attacks can come from a multitude of sources. Researchers at Akamai Technologies – which recently purchased DDoS solution provider Prolexic Technologies – noted the rise of a DDoS crimeware kit known as Storm Network Stress Tester that appears to be designed to target users in Asia running Windows XP.
According to Akamai, the kit is unrelated to the Storm botnet that compromised millions of computers several years ago.
“The Storm crimeware kit can generate up to 12 Mbps of attack traffic leveraging a single infected host with a single attack vector,” according to an advisory by Akamai’s Prolexic Security Engineering and Response Team. “However, Storm is designed to support up to four simultaneous DDoS attack types and can generate significant payloads when used in attacks involving a large number of compromised hosts. In addition to its multiple DDoS attack capabilities, it can be used to manipulate infected hosts remotely.”
“The analysis of the Storm Network Stress Tester crimeware kit illustrates how readily malicious actors have been able to set up and control a botnet,” according to the firm. “When coupled with a high infection rate, attackers have been able to launch major DDoS attacks against their targets. Security features in newer Windows operating systems can make this crimeware kit less effective, but more sophisticated attackers have bypassed these limitations and increased the rate of infection.”