A distributed denial-of-service attack targeting a client of the content delivery network Cloudflare reached new highs in malicious traffic today, striking at the company’s data centers in Europe and the US. According to a Twitter post by Cloudflare CEO Matthew Prince, the full volume of the attack exceeded 400 gigabits per second—making it the largest DDoS attack ever recorded.
The attack used Network Time Protocol (NTP) reflection, the same technique used in recent attacks against gaming sites by a group called DERP Trolling. NTP is used to synchronize the time settings on computers across the Internet. The attack made fraudulent synchronization requests to NTP servers that caused them to send a flood of replies back at the targeted sites.
Reflection attacks have been a mainstay of DDoS tools and botnets, but the use of NTP in such attacks is relatively new. Last year’s attack on Spamhaus, which previously set the record for the largest DDoS ever, used a Domain Name Service (DNS) protocol attack—a much more common approach that takes advantage of the Internet’s directory service, forging requests for DNS lookups from the intended target and sending them to scores of open DNS servers. The size of the traffic directed back at the target from these requests far exceeds the size of the requests sent to the DNS servers, which is why the technique is often called a DNS amplification attack.