[url]http://www.bbc.co.uk/news/technology-26136774[/url]
[QUOTE=BBC]A massive attack that exploited a key vulnerability in the infrastructure of the internet is the "start of ugly things to come", it has been warned.
Online security specialists Cloudflare said it recorded the "biggest" attack of its kind on Monday.
Hackers used weaknesses in the Network Time Protocol (NTP), a system used to synchronise computer clocks, to flood servers with huge amounts of data.
...
Cloudflare chief executive Matthew Prince said his firm had measured the "very big" attack at about 400 gigabits per second (Gbps), 100Gbps larger than an attack on anti-spam service Spamhaus last year.[/QUOTE]
[QUOTE=BBC]Attackers used a well-known method to bring down a system known as Denial of Service (DoS) - in which huge amounts of data are forced on a target, [B]causing it to fall over.[/B][/QUOTE]
Damn those precariously balanced servers.
Oh, and how they did it:
[QUOTE=BBC]A computer needing to synchronise time with the NTP will send a small amount of data to make the request. The NTP will then reply by sending data back.
The vulnerability lies with two weaknesses. Firstly, the amount of data the NTP sends back is bigger than the amount it receives, meaning an attack is instantly amplified.
Secondly, the original computer's location can be "spoofed", tricking the NTP into sending the information back to somewhere else.
In this attack, it is likely that many machines were used to make requests to the NTP. Hackers spoofed their location so that the massive amounts of data from the NTP were diverted to a single target.[/QUOTE]
That is incredibly clever and insidious.
Isn't this just a reflect attack though?
I remember this same trick being used involving the MW2 server search that caused several MB to be directed towards the target.
Why do DDoS's still get into the news?
This happens at the same time cheatpunch came online...
[I]Coincidence? You decide.[/I]
[QUOTE=proboardslol;43875105]Why do DDoS's still get into the news?[/QUOTE]
Honestly, entirely because I could make bad puns.
Although I can't answer for the BBC
[QUOTE=Capnscarlet;43875188]Honestly, entirely because I could make bad puns.
Although I can't answer for the BBC[/QUOTE]
Well bad puns is the point of SH, obviously, but as for the BBC I am clueless
Interesting, I wonder what the ratios are for data sent to the NTP server and the data sent by the server.
Don't people use this with DNS servers nowadays though? I thought that had like a 70:1 ratio or something.
[QUOTE=proboardslol;43875233]Well bad puns is the point of SH, obviously, but as for the BBC I am clueless[/QUOTE]
I guess it's more that us internet people are kind of adjusted to DoS attacks, to the public it's not necessarily common knowledge. And if it actually affected anyone who'd since been wondering "why wasn't that thing working today" it's newsworthy - although they say the target was unknown, so I kind of doubt that's the case.
NTP reflection is 18x amp if I remember correctly
I'll be here all week, tip your server.
We should really get the international community together and finally lay down a Geneva Convention of cyber-warfare, but we won't, so this shit will still continue.
Crazy. Why didn't I think of that.
[QUOTE=proboardslol;43875105]Why do DDoS's still get into the news?[/QUOTE]
This is the largest DDOS ever, peaking at over 400 Gbps
Keep in mind this is what •••••••••••• used.
He took out Dota2/LoL/Club Penguin (lol) and a bunch of other huge websites/companies simply using NTP
For those of you who admin NTPd servers, here is the security advisory:
[quote]
References: CVE-2013-5211 / VU#348126
Versions: All releases prior to 4.2.7p26
Date Resolved: 2010/04/24
Summary: Unrestricted access to the monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013
[b]Mitigation:[/b]
Upgrade to 4.2.7p26 or later.
Users of versions before 4.2.7p26 should either:
Use noquery in your default restrictions to block all status queries.
Use disable monitor to disable the ntpdc -c monlist command while still allowing other status queries.[/quote]
[url]http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using[/url]
AKA fixed in 4.2.7p26 or later; the problem is NTP isn't something that exactly needs feature updates every few months, so it rarely gets updated.
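Since the advisory above gives two configuration fixes (noquery in the default restrict lines, or disable monitor), here is an added example, not from the thread or from ntp.org, of a small Python audit that parses an ntp.conf and reports whether either mitigation is actually in place. The two ntp.conf snippets are constructed for illustration.

```python
# Audit an ntp.conf for the monlist mitigations in the advisory above.
# Added example, not from the thread or from ntp.org; configs are constructed.

# Constructed: a stock-looking ntp.conf with no restrict lines at all.
OPEN_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
"""

# Constructed: same server list with the advisory's two mitigations applied.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
# refuse all mode 6/7 status queries (monlist included) from everyone by default
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
# belt and braces: switch the monitor list off entirely
disable monitor
server 0.pool.ntp.org iburst
"""

def audit_monlist(conf_text):
    """Return {'noquery', 'monitor', 'mitigated'} for one ntp.conf text.

    noquery   -> every 'restrict [-4|-6] default' line blocks queries
                 (noquery, or ignore which drops everything)
    monitor   -> a 'disable monitor' directive is present
    mitigated -> at least one of the two holds
    """
    default_flags = []
    monitor_disabled = False
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()      # strip comments / blanks
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == 'restrict':
            rest = tokens[1:]
            if rest and rest[0] in ('-4', '-6'):   # address-family form
                rest = rest[1:]
            if rest and rest[0] == 'default':
                default_flags.append(set(rest[1:]))
        elif tokens[0] == 'disable' and 'monitor' in tokens[1:]:
            monitor_disabled = True
    # No default restriction at all means every client may query monlist.
    noquery = bool(default_flags) and all(f & {'noquery', 'ignore'} for f in default_flags)
    return {'noquery': noquery, 'monitor': monitor_disabled,
            'mitigated': noquery or monitor_disabled}

if __name__ == '__main__':
    for name, conf in (('open', OPEN_CONF), ('hardened', HARDENED_CONF)):
        print(name, audit_monlist(conf))
```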
I thought hackers were tipping restaurant servers :v:
Pretty crazy though. Never heard of a DDOS this big.
But like, DNS reflection is worse.
I prefer going to the center the server is hosted and pushing the server over myself.