Cyber-attacks: someone’s got a big new cannon, claims Cloudflare’s chief executive

How seriously should governments and businesses take the threat of cyber-attack? Well, in the view of Matthew Prince, chief executive of online security experts Cloudflare, the answer is very seriously indeed. On his social media account he highlighted the scale of the problem by tweeting:

“Someone’s got big new cannon – start of ugly things to come.”

So what’s got Cloudflare in such a panic? What threat was he referring to? Well, it’s a cyber-attack that exploits a key vulnerability in the infrastructure of the internet – the Network Time Protocol. The vulnerability was spotted during the biggest attack of its kind last week. Hackers used weaknesses in the Network Time Protocol (NTP), a system used to synchronise computer clocks, to flood servers with huge amounts of data. Fortunately Cloudflare was able to mitigate the attack.

The exact target of this latest cyber-attack remains unclear, but Cloudflare maintains it was directed at servers in Europe. The attack was carried out using a Denial of Service (DoS) method, forcing huge amounts of data on the chosen target and causing it to grind to a halt. Cloudflare’s Matthew Prince claimed his firm had measured the ‘very big’ attack at approximately 400 gigabits a second: to put that into some type of context, that’s 100Gbps larger than the attack on anti-spam service Spamhaus last year.

Did this attack come completely out of the blue? Well, actually, no it didn’t. Cloudflare and other online security experts have been warning for some time that malicious cyber-attacks of this kind could potentially be used to force popular services offline. Three months prior to the attack Cloudflare published a report warning that attacks using NTP were a distinct possibility, and gave details of how web hosts could best try to protect their customers.

NTP servers, of which there are thousands around the world, are designed to keep computers synchronised to the same time. The basic operational tenets of NTP were drawn up in 1985, a time when the prospect of malicious activity was not considered. Although there have been minor changes since then, it effectively operates in much the same way today.

A computer needing to synchronise its time will send a small amount of data to an NTP server to make the request; the server will then reply by sending data back. However, there are two weaknesses in this system. The first is that the amount of data the NTP server sends back is bigger than the amount it receives, meaning an attack is instantly amplified. The second is that the original computer’s location can be “spoofed”, tricking the NTP server into sending the information back to somewhere else.

In the latest attack, Cloudflare believes it is likely that many machines were used to make requests to NTP servers. Hackers then spoofed their location so that the massive amounts of data from the NTP servers were diverted to a single target:

“Amplification attacks like that result in an attacker turning a small amount of bandwidth coming from a small number of machines into a massive traffic load hitting a victim from around the internet,” Cloudflare explained.

Protocols like NTP may be essential to the smooth functioning of the internet, but are they really secure these days? Well, not according to Prof Alan Woodward, an independent cyber-security consultant. He believes many of these key protocols are vulnerable, and that the best we can hope to achieve is the mitigation of risk. He told the BBC that governments and businesses should utilise technology that can spot when large amounts of data are heading for one destination and shut off the connection.
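
The kind of check Prof Woodward describes can be sketched over network flow records. The following is an added example, not code from Cloudflare or from this article: it flags a destination that receives a large volume of NTP replies (UDP, source port 123) from several servers within one time window. The record layout, the thresholds and all addresses are constructed for illustration.

```python
from collections import defaultdict

NTP_PORT = 123  # NTP servers reply from UDP port 123

# Constructed flow records: (time_s, src_ip, src_port, dst_ip, proto, bytes)
SAMPLE_FLOWS = [
    (1.0, "192.0.2.1", 123, "203.0.113.10", "udp", 400_000),
    (2.5, "192.0.2.2", 123, "203.0.113.10", "udp", 400_000),
    (4.0, "198.51.100.7", 123, "203.0.113.10", "udp", 400_000),
    (6.2, "198.51.100.9", 123, "203.0.113.10", "udp", 400_000),
    # An ordinary client getting one small time reply: must not alert.
    (3.0, "192.0.2.1", 123, "203.0.113.20", "udp", 76),
    # Heavy traffic that is not NTP replies: ignored by this check.
    (5.0, "192.0.2.50", 443, "203.0.113.30", "tcp", 5_000_000),
    # Large NTP volume from a single server: below the source threshold.
    (7.0, "192.0.2.3", 123, "203.0.113.40", "udp", 2_000_000),
]

def find_ntp_floods(flows, window_s=10, min_bytes=1_000_000, min_sources=3):
    """Flag destinations hit by heavy NTP reply traffic from many servers.

    Thresholds are illustrative assumptions; real values depend on the
    normal NTP volume seen on the monitored network.
    """
    buckets = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for ts, src, sport, dst, proto, nbytes in flows:
        if proto != "udp" or sport != NTP_PORT:
            continue  # only replies coming *from* NTP servers matter here
        agg = buckets[(dst, int(ts // window_s))]
        agg["bytes"] += nbytes
        agg["sources"].add(src)

    alerts = []
    for (dst, window), agg in sorted(buckets.items()):
        if agg["bytes"] >= min_bytes and len(agg["sources"]) >= min_sources:
            alerts.append({
                "dst": dst,
                "window_start_s": window * window_s,
                "bytes": agg["bytes"],
                "sources": len(agg["sources"]),
                "mbps": agg["bytes"] * 8 / window_s / 1e6,
            })
    return alerts

if __name__ == "__main__":
    for alert in find_ntp_floods(SAMPLE_FLOWS):
        print(alert)
```

Requiring several distinct source servers as well as a byte threshold keeps one busy but legitimate time server from raising an alert.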
