Some time in December 2014 an unnamed ISP experienced an NTP reflection DDoS attack that peaked at a router-straining 400Gbps, easily the largest denial of service event in Internet history, Arbor Networks' 10th Annual Infrastructure Report has revealed.
It's an apparently small detail slipped into the firm's larger narrative which is probably less important in the grand scheme of things than the fact that super-massive DDoS attacks are now common enough to have turned into dull statistics.
Message - large DDoS attacks are here to stay. But what is driving this ballooning traffic?
Arbor gets its numbers from Peakflow SP sensors in 330 customers' premises feeding into the firm's Atlas system, which it backs up with manual surveys of important ISPs and providers not contributing to this system.
The largest attack recorded by Atlas was 325Gbps (see below), one of a handful of attacks that exceeded 2013's peak attack size of 245Gbps, still large but starting to look old world. In 2013, the system noticed 39 attacks above 100Gbps, which compares to 159 for last year, a fourfold increase.
A closer look reveals that most of 2013's big attacks occurred in the last quarter, a trend that simply carried on over 2014, underlining that something is going on. As for the 400Gbps attack, that was reported to Arbor by a third party and the firm was not able to confirm many details beyond its imposing size.
Increasingly, the culprit is Network Time Protocol (NTP), an important but otherwise totally ignored way for the Internet to keep its routers and server infrastructure synchronised with UTC. Not long after an infamous attack on Spamhaus in early 2013, which used something called DNS amplification to summon up potentially vast amounts of traffic, someone worked out that other protocols were open to the same trick.
NTP turned out to be a good candidate for the same spoofing/amplification treatment, notably during the almost-as-infamous attack on CloudFlare a year ago, the one Arbor mentions as hitting 325Gbps.
It might be assumed that massive DDoS attacks on the scale of the signal Spamhaus attack would be publically acknowledged but this is far from the case. ISPs and Content Delivery Networks (CDNs) continue to see them as localised issues that crop up from time to time and are nobody's business.
Nobody else sees these attacks (customers' pipes are typically far below the maximum size of massive DDoS events anyway) and they most definitely don't 'slow the Internet' as daft stories claimed after the Spamhaus attack. What they do is to seriously annoy ISPs, the organisations that have to silently manage the traffic. There are no plaudits or awards for throwing away dead packets.
Sign up for MIS Asia eNewsletters.