One of the largest distributed denial-of-service (DDoS) NTP reflection attacks, with a magnitude of 255 Gbps, took down www.quikr.com and disrupted the normal operations of Netmagic and its upstream ISPs. As the attack was observed beyond 255 Gbps, the IP was blackholed internationally.
This is the largest DDoS NTP reflection attack to have happened in India, specifically against an Indian-hosted site; it peaked at 250 Gbps. The biggest one on record, in the US against one of the customers of CloudFlare, had a magnitude of 400 Gbps.
What is an NTP reflection attack?
NTP is the Network Time Protocol, used to synchronize time between client and server. It is a UDP protocol and runs on port 123. In an NTP reflection attack, the attacker sends a crafted packet that requests a large amount of data to be sent to the target host. In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older versions of NTP that sends the requester a list of the last 600 hosts that have connected to that server. For attackers, the monlist query is a great reconnaissance tool. For a localized NTP server, it can help to build a network profile. However, as a DDoS tool it is even better, because a small query can redirect megabytes' worth of traffic. NTP-based reflection attacks are designed to cause high impact with little effort.
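For operators who want to confirm their own NTP servers cannot be used as monlist reflectors, here is a small configuration audit, added as an example and not part of the original post. It assumes the reference ntpd's ntp.conf directives `disable monitor` and `restrict default ... noquery`; the function name and both sample configurations are constructed for illustration.

```python
def audit_ntp_conf(text):
    """Return (exposed, findings) for monlist exposure in ntp.conf text."""
    monitor_enabled = True   # ntpd keeps the monitor list unless told not to
    default_rules = []       # flag sets from every 'restrict default' line
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("enable", "disable") and "monitor" in args:
            monitor_enabled = keyword == "enable"
        elif keyword == "restrict":
            if args and args[0] in ("-4", "-6"):   # optional address family
                args = args[1:]
            if args and args[0] == "default":
                default_rules.append(set(args[1:]))

    blocking = {"noquery", "ignore"}   # flags that refuse remote queries
    findings = []
    if monitor_enabled:
        findings.append("monitoring is on: add 'disable monitor'")
    if not default_rules:
        findings.append("no 'restrict default' line: queries accepted from any host")
    for flags in default_rules:
        if not flags & blocking:
            findings.append("'restrict default %s' lacks noquery" % " ".join(sorted(flags)))
    queries_open = not default_rules or any(not f & blocking for f in default_rules)
    # monlist is answered only when the monitor list exists AND the
    # requester is allowed to send queries, so both must hold to be exposed.
    return monitor_enabled and queries_open, findings

# Constructed sample configurations (not taken from any real server).
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default nomodify notrap   # no noquery: anyone may query
restrict 127.0.0.1
"""
HARDENED_CONF = """\
server 0.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        exposed, findings = audit_ntp_conf(conf)
        print(name, "EXPOSED" if exposed else "ok", findings)
```

A configuration that reports findings but is not flagged as exposed still has only one of the two controls in place; applying both is the safer setting.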
Within a couple of hours, Quikr was up and running. Special thanks to Netmagic and its team for identifying and isolating the attack.