The attack, which targeted one of CloudFlare's customers, was first disclosed when CloudFlare CEO Matthew Prince tweeted, "Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year. Mitigating."
Later, Prince added, "Someone's got a big, new cannon. Start of ugly things to come."
The attack leveraged NTP, the Network Time Protocol that computers use to set their clocks. "Unfortunately, the simple UDP-based NTP protocol is prone to amplification attacks because it will reply to a packet with a spoofed source IP address and because at least one of its built in commands will send a long reply to a short request," Cloudflare programmer John Graham-Cumming wrote in a blog post explaining how such attacks work. "That makes it ideal as a DDoS tool."
Prince tweeted that "each misconfigured NTP server like had a ~100 Mbps connection, with 80 percent utilization. Attacker would need ~1 Gbps connection."
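An added example, not from the article or from CloudFlare: one way an operator could spot the short-request, long-reply pattern described above in traffic seen at their own NTP server. It assumes packets already filtered to UDP port 123 and supplied as (source, destination, payload) tuples, and it looks only at NTP mode 7 ("private") messages, which is an assumption about which command is being abused; the addresses, payload sizes and the `find_reflection` name are constructed for illustration.

```python
from collections import defaultdict

MODE_PRIVATE = 7      # NTP mode 7: implementation-specific "private" messages
RESPONSE_BIT = 0x80   # set in the first byte of a mode 7 reply

def is_mode7(payload: bytes) -> bool:
    # The mode field is the low three bits of the first header byte.
    return bool(payload) and payload[0] & 0x07 == MODE_PRIVATE

def find_reflection(packets, min_factor=10.0):
    """Return (server, claimed_client, bytes_in, bytes_out, factor) rows where
    mode 7 replies far outweigh the requests that triggered them."""
    bytes_in = defaultdict(int)    # (server, client) -> request bytes
    bytes_out = defaultdict(int)   # (server, client) -> reply bytes
    for src, dst, payload in packets:
        if not is_mode7(payload):
            continue               # ordinary time sync (modes 3/4) is ignored
        if payload[0] & RESPONSE_BIT:
            bytes_out[(src, dst)] += len(payload)
        else:
            bytes_in[(dst, src)] += len(payload)
    rows = []
    for (server, client), out in bytes_out.items():
        req = bytes_in.get((server, client), 0)
        if req and out / req >= min_factor:
            # The request's source may be spoofed, so "client" is the address
            # receiving the replies, not necessarily the real sender.
            rows.append((server, client, req, out, round(out / req, 1)))
    return sorted(rows)

# Constructed sample traffic (documentation address ranges, zero-padded payloads).
SERVER, TARGET, CLIENT = "192.0.2.10", "198.51.100.7", "203.0.113.5"
SAMPLE = (
    [(CLIENT, SERVER, b"\x23" + bytes(47)),    # mode 3 client request
     (SERVER, CLIENT, b"\x24" + bytes(47)),    # mode 4 server reply
     (TARGET, SERVER, b"\x17" + bytes(7))]     # one short mode 7 request
    + [(SERVER, TARGET, b"\xd7" + bytes(439))] * 10   # ten long mode 7 replies
)

if __name__ == "__main__":
    for row in find_reflection(SAMPLE):
        print(row)
```

A server that appears in the output is answering the amplifying command for outside addresses and is a candidate for the cleanup Prince describes.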
"We're working to get the word out about misconfigured NTP servers to get the fundamental problem cleaned up and help better protect everyone on the Web," Prince told eWeek. "Network administrators can test if they're running a misconfigured NTP server by visiting OpenNTPProject.org."