Cyber Incident Victim: Cloudflare
Date:
Feb 2014
Location:
United States of America
Summary
A massive distributed denial-of-service attack targeted a client of Cloudflare, generating over 400 gigabits per second of malicious traffic and marking the largest such attack recorded at the time. The assault exploited Network Time Protocol reflection, leveraging vulnerable servers to amplify fraudulent synchronization requests via the "monlist" command, which forced servers to overwhelm the target with excessive response data. This technique mirrored earlier DNS amplification methods but utilized publicly accessible time servers, which numbered in the thousands and enabled greater attack scalability due to their relative abundance compared to increasingly secured DNS infrastructure. The incident underscored evolving DDoS tactics exploiting protocol vulnerabilities for amplified traffic floods.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On February 11, 2014, Cloudflare’s content delivery network experienced a distributed denial-of-service (DDoS) attack targeting one of its clients, generating traffic volumes exceeding 400 gigabits per second—the largest such attack recorded at the time. The attack primarily impacted Cloudflare’s data centers in Europe and the United States. Attackers exploited the Network Time Protocol (NTP) using a reflection technique, sending fraudulent synchronization requests to NTP servers that then flooded the target with amplified responses. This method leveraged a vulnerability in NTP’s "monlist" command, which caused servers to respond with the IP addresses of the last 600 devices connected to them, significantly multiplying the volume of data directed at the victim. The attack mirrored tactics previously employed by the group DERP Trolling against gaming sites, though the article does not confirm this group’s involvement in the Cloudflare incident. NTP reflection attacks were relatively novel compared to more established methods like DNS amplification, which had been used in the prior record-setting attack against Spamhaus. DNS amplification exploited open DNS servers to generate large response packets, but efforts to reduce vulnerable DNS servers had pushed attackers toward alternative protocols like NTP.

The scale of the attack highlighted the susceptibility of public NTP infrastructure, with over 3,000 active time servers exposed to abuse and many more potentially vulnerable on smaller networks. Unlike DNS amplification, NTP typically involved smaller data exchanges, but the monlist vulnerability enabled attackers to achieve comparable amplification effects. Cloudflare CEO Matthew Prince publicly confirmed the attack’s unprecedented bandwidth. The incident underscored the evolving nature of DDoS tactics as attackers shifted to less-secured protocols when traditional methods became mitigated. While the article does not detail Cloudflare’s specific countermeasures during the event, it notes that network operators could diminish such attacks by configuring firewalls to block external NTP requests. No specific consequences for Cloudflare’s client or operational disruptions were described, but the event emphasized the persistent challenge of protocol-level vulnerabilities in enabling large-scale DDoS campaigns.
