Dramatic Drop in Vulnerable NTP Servers Used in DDoS Attacks

95 percent of vulnerable NTP servers leveraged in massive DDoS attacks earlier this year have been patched, but the remaining servers still have experts concerned.

While patching of webservers vulnerable to the Heartbleed OpenSSL bug may have stalled, the same cannot be said about repairs to NTP servers that could be leveraged in devastating amplification attacks.

A spate of distributed denial-of-service attacks (DDoS) tore through companies in January and February, some reaching 400 Gbps and keeping critical services offline. Attackers took advantage of a weakness in the Network Time Protocol (NTP) to send copious amounts of traffic to spoofed destinations. The DDoS attacks were cheap and easy to pull off, and garnered the concern of among others US-CERT, which issued an advisory in January at the height of the takedowns.

At the time, more than 430,000 servers could be used in attacks; that number crashed by March to just more than 21,000 and by May, a hair over 17,000 servers were still vulnerable, according to research released today by security company NSFocus.

“It’s a huge drop,” said Terence Chong, solutions architect at NSFocus. “Once the vulnerability had been discovered, and advisories were put out, organizations managing these open servers took corrective action to patch their servers and bring the software to the latest version.”

The latest version disabled the monlist feature, or MON_GETLIST command in NTP servers, which are used to synchronize time settings across computers. The feature enables administrators to get a list of the last 600 machines interacting with the NTP server, a classic set-and-forget feature. Attackers were using the feature to forge monlist requests from their targets, which were flooded with UDP traffic. The responses can be amplified to be much larger than the original request and with enough NTP servers returning requests, websites and servers are easily overrun with traffic.

Organizations were urged to immediately patch, or manually disable the monlist command, in order to alleviate the problem. And while 95 percent have, the remaining 17,000 servers are still a concern, Chong said.

“Seventeen thousand is still a lot of servers out there and they may not be patched for a long time,” Chong said. “If they haven’t been patched yet, it could be because the server is not properly documented or managed, and may not be discovered for quite some time.”

NSFocus conducted worldwide scans looking for NTP servers in order to collect its data. Chong said the company still observes attacks leveraging a percentage of the remaining unpatched servers, and cautions that while most have been patched, as of May, more than 2,000 remain that have the capability to launch attacks with 700x amplification.

“Any amplification attacks are a cheap method for DDoS attackers to launch,” Chong said. “They can write a script that creates 10x to 500x amplification traffic volume that could bring down a site easily versus the traditional method of using botnets under their control to generate traffic themselves, which takes a lot of effort.”

In April, Arbor Networks reported data that showed 85 percent of DDoS attacks that topped 100 Gbps were NTP amplification attacks. CloudFlare reported a 400 Gbps NTP amplification attack against one of its customers, topping a 300 Gbps attack against Spamhaus that relied on DNS amplification instead.

Chong said it’s crucial the remaining NTP servers be patched. NTP servers that also allow source IP address spoofing and do not follow BCP38, a standard that defines how to defeat IP source address spoofing, are also liable to become sources of future DDoS attacks.

“It’s a clever attack. If I generate a script that sends a request every second, imagine the effect of the returning packets,” Chong said.

Suggested articles