NTP Amplified DDoS Attacks on the Rise

NTP amplification DDoS attacks are on the rise despite an effort to close off the holes in network time protocol servers that enable such attacks.

An ever-shrinking number of vulnerable network time protocol (NTP) servers are being used with customized distributed denial of service (DDoS) toolkits to perform increasingly potent NTP amplification attacks.

According to the DDoS mitigation specialists at Prolexic, who issued a high-alert DDoS attack threat advisory this morning, high-bandwidth NTP amplification DDoS attacks are up 371.43 percent in the last 30 days. This increase comes despite a high level of awareness that vulnerable NTP servers can be exploited to amplify DDoS attacks and a concerted effort throughout the security community to decrease the number of vulnerable NTP servers.

“During the month of February, we saw the use of NTP amplification attacks surge 371 percent against our client base,” said Stuart Scholly, a senior vice president and general manager of security at Akamai Technologies, which recently acquired Prolexic. “In fact, the largest attacks we’ve seen on our network this year have all been NTP amplification attacks.”

Not only did the overall number of NTP amplification attacks increase from January to February, but so too did the average peak bandwidth of DDoS attacks (up 217.97 percent) and the average peak volume of DDoS attacks (up 807.48 percent). Such attacks are also affecting more industries than ever, including the finance, gaming, e-commerce, Internet, media, education, software-as-a-service (SaaS), and security industries.

Perhaps the most exploitable aspect of NTP is the monlist request. One of the more recent and commonly deployed DDoS toolkits uses an NTP server’s own list of recent server connections – known as its monlist and containing as many as 600 IP addresses – as the payload to create malicious traffic at the target site. While the method is not new, Prolexic claims it is certainly garnering wider use than it previously has.

In their advisory, Prolexic notes that the ongoing effort to purge the Internet of vulnerable NTP servers is driving attackers to develop new tools enabling them to launch potent attacks with fewer servers. As their report makes clear, the existing vulnerable NTP servers are more than capable of reaching crippling DDoS amplification levels.

In a lab environment, Prolexic simulated NTP amplification attacks and found that the method could amplify the bandwidth and volume of DDoS attacks by 300 times and 50 times, respectively. The company notes that the results of these tests reflect a “perfect storm” scenario and that real-world attacks would be less effective.
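For operators checking whether their own NTP servers answer monlist, the following added example (not from Prolexic's advisory or this article) classifies UDP/123 payloads as monlist requests or responses and computes the response-to-request byte ratio per server. The packet layout follows ntpd's mode 7 header; the addresses, packet sizes and the `classify`, `summarize` and `_mode7` names are constructed for illustration.

```python
import struct

MODE_PRIVATE = 7                 # NTP mode 7: ntpdc private/admin requests
MONLIST_CODES = {20, 42}         # MON_GETLIST and MON_GETLIST_1 request codes

def classify(payload: bytes) -> str:
    """Label a UDP/123 payload: 'monlist-request', 'monlist-response' or 'other'."""
    if len(payload) < 8:         # mode 7 header is 8 bytes
        return "other"
    b0, _seq, _impl, req = struct.unpack("!BBBB", payload[:4])
    if (b0 & 0x07) != MODE_PRIVATE or req not in MONLIST_CODES:
        return "other"
    return "monlist-response" if b0 & 0x80 else "monlist-request"

def summarize(packets):
    """packets: iterable of (src_ip, dst_ip, payload) observed on UDP/123.
    Returns per-server byte counts, monlist entries returned, and the
    response/request byte ratio (the amplification factor)."""
    stats = {}
    for src, dst, payload in packets:
        kind = classify(payload)
        if kind == "other":
            continue
        server = dst if kind == "monlist-request" else src
        s = stats.setdefault(server, {"req_bytes": 0, "resp_bytes": 0, "entries": 0})
        if kind == "monlist-request":
            s["req_bytes"] += len(payload)
        else:
            s["resp_bytes"] += len(payload)
            # low 12 bits of bytes 4-5 hold the item count in this packet
            s["entries"] += struct.unpack("!H", payload[4:6])[0] & 0x0FFF
    for s in stats.values():
        s["factor"] = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else None
    return stats

def _mode7(response, items=0, item_size=0, body=40):
    """Build a constructed mode 7 packet for the sample capture below."""
    b0 = (0x80 if response else 0) | (2 << 3) | MODE_PRIVATE
    return struct.pack("!BBBBHH", b0, 0, 3, 42, items, item_size) + bytes(body)

# Constructed capture (documentation addresses): one request, three replies
# of 6 entries x 72 bytes each, and one ordinary mode 3 client query.
SAMPLE = [("198.51.100.7", "192.0.2.10", _mode7(False))]
SAMPLE += [("192.0.2.10", "198.51.100.7", _mode7(True, 6, 72, 6 * 72))] * 3
SAMPLE += [("203.0.113.5", "192.0.2.10", b"\x23" + bytes(47))]

if __name__ == "__main__":
    for server, s in summarize(SAMPLE).items():
        print(server, s)
```

Any server that appears in the output with a factor well above 1 is answering monlist and is a candidate for having the monitor facility disabled or mode 7 queries restricted.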
