Volume of NTP Amplification Attacks Getting Louder

NTP amplification attacks account for the majority of DDoS attacks that exceed 100 Gbps, according to Arbor Networks.

No security arena is better representative of the cat and mouse game between hackers and defenders than DDoS attacks and prevention/mitigation.

Enterprises and service providers have invested heavily in DDoS mitigations in order to keep critical services available. That’s forced hackers to crank up the volume on attacks, and they’re getting louder by the minute.

First-quarter numbers from Arbor Networks illustrate the point that volumetric attacks, where hackers leverage open DNS resolvers and open NTP servers to launch massive attacks, are already exceeding 2013 totals. Attacks of more than 20 Gbps in Q1 have already toppled all of last year’s similar attacks by 1½ times; 72 incidents of more than 100 Gbps were tracked with the peak attack at 325 Gbps.

The primary means by which hackers are amplifying attacks is through the abuse of a known weakness in a core Internet service known as Network Time Protocol, or NTP. Arbor said that its data shows that 85 percent of DDoS attacks of more than 100 Gbps are NTP reflection attacks; the largest attack came in February when CloudFlare reported a massive attack against one of its customers topping out at 400 Gbps, dwarfing the 300 Gbps attack against Spamhaus last year that relied on DNS amplification instead.

On a technical level, NTP amplification attacks are slightly simpler to pull off because attackers require fewer servers and get a greater return for their abuse.

“The reason has to do with the amplification factor,” said Arbor solutions architect Gary Sockrider. “With NTP reflection attacks, you get 1000 times the amplification; 1000 times the size of the query is reflected back. There’s more cause for alarm with NTP attacks because attackers get a better response rate.”

US-CERT issued an advisory in January warning companies that hackers were exploiting NTP vulnerabilities to flood networks with UDP traffic. NTP servers are publicly available machines used to synchronize computer clocks. With NTP amplification attacks, hackers exploit the MON_GETLIST feature in NTP servers, which returns the IP address of the last 600 machines interacting with an NTP server. Monlists are a classic set-and-forget feature and are vulnerable to hackers making forged REQ_MON_GETLIST requests enabling traffic amplification.

Attackers are able to query NTP servers for traffic counts using the victim’s spoofed source address.

Attackers are able to query NTP servers for traffic counts using the victim’s spoofed source address. In return, the response is much larger than the original request, and with enough vulnerable NTP servers returning requests, a website and/or services are quickly overrun with traffic.

While the possibility exists, Sockrider said, for terabyte-per-second attacks, network and service provider managers have done a better job patching the wonky code in NTP servers than, say, open DNS resolvers. According to the Open Resolver Project, an initiative that tracks open DNS resolvers, more than 28 million were active on the Internet as of last October.

“The infrastructure is out there; abuseable servers are out there,” Sockrider said. “It’s been bad, but it could be worse. The Internet community at large has done a good job locking down NTP, more so than DNS.”

While some of these volumetric attacks are targeted against particular enterprises for any number of financial or ideological motivations, the effects are felt beyond the corporate network.

“When it comes to these volumetric attacks, it’s not about taking down a server, it’s about taking down an infrastructure,” Sockrider said. “Service providers (ISPs, data center, cloud companies, web hosts) have been dealing with volumetric attacks for some time. Because of that, they’ve put in a lot of infrastructure and mitigation capabilities to deal with these attacks.”

Attackers understand that service providers can likely mitigate a 100 Gbps attack for a client, so traffic levels are ramped up, forcing more infrastructure and more spending on mitigations.

“NTP attacks are going to be felt upstream because they are so large. That’s where traffic has to be dealt with,” Sockrider said. “For a example, a service running in a data center has 10 gig links to the Internet; upstream there is a service provider with 100 gig pipes and upstream from them there are lots of 100 gig links. A 400 Gbps attack overwhelms even upstream of the data center with Tier 2 and Tier 3 service providers. It has to be dealt with upstream of those with a Tier 1 provider with circuits big enough to deal with attack.”

The recent Verizon Data Breach Investigations Report also covered DDoS attacks, pointing out that cybercriminals are using botnets to overwhelm networks with traffic, possibly as a cover for intellecural property theft or financial fraud, something that was also covered recently by Incapsula.

“We’re seeing a growing trend of combining DDoS with APT campaigns,” Sockrider said. “Go back a few years, and DDOs was thought of more as a takedown mechanism, not for data exfiltration. Now we’re seeing it more frequently combined with APT, prolonged campaigns where an attacker is on your network and now need to get the data out, they’ll initiate a DDoS attack. It’s the equivalent of a natural disaster and while you’re dealing with it, that’s when they’ll exfiltrate data.”

Suggested articles