Who would have imagined that network time protocol (NTP) — such an innocuous protocol designed to synchronise the clock on a laptop, smartphone, tablet, and network infrastructure devices — would be abused to cause so much damage?
But NTP reflection/amplification is the current weaponised technique of choice for DDoS attacks.
NTP, which dates back to the 1980s, has been abused for years in reflection/amplification attacks. What changed is that the gaming attacks in
This evolution of NTP in DDoS attacks has established a new 'normal' as 100 Gbps attacks have become relatively common, but attacks of 300-plus Gbps have also been recorded. In February of 2014 alone, there were over 43 separate 100-plus Gbps attacks globally. Even small DDoS attack volumes are able to impact availability and disrupt the performance of servers, applications, or services that are brittle, fragile and non-scalable. Large attacks generate significant collateral damage en route to their target due to their extreme bandwidth consumption on ISP networks and at their various interchange points.
What is an NTP reflection/amplification attack and why is it so dangerous?
In an amplification DDoS attack, an attacker makes a relatively small request that generates a larger response/reply, which is true of most server responses. In a reflection DDoS attack, forged requests are sent to a very large number of Internet-connected devices, which reply to them. The requests use IP address spoofing: the 'source' address is set to the IP address of the actual target of the attack, so all replies are sent there. A reflection/amplification DDoS attack combines both techniques, producing an attack that is both high-volume and difficult to trace back to its point(s) of origin.
NTP has been implemented in all major operating systems, network infrastructure and embedded devices. There are over 100,000 abusable NTP servers with administrative functions incorrectly open to the general Internet. Anti-spoofing deployment gaps exist at network edges. NTP has a high amplification ratio of approximately 1,000 times. Furthermore, attack tools are readily available, making these attacks easy to execute. This equates to a significant risk for any potential target, which should not be taken lightly.
As a result, organisations from large ISPs to enterprises need to address this network-level risk with a network-scale approach.
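One way an operator could spot an NTP server on their network being used as a reflector, as an added example that is not part of the original article: it scores UDP flow records by reply-to-request byte ratio per server/target pair. The record layout, function name, thresholds and sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

NTP_PORT = 123

# Constructed sample UDP flow records: (src_ip, src_port, dst_ip, dst_port, bytes).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    # ordinary client/server exchange: the reply is the same size as the request
    ("192.0.2.10", 40001, "198.51.100.5", 123, 76),
    ("198.51.100.5", 123, "192.0.2.10", 40001, 76),
    # small requests claiming to come from 203.0.113.9, very large replies
    ("203.0.113.9", 50000, "198.51.100.5", 123, 60),
    ("203.0.113.9", 50000, "198.51.100.5", 123, 60),
    ("198.51.100.5", 123, "203.0.113.9", 50000, 44000),
    ("198.51.100.5", 123, "203.0.113.9", 50000, 44000),
    # replies whose requests were not seen at this vantage point
    ("198.51.100.7", 123, "203.0.113.9", 50001, 30000),
]


def find_reflection(flows, min_ratio=10.0, min_reply_bytes=10_000):
    """Return (server, target, request_bytes, reply_bytes, ratio) per flagged pair.

    Thresholds are illustrative assumptions, not values from the article.
    """
    requests = defaultdict(int)  # bytes sent to an NTP server, keyed (server, peer)
    replies = defaultdict(int)   # bytes sent by an NTP server, keyed (server, peer)
    for src, sport, dst, dport, nbytes in flows:
        if dport == NTP_PORT and sport != NTP_PORT:
            requests[(dst, src)] += nbytes
        elif sport == NTP_PORT and dport != NTP_PORT:
            replies[(src, dst)] += nbytes
        # port 123 on both sides is server-to-server peering; not scored here
    findings = []
    for (server, target), reply_bytes in replies.items():
        request_bytes = requests.get((server, target), 0)
        # replies with no visible request get an infinite ratio
        ratio = reply_bytes / request_bytes if request_bytes else float("inf")
        if reply_bytes >= min_reply_bytes and ratio >= min_ratio:
            findings.append((server, target, request_bytes, reply_bytes, ratio))
    return sorted(findings, key=lambda f: f[3], reverse=True)


if __name__ == "__main__":
    for server, target, rq, rp, ratio in find_reflection(SAMPLE_FLOWS):
        print(f"{server} -> {target}: {rq} B in, {rp} B out, x{ratio:.0f}")
```

The address in the target column is the likely victim whose IP was spoofed, not the attacker, so findings point at servers to lock down and victims to notify rather than at the origin of the traffic.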