According to the Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT), DRDoS (Distributed Reflection and amplification DDoS) attacks that abuse Internet Service Providers' NTP (Network Time Protocol) servers are on the rise. This was corroborated by the Shadowserver Foundation, which monitors the problem and reported discovering 4.7 million vulnerable NTP servers around the world.
The Q1 2014 Threat Report by Black Lotus, a pioneer of the first commercially viable DDoS mitigation solutions, also supports the assessment of US-CERT and the Shadowserver Foundation, predicting that DrDoS attacks will grow to exceed 800 Gbps in the next 12 to 18 months.
The report covers DDoS attacks between January 1 and March 31, 2014. It is based on data compiled from the company's network logs and analyzed to determine the characteristics of the attacks, including size, duration, method and source. In this quarter, the company stated, service providers were hit by SQL injection attacks, NTP DrDoS attacks and, most recently, the TLS heartbeat vulnerability ("Heartbleed"), which has left service providers unable to safely operate and protect their customers.
Some of the key metrics of the report include:
The largest DDoS attack observed was on February 10, at 421 Gbps and 122 million packets per second (Mpps)
Of the 463,621 observed attacks, Black Lotus regarded 90,313 (19.5 percent) as severe, characterized by extreme traffic levels compared to the target's typical traffic baseline
The average attack during the period reported was 2.7 Gbps and 1.8 Mpps
Tier 1 carriers in multiple U.S. regions were saturated due to DrDoS attacks, resulting in packet loss as high as 35 percent to customers that were not even targeted by the attacks
Individual applications were the target of 50.3 percent of the more severe attacks, most commonly HTTP servers and domain name services (DNS)
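The metrics listed above (peak and average bit and packet rates, severity relative to a target's baseline, attack duration and method) are the kind of figures that are derived from network logs as the report describes. The following is an added example of how a defender can compute such metrics from flow records; it is not Black Lotus's tooling or data. The flow-record layout, the sample flows, the target addresses, the 50 Mbps baseline and the 10x severity factor are all assumptions (the report does not publish its severity cut-off). Reflection is recognised by UDP traffic whose source port is the abused service (123 for NTP, 53 for DNS), which is what reflected responses look like at the victim.

```python
"""Derive DDoS attack metrics (peak Gbps/Mpps, average rate, severity versus
baseline, duration, reflection method) from flow records.
Added example with constructed data; not Black Lotus's tooling or data."""
from dataclasses import dataclass
from statistics import mean

NTP_PORT = 123   # UDP/123: responses from abused NTP servers carry this source port
DNS_PORT = 53    # UDP/53: same signature for DNS reflection


@dataclass(frozen=True)
class FlowRecord:
    """One flow-log entry (assumed layout, not any vendor's format)."""
    second: int     # one-second time bucket
    proto: str      # "udp" or "tcp"
    src_port: int
    dst_ip: str     # attacked host
    nbytes: int
    packets: int


# Constructed sample: three seconds of traffic towards 192.0.2.10 dominated by
# UDP source-port-123 responses, plus a legitimate flow and an unrelated host.
SAMPLE_FLOWS = [
    FlowRecord(0, "udp", 123, "192.0.2.10", 125_000_000, 250_000),
    FlowRecord(0, "tcp", 443, "192.0.2.10",   5_000_000,  10_000),
    FlowRecord(1, "udp", 123, "192.0.2.10", 250_000_000, 500_000),
    FlowRecord(1, "udp",  53, "192.0.2.10",  25_000_000,  50_000),
    FlowRecord(2, "udp", 123, "192.0.2.10", 125_000_000, 250_000),
    FlowRecord(0, "tcp",  80, "198.51.100.5", 1_000_000,   2_000),
]


def per_second_totals(flows, target):
    """Aggregate (bytes, packets) per one-second bucket for a single target."""
    totals = {}
    for f in flows:
        if f.dst_ip != target:
            continue
        b, p = totals.get(f.second, (0, 0))
        totals[f.second] = (b + f.nbytes, p + f.packets)
    return totals


def reflection_share(flows, target, port):
    """Fraction of bytes towards the target that arrived as UDP from `port`."""
    target_bytes = sum(f.nbytes for f in flows if f.dst_ip == target)
    reflected = sum(f.nbytes for f in flows
                    if f.dst_ip == target and f.proto == "udp" and f.src_port == port)
    return reflected / target_bytes if target_bytes else 0.0


def summarize(flows, target, baseline_bps, severe_factor=10):
    """Compute report-style metrics for one target.

    `severe_factor` (assumed) marks the attack as severe when the peak bit rate
    exceeds that multiple of the target's typical baseline; the same threshold
    counts the seconds that make up the attack's duration.
    """
    totals = per_second_totals(flows, target)
    if not totals:
        return None
    bps = [b * 8 for b, _ in totals.values()]
    pps = [p for _, p in totals.values()]
    threshold = baseline_bps * severe_factor
    return {
        "peak_gbps": max(bps) / 1e9,
        "peak_mpps": max(pps) / 1e6,
        "avg_gbps": mean(bps) / 1e9,
        "avg_mpps": mean(pps) / 1e6,
        "duration_s": sum(1 for r in bps if r > threshold),
        "severe": max(bps) > threshold,
        "ntp_share": reflection_share(flows, target, NTP_PORT),
        "dns_share": reflection_share(flows, target, DNS_PORT),
    }


if __name__ == "__main__":
    # Assumed baseline for the sample target: 50 Mbps of normal traffic.
    print(summarize(SAMPLE_FLOWS, "192.0.2.10", baseline_bps=50e6))
```

On the sample data the target peaks at 2.2 Gbps and 0.55 Mpps, about 94 percent of the bytes are NTP responses, and the attack is classed as severe at 44 times the assumed baseline. The same per-target aggregation also exposes the collateral effect the report mentions: a host that is not the target but shares a saturated upstream shows packet loss rather than a traffic spike, so baseline comparison must be done per target, not per link.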
“Historically, service providers have been able to operate without providing substantial security services to customers. That’s no longer viable, as threats proliferate and attackers find new ways to amplify the volume of their efforts. To protect themselves and their customers, service providers must now also become security providers by offering integrated hosting and security services such as DDoS mitigation, intrusion defense, and incident response and remediation,” said Jeffrey Lyon, founder of Black Lotus.
Because DRDoS and DDoS attacks can take organizations down and greatly disrupt the Internet, a robust DDoS mitigation solution is essential. Black Lotus urges organizations to be more aware of NTP DrDoS as attackers grow more sophisticated and attacks become more severe.