Who would have imagined that Network Time Protocol (NTP) - such an innocuous protocol designed to synchronize the clock on a laptop, smartphone, tablet, and network infrastructure devices -- would be abused to cause so much damage? NTP reflection/amplification DDoS attacks are the current weaponized DDoS technique of choice for DDoS attacks.
The NTP protocol, which dates back to the 1980’s, has been abused for years as it has
been utilized for NTP reflection/amplification attacks. What changed is that the gaming
attacks in October 2013 popularized how NTP can be abused and utilized in a DDoS attack. A number of high-profile NTP reflection/ amplification DDoS attacks were launched against online gaming services to disrupt high-profile professional gaming events, interfere with new product launches, and exact revenge from rival players. This, in turn, led to a quick escalation in attack sizes, due to the large amplification ratio of NTP, approximately 1,000:1. This evolution of NTP in DDoS attacks has established a new ‘normal’ as 100 Gbps attacks have become relatively common, and attacks of 300+ Gbps have been recorded. In February of 2014 alone, there were over 43 separate 100+ Gbps attacks globally. Even small DDoS attack volumes are able to impact availability and disrupt the performance of servers, applications, or services that are brittle, fragile and non-scalable. Large attacks generate significant collateral damage en route to their target due to their extreme bandwidth consumption on ISP networks and at their various interchange points.
What is a NTP Reflection/Amplification Attack and why is it so dangerous?
An amplification DDoS attack is when an attacker makes a relatively small request that generates a larger response/reply, which is true of most server responses. A reflection DDoS attack is when forged requests are sent to a very large number of Internet connected devices that reply to the requests that use IP address spoofing, where the ‘source’ address is set to the IP address of the actual target of the attack, where all replies are sent. A reflection/amplification DDoS attack combines both techniques for a DDoS attack which is both high-volume and difficult to trace back to its point(s) of origin.
A NTP attack has been implemented in all major operating systems, network infrastructure and embedded devices. There are over a hundred thousand abusable NTP servers with administrative functions incorrectly open to the general Internet. Anti-spoofing deployment gaps exist at network edges. NTP has a high amplification ratio of approximately 1,000x. Furthermore, attacks tools are readily available, making these attacks easy to execute. This equates to a significant risk for any potential target, which should not be taken lightly.
Best Practices to Protect Network Availability
Organizations from large ISPs to enterprises need to address this network-level risk with a network-scale approach. Consider the following best practices to help minimize damage and maximize network’s readiness: