DDoS criminals plot massive NTP amplification attacks as next wave, vendors warn

Attacks surged in February, say Prolexic and Arbor Networks

Last month's huge Network Time Protocol (NTP) DDoS amplification attack on CloudFlare was part of a larger and sudden spike in such attacks, remediation vendors have warned.

According to Akamai's Prolexic division, between January and February of this year, NTP-based attacks rose 371 percent, with a more than 800 percent increase in the average peak attack volume deployed.

These figures back up an Arbor Networks Atlas analysis published last week which showed NTP/UDP DDoS at 400Gbps on most days in February, a level of traffic that had only waned slightly to around 300Gbps since then. On one day, 4 March, the firm recorded a peak of 800Gbps. For comparison, the daily traffic levels for this protocol in December were where they had been for 2013 as a whole: around 1-2Gbps.

"During the month of February, we saw the use of NTP amplification attacks surge 371 percent against our client base," said Prolexic's Stuart Scholly. "In fact, the largest attacks we've seen on our network this year have all been NTP amplification attacks."

The sudden interest in NTP seems to have been spurred by February's CloudFlare incident, in which a world record 400Gbps DDoS was directed at the French hosting provider OVH and its customers. This demonstrated the efficiency of summoning up vast amounts of traffic from a relatively small number of vulnerable NTP servers, numbering only 4,529 according to CloudFlare.

The ease with which attackers could get hold of automated tools was playing into this, said Prolexic.

The firm's researchers carried out a lab simulation of the capabilities of a single Perl-based scripting tool designed to manipulate the NTP 'monlist' command, which returns the last 600 servers that connected to a host. It was this well-documented weakness that the CloudFlare attack exploited so powerfully.

Despite some limitations (it only works from a Linux client for example), the tool would have generated 366Gbps of response traffic in the worst case scenario.

"These amplification numbers may be possible in a perfect storm scenario. In real-world environments NTP monlist responses vary wildly in size, which will affect the total attack bandwidth directed to the primary target," concluded Prolexic's researchers.

"However, it is not beyond the capability of two servers, run by a malicious actor, to easily generate more than 100Gbps of amplified reflection traffic using this attack method. With the use of NTP scanners, malicious actors could refine their NTP lists to include only servers that respond with the maximum response size."
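The lopsided exchange described above, a few bytes of query answered by a multi-packet 'monlist' reply, is what a network defender can look for. The following detector is an added example, not code from the article or from Prolexic: it reads constructed flow records (source, destination, ports, packets, bytes), pairs NTP replies with the queries that supposedly provoked them, and flags any destination that is receiving oversized, highly amplified replies from several NTP servers at once. The thresholds and the sample flows are assumptions made up for the example.

```python
"""Spot NTP amplification aimed at one target from flow records (constructed data)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

NTP_PORT = 123
MIN_RATIO = 20.0      # reply bytes per query byte; an ordinary time reply is roughly 1:1
MIN_REPLY_SIZE = 400  # average bytes per reply packet; time replies are far smaller
MIN_REFLECTORS = 3    # distinct NTP servers hitting one target before we alert


class Flow(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    packets: int
    nbytes: int


# Constructed flow records (src dst sport dport packets bytes); not real traffic.
# Three NTP servers each send 100 large packets to 203.0.113.10; a sensor near the
# victim sees only two of the spoofed 8-byte queries. The last two lines are a
# normal client time query and its reply.
SAMPLE_FLOWS = """
198.51.100.7  203.0.113.10 123   40123 100 44000
198.51.100.8  203.0.113.10 123   40123 100 44000
198.51.100.9  203.0.113.10 123   40123 100 44000
203.0.113.10  198.51.100.7 40123 123   1   8
203.0.113.10  198.51.100.8 40123 123   1   8
192.0.2.5     198.51.100.7 50000 123   1   48
198.51.100.7  192.0.2.5    123   50000 1   48
"""


def parse_flows(text: str) -> List[Flow]:
    flows = []
    for line in text.strip().splitlines():
        src, dst, sport, dport, pkts, nbytes = line.split()
        flows.append(Flow(src, dst, int(sport), int(dport), int(pkts), int(nbytes)))
    return flows


def find_reflection_targets(flows: List[Flow]) -> Dict[str, List[Tuple[str, float]]]:
    """Return {target: [(ntp_server, amplification_ratio), ...]} for every target that
    MIN_REFLECTORS or more NTP servers are flooding with oversized, amplified replies."""
    query_bytes: Dict[Tuple[str, str], int] = defaultdict(int)            # (server, target) -> bytes
    replies: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])  # -> [packets, bytes]
    for f in flows:
        if f.dport == NTP_PORT:      # (possibly spoofed) query toward an NTP server
            query_bytes[(f.dst, f.src)] += f.nbytes
        elif f.sport == NTP_PORT:    # reply from an NTP server to the query's claimed source
            replies[(f.src, f.dst)][0] += f.packets
            replies[(f.src, f.dst)][1] += f.nbytes
    by_target: Dict[str, List[Tuple[str, float]]] = defaultdict(list)
    for (server, target), (pkts, nbytes) in replies.items():
        if nbytes / pkts < MIN_REPLY_SIZE:
            continue                 # ordinary small time replies
        seen = query_bytes.get((server, target), 0)
        # A reply with no matching query in view (victim-side sensor) is treated as worst case.
        ratio = nbytes / seen if seen else float("inf")
        if ratio >= MIN_RATIO:
            by_target[target].append((server, ratio))
    return {t: sorted(r) for t, r in by_target.items() if len(r) >= MIN_REFLECTORS}
```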

The company had also observed two real-world NTP reflection attacks in February (one of which was on Prolexic itself) using similar tools that each quite easily drummed up over 100Gbps of traffic.

What seems to be happening is that NTP attacks are becoming not only larger but more mainstream. An interesting trend noticed by Prolexic is that NTP is now being wielded against a range of sectors, including finance, gaming, e-Commerce, Internet and telecom, media, education, software-as-a-service (SaaS) providers and security.

Stories by John E Dunn