DDoS criminals plot massive NTP amplification attacks as next wave, vendors warns

Attacks surged in February, say Prolexic and Arbor Networks

Last month's huge Network Time Protocol (NTP) DDoS amplification attack on CloudFlare was part of a larger and sudden spike in such attacks, remediation vendors have warned.

According to Akamai's Prolexic division, between January and February of this year, NTP-based attacks rose 371 percent, with a more than 800 percent increase in the average peak attack volume deployed.

These figures back up an Arbor Networks Atlas analysis published last week which showed NTP/UDP DDoS at 400Gbps on most days in February, a level of traffic that had only waned slightly to around 300Gbps since then. On one day, 4 March, the firm recorded a peak of 800Gbps. For comparison, the daily traffic levels for this protocol in December were where they had been for 2013 as a whole; around 1-2Gbps.

"During the month of February, we saw the use of NTP amplification attacks surge 371 percent against our client base," said Prolexic's Stuart Scholly. "In fact, the largest attacks we've seen on our network this year have all been NTP amplification attacks."

The sudden interest in NTP seems to have been spurred by the February's CloudFlare incident in which a world record 400Gbps DDoS was directed at the French hosting provider OVH and its customers. This demonstrated the efficiency of summoning up vast amounts of traffic from a relatively small number of vulnerable NTP servers, numbering only 4,529 according to CloudFlare.

The ease with which attackers could get hold of automated tools was playing into this, said Prolexic.

The firm's researchers carried out lab simulation of the capabilities of a single Perl-based scripting tool designed to manipulate the NTP 'Monlist' command that queries that last 600 servers that connected to a host. It was this well-documented weakness that the CloudFlare attack manipulated so powerfully.

Despite some limitations (it only works from a Linux client for example), the tool would have generated 366Gbps of response traffic in the worst case scenario.

"These amplification numbers may be possible in a perfect storm scenario. In real-world environments NTP monlist responses vary wildly in size, which will affect the total attack bandwidth directed to the primary target," concluded Prolexic's researchers.

"However, it is not beyond the capability of two servers, run by a malicious actor, to easily generate more than 100Gbps of amplified reflection traffic using this attack method. With the use of NTP scanners, malicious actors could refine their NTP lists to include only servers that respond with the maximum response size."

The company had also observed two real-world NTP reflection attacks in February (one of which was on Prolexic itself) using similar tools that each quite easily drummed up over 100Gbps of traffic.

What seems to be happening is that NTP attacks are becoming not only larger but more mainstream. An interesting trend noticed by Prolexic is that NTP is now being wielded against a range of sectors, including finance, gaming, e-Commerce, Internet and telecom, media, education, software-as-a-service (SaaS) providers and security.

Join the CSO newsletter!

Error: Please check your email address.

Tags arbor networksConfiguration / maintenancesecurityhardware systemsProlexicCloudFlareData CentreNTP

More about Akamai TechnologiesArbor NetworksArbor NetworksLinux

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John E Dunn

Latest Videos

More videos

Blog Posts