NTP reflection attacks hit record high

Distributed denial of service attacks that take advantage of misconfigured NTP servers were up 276 percent last quarter compared to the same time last year, reaching a new record high, according to a new report.

Part of the reason for the increase is economics, said report editor Martin McKeay, security advocate at Akamai Technologies.

In an NTP reflection campaign, the attacker sends a short message to an NTP server, and the NTP server replies with a significantly longer message. But instead of going back to the attacker, the response is addressed to the victim of the attack.

This allows the attacker to significantly magnify the amount of traffic hitting the victim all at once.
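The same asymmetry is what an operator can look for on their own NTP server. The following is an added example, not code from the report or from Akamai: it totals request and response bytes per claimed client from flow records and flags clients that receive far more than they sent. The record format, the documentation-range addresses, the byte counts and the ratio threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict

NTP_PORT = 123

# Constructed flow records: "src_ip src_port dst_ip dst_port udp_payload_bytes".
# 192.0.2.10 stands in for our own NTP server; all values are made up.
SAMPLE_FLOWS = """\
198.51.100.7 40112 192.0.2.10 123 48
192.0.2.10 123 198.51.100.7 40112 48
198.51.100.8 51000 192.0.2.10 123 48
192.0.2.10 123 198.51.100.8 51000 48
203.0.113.50 33333 192.0.2.10 123 8
192.0.2.10 123 203.0.113.50 33333 440
192.0.2.10 123 203.0.113.50 33333 440
192.0.2.10 123 203.0.113.50 33333 440
"""


def amplification_by_client(flow_text, server_ip):
    """Return {client_ip: (bytes_in, bytes_out, ratio)} for one NTP server."""
    bytes_in = defaultdict(int)   # request bytes the server received
    bytes_out = defaultdict(int)  # response bytes the server sent
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        src, sport, dst, dport, size = parts
        try:
            sport, dport, size = int(sport), int(dport), int(size)
        except ValueError:
            continue
        if dst == server_ip and dport == NTP_PORT:
            bytes_in[src] += size
        elif src == server_ip and sport == NTP_PORT:
            bytes_out[dst] += size
    result = {}
    for client in set(bytes_in) | set(bytes_out):
        rx, tx = bytes_in[client], bytes_out[client]
        # Replies with no matching request count as unbounded amplification.
        result[client] = (rx, tx, tx / rx if rx else float("inf"))
    return result


def suspected_reflection_targets(flow_text, server_ip, max_ratio=2.0):
    """Clients whose reply/request byte ratio exceeds max_ratio.
    Ordinary time sync is roughly symmetric, so a high ratio suggests the
    'client' address is spoofed and is really the victim of the reflection."""
    stats = amplification_by_client(flow_text, server_ip)
    return sorted(c for c, (_, _, ratio) in stats.items() if ratio > max_ratio)
```

An address flagged here is most likely the attack's victim rather than its source, so the useful response is to fix the server's configuration, not to block that address.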

NTP attacks accounted for more than 15 percent of all attacks in the second quarter of this year. In two-thirds of those attacks, the NTP vector was the only one used.

DDoS attacks are increasingly being provided as a service, and NTP attacks are a better fit.

"It's cheaper for bad guys to use a single-vector NTP attack than using all their guns," McKeay said. "And the people paying for it don't necessarily understand all the bells and whistles that they're buying, so they're perfectly happy getting one type of attack."

In fact, 51 percent of DDoS attacks were single-vector attacks last quarter, compared to 41 percent in the first quarter of the year.

"Previously, there would be all sorts of protocols being mixed together," McKeay said.

Meanwhile, any one NTP server is used only for a small number of messages.

"You don't realize you're being used," he said. "NTP is far down the list for most administrators."

Hunting down individual misconfigured NTP servers is also not particularly practical for network carriers, he added.

"It costs money to differentiate between malicious and non-malicious traffic," he said. "For most carriers it's easier to just let things go than to harass someone to fix that problem."

One result of the shift to single-vector attacks is that the median size of attacks has gone down by 36 percent from the previous quarter.

"We've never seen that before," said McKeay. "We almost always have ups. At first, we thought that some of our own instrumentation might be a problem."

The total number of attacks has continued to rise, however, with a 129 percent increase in total DDoS attacks compared to the same time period last year.

The gaming industry continued to be the most targeted, accounting for 57 percent of all DDoS attacks handled by Akamai last quarter. Software and technology companies were next with 26 percent of attacks, followed by financial services at 5 percent and media and entertainment at 4 percent.

Some gaming organizations see more than 300 attacks per quarter, according to Akamai, where even small attacks can negatively affect game server performance and give some players an advantage over others.
