DoS & DDoS Attacks: NTP Amplification Cyber Threat (Prolexic Slideshow)


New DDoS toolkits make it simple for malicious actors to generate high-bandwidth, high-volume DDoS attacks against online targets using the NTP amplification attack method.
Find out what you can do to protect your network and website from this DDoS attack vector in this short slide presentation from Prolexic.


  1. NTP-AMP: DDoS Amplification Tactics Highlights from a Prolexic DDoS Threat Advisory
  2. What is DDoS amplification?
       • Amplification makes a DDoS attack stronger
       • An attacker sends a small message to a third-party server, pretending to be the target
       • The server responds with a much larger message to the target
       • Repeated requests result in a denial of service attack
           – The flood of unwanted traffic keeps the target site too busy, causing it to crash or respond too slowly to users
  3. Why NTP amplification?
       • Network Time Protocol (NTP) is a common Internet protocol
       • Servers use NTP to synchronize computer clocks
       • Some versions of NTP are vulnerable to use in DDoS amplification attacks
       • Attackers create lists of vulnerable servers
       • A DDoS attack tool called NTP-AMP uses NTP and amplification lists to create massive denial of service attacks
  4. NTP attacks: an emerging DDoS trend
  5. Many industries have been targeted
       • Finance
       • Gaming
       • e-Commerce
       • Internet
       • Media
       • Education
       • Software-as-a-service (SaaS)
       • Security
  6. How NTP-AMP works
       • monlist: IP addresses and statistics for the last 600 clients that have asked an NTP server for the time
       • The NTP-AMP tool asks an NTP server for its monlist, while pretending to be the target.
       • The NTP server sends its monlist to the target.
       • The monlist is big!
           – In a worst-case situation, a single 60-byte request packet could generate a 22,000-byte response
       • The attacker may use many NTP servers, but with this much amplification, fewer are needed
  7. Don’t be a part of an attack: Configure your NTP servers properly
       • Got an NTP server?
       • Run a monlist query.
       • If you get a response like this one, it is imperative that you change the server configuration to disable this type of response.
  8. If you are a target of an NTP attack
       • NTP-AMP is in active use in DDoS attack campaigns
       • Prolexic stops NTP-AMP attacks
       • The NTP-AMP Threat Advisory by the Prolexic Security Engineering and Response Team (PLXsert) explains how to mitigate NTP-AMP DDoS attacks
           – Target mitigation using ACL entries
           – NTP-AMP IDS Snort Rule against victim NTP server
  9. Threat Advisory: NTP-AMP DDoS toolkit
       • Download the threat advisory, NTP-AMP: Amplification Tactics and Analysis
       • This DDoS threat advisory includes:
           – Indicators of the use of the NTP-AMP toolkit
           – Analysis of the source code
           – Use of monlist as the payload
           – The SNORT rule and target mitigation using ACL entries for attack targets
           – Mitigation instructions for vulnerable NTP servers
           – Statistics and payloads from two observed NTP amplification DDoS attack campaigns
  10. About Prolexic (now part of Akamai)
       • Prolexic Technologies is the world’s largest and most trusted provider of DDoS protection and mitigation services
       • Prolexic has successfully stopped DDoS attacks for more than a decade
       • Our global DDoS mitigation network and 24/7 security operations center (SOC) can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers
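
Slide 7 tells operators to change the server configuration so that monlist responses are disabled. The following is an added example, not taken from the slides or the Prolexic advisory: a small auditor for `ntp.conf` text that reports whether monlist is still answerable. It assumes classic ntpd syntax (`disable monitor`, `restrict ... default ... noquery`); the function names and both sample configurations are constructed for illustration.

```python
# Added example: audit ntp.conf text for settings that leave monlist answerable.
# Assumes classic ntpd syntax; audit_monlist, WEAK and HARDENED are illustrative names.

WEAK = """\
# constructed sample: default restriction still answers remote queries
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default nomodify notrap
restrict 127.0.0.1
"""

HARDENED = """\
# constructed sample: monitoring off and remote queries refused
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

def directives(conf_text):
    """Yield lower-cased token lists, skipping blank lines and '#' comments."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].lower().split()
        if tokens:
            yield tokens

def audit_monlist(conf_text):
    """Report whether the config still lets remote hosts obtain the monlist."""
    monitor_disabled = False
    default_lines = []  # flag sets of every 'restrict ... default' line
    for tok in directives(conf_text):
        if tok[0] in ("disable", "enable") and "monitor" in tok[1:]:
            # Assumption: a later enable/disable overrides an earlier one.
            monitor_disabled = tok[0] == "disable"
        elif tok[0] == "restrict":
            args = [a for a in tok[1:] if a not in ("-4", "-6")]
            if args and args[0] == "default":
                default_lines.append(set(args[1:]))
    # Queries are refused only if every default entry carries noquery or ignore.
    default_noquery = bool(default_lines) and all(
        flags & {"noquery", "ignore"} for flags in default_lines)
    return {"monitor_disabled": monitor_disabled,
            "default_noquery": default_noquery,
            "monlist_exposed": not (monitor_disabled or default_noquery)}

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_monlist(conf))
```

A clean result from the auditor covers the configuration file only; confirm it against the running server with the monlist query that slide 7 describes.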