2. www.prolexic.com
What is DDoS amplification?
• Amplification makes a DDoS attack stronger
• An attacker sends a small message to a third-party server, pretending to be the target
• The server responds with a much larger message to the target
• Repeated requests result in a denial of service attack
– The flood of unwanted traffic keeps the target site too busy, causing it to crash or respond too slowly to users
3. www.prolexic.com
Why NTP amplification?
• Network Time Protocol (NTP) is a common Internet protocol
• Servers use NTP to synchronize computer clocks
• Some versions of NTP are vulnerable to use in DDoS amplification attacks
• Attackers create lists of vulnerable servers
• A DDoS attack tool called NTP-AMP uses NTP and amplification lists to create massive denial of service attacks
4. www.prolexic.com
NTP attacks: an emerging DDoS trend
Chart: Percent Increase in NTP Amplification Attacks, February 2014 vs. January 2014
• Number of attacks: 371%
• Ave. peak bandwidth: 217%
• Ave. peak packets per second (pps): 807%
5. www.prolexic.com
Many industries have been targeted
• Finance
• Gaming
• e-Commerce
• Internet
• Media
• Education
• Software-as-a-service (SaaS)
• Security
6. www.prolexic.com
How NTP-AMP works
• monlist: IP addresses and statistics for the last 600 clients that have asked an NTP server for the time
• The NTP-AMP tool asks an NTP server for its monlist, while pretending to be the target.
• The NTP server sends its monlist to the target.
• The monlist is big!
– In a worst-case situation, a single 60-byte request packet could generate a 22,000-byte response
• The attacker may use many NTP servers, but with this much amplification, fewer are needed
7. www.prolexic.com
Don’t be a part of an attack: Configure your NTP servers properly
• Got an NTP server?
• Run a monlist query.
• If you get a response like this one, it is imperative that you change the server configuration to disable this type of response.
8. www.prolexic.com
If you are a target of an NTP attack
• NTP-AMP is in active use in DDoS attack campaigns
• Prolexic stops NTP-AMP attacks
• The NTP-AMP Threat Advisory by the Prolexic Security Engineering and Response Team (PLXsert) explains how to mitigate NTP-AMP DDoS attacks
– Target mitigation using ACL entries
– NTP-AMP IDS Snort Rule against victim NTP server
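The monlist mechanics described on slide 6 and the Snort-style detection mentioned on slide 8 can be illustrated with a small decoder. This is an added example, not code from the Prolexic deck or its advisory: it parses the NTP mode 7 header that monlist requests and replies share, flags monlist traffic the way an IDS rule on UDP/123 would, and estimates the payload-level amplification factor from request and reply sizes. The constants follow ntpd's ntp_request.h; the packets in constructed_sample() are constructed for the demonstration, with zeroed entry data.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# NTP "private" mode 7 constants (names from ntpd's ntp_request.h).
MODE_PRIVATE = 7
IMPL_XNTPD = 3
REQ_MON_GETLIST, REQ_MON_GETLIST_1 = 20, 42   # both request codes return the monlist

@dataclass
class Mode7Header:
    is_response: bool   # R bit: set on server replies
    more: bool          # M bit: further reply fragments follow
    implementation: int
    request_code: int
    nitems: int         # entries carried in this fragment
    itemsize: int       # bytes per entry

def parse_mode7(payload: bytes) -> Optional[Mode7Header]:
    """Decode the 8-byte mode 7 header; return None for any other NTP mode."""
    if len(payload) < 8:
        return None
    b0, _seq, impl, reqcode, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        return None
    return Mode7Header(bool(b0 & 0x80), bool(b0 & 0x40), impl, reqcode,
                       err_nitems & 0x0FFF, mbz_itemsize & 0x0FFF)  # high 4 bits: err / mbz

def is_monlist(hdr: Optional[Mode7Header]) -> bool:
    return (hdr is not None and hdr.implementation == IMPL_XNTPD
            and hdr.request_code in (REQ_MON_GETLIST, REQ_MON_GETLIST_1))

def amplification_report(payloads: List[bytes]) -> dict:
    """Count monlist requests/replies among captured UDP/123 payloads and estimate the
    amplification factor (reply bytes / request bytes). A target sees replies it never
    asked for, so a non-zero reply count with zero requests yields an infinite ratio."""
    req_n = req_b = resp_n = resp_b = 0
    for p in payloads:
        hdr = parse_mode7(p)
        if not is_monlist(hdr):
            continue
        if hdr.is_response:
            resp_n, resp_b = resp_n + 1, resp_b + len(p)
        else:
            req_n, req_b = req_n + 1, req_b + len(p)
    ratio = resp_b / req_b if req_b else (float("inf") if resp_b else 0.0)
    return {"monlist_requests": req_n, "monlist_responses": resp_n,
            "request_bytes": req_b, "response_bytes": resp_b, "amplification": ratio}

def constructed_sample() -> List[bytes]:
    """Constructed traffic: one 8-byte MON_GETLIST_1 request (0x17 = v2, mode 7) and
    three reply fragments, each carrying 6 entries of 72 bytes (nitems=6, itemsize=72)."""
    request = bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0, 0, 0])
    replies = []
    for i in range(3):
        first = 0xD7 if i < 2 else 0x97   # R=1 always; M=1 on all but the last fragment
        hdr = struct.pack("!BBBBHH", first, i, IMPL_XNTPD, REQ_MON_GETLIST_1, 6, 72)
        replies.append(hdr + bytes(6 * 72))   # entry data zeroed (constructed)
    return [request] + replies
```

Feeding real UDP/123 payloads from a capture into amplification_report() gives the same per-flow view a monlist Snort rule would alert on, plus the observed amplification ratio.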
9. www.prolexic.com
Threat Advisory: NTP-AMP DDoS toolkit
• Download the threat advisory, NTP-AMP: Amplification Tactics and Analysis
• This DDoS threat advisory includes:
– Indicators of the use of the NTP-AMP toolkit
– Analysis of the source code
– Use of monlist as the payload
– The SNORT rule and target mitigation using ACL entries for attack targets
– Mitigation instructions for vulnerable NTP servers
– Statistics and payloads from two observed NTP amplification DDoS attack campaigns
10. www.prolexic.com
About Prolexic (now part of Akamai)
• Prolexic Technologies is the world’s largest and most trusted provider of DDoS protection and mitigation services
• Prolexic has successfully stopped DDoS attacks for more than a decade
• Our global DDoS mitigation network and 24/7 security operations center (SOC) can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers