NTP-AMP DDoS Attacks: A Cyber Security Threat | Prolexic


Selected excerpts

The Security Engineering and Response Team (PLXsert) at Prolexic (now part of Akamai) recently published a Distributed Denial of Service (DDoS) Threat Advisory about a serious up-and-coming cyber security threat: NTP amplification attacks. The NTP-AMP DDoS threat advisory describes the cyber-attack and shares a Snort rule and DDoS defense instructions for attack mitigation by the target, along with best practices for NTP server administration.

Fueled by the availability of new Network Time Protocol (NTP) amplification DDoS toolkits that make it simple for malicious actors to generate high-bandwidth, high-volume DDoS attacks against online targets, the NTP amplification attack method has surged in popularity, making it one of the most popular DDoS attack types in 2014, as reported by Prolexic.

With only a handful of vulnerable NTP servers, the current batch of NTP amplification attack toolkits enables malicious actors to launch 100 Gbps attacks – or larger. The most recent toolkit uses an NTP server’s own list of recent server connections – as many as 600 IP addresses – as the payload to create malicious traffic at the target site.

What makes the NTP-AMP attack so powerful?

The NTP protocol has a few methods that can be exploited to launch a DDoS amplification attack. One of the more common methods observed recently is the monlist request. Monlist is a feature within the NTP protocol that lists the address of, and statistics about, the last 600 clients that have connected to a server for NTP time service.
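The monlist exchange described above, as an added example that is not part of the Prolexic advisory: a small Python decoder for the NTP mode-7 ("private") header that monlist rides on (request codes MON_GETLIST = 20 and MON_GETLIST_1 = 42, as defined in ntpd's ntp_request.h), which a target or NTP operator can run over captured UDP payloads to flag monlist requests, flag reflected monlist responses arriving from port 123, and measure the byte-level amplification present in a sample. The packets it parses are constructed inside the block; the 8-byte request and the 440-byte response fragment of six 72-byte monitor entries are assumptions made for the test data, not values from the advisory.

```python
import struct

# NTP mode-7 header (ntpd ntp_request.h): byte0 = R|M|VN(3)|Mode(3), byte1 = A|Seq(7),
# byte2 = implementation, byte3 = request code, then err(4)/nitems(12), mbz(4)/item_size(12).
MODE_PRIVATE = 7
IMPL_XNTPD = 3
MONLIST_CODES = {20, 42}   # MON_GETLIST and MON_GETLIST_1 request codes
NTP_PORT = 123

def parse_mode7(payload: bytes):
    """Decode a mode-7 header; None for any other NTP packet or a short payload."""
    if len(payload) < 8:
        return None
    b0, _, impl, reqcode, err_nitems, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        return None
    return {"response": bool(b0 & 0x80), "more": bool(b0 & 0x40), "impl": impl,
            "reqcode": reqcode, "nitems": err_nitems & 0x0FFF,
            "item_size": mbz_size & 0x0FFF, "length": len(payload)}

def classify(sport: int, payload: bytes):
    """'monlist-request' (a reflector being probed), 'monlist-response' (reflected
    traffic from port 123 hitting the target), or None for unrelated traffic."""
    hdr = parse_mode7(payload)
    if hdr is None or hdr["reqcode"] not in MONLIST_CODES:
        return None
    if hdr["response"]:
        return "monlist-response" if sport == NTP_PORT else None
    return "monlist-request"

def summarize(packets):
    """packets: (src_ip, sport, dst_ip, payload). Returns per-class counts and the
    byte-level amplification (response bytes / request bytes) seen in the sample."""
    counts, nbytes = {"monlist-request": 0, "monlist-response": 0}, {}
    for _src, sport, _dst, payload in packets:
        kind = classify(sport, payload)
        if kind:
            counts[kind] += 1
            nbytes[kind] = nbytes.get(kind, 0) + len(payload)
    req = nbytes.get("monlist-request", 0)
    return counts, (nbytes.get("monlist-response", 0) / req if req else None)

# Constructed test packets (assumed sizes): an 8-byte MON_GETLIST_1 request and a
# 440-byte response fragment carrying 6 x 72-byte monitor entries.
def monlist_request() -> bytes:
    return bytes([0x17, 0x00, IMPL_XNTPD, 42]) + b"\x00" * 4   # VN=2, mode=7

def monlist_response(nitems: int = 6, more: bool = False) -> bytes:
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE     # R bit set
    return struct.pack("!BBBBHH", b0, 0, IMPL_XNTPD, 42, nitems, 72) + bytes(72 * nitems)
```

Real monlist replies span many fragments with the M bit set on all but the last, so the ratio summarize() reports grows with the number of fragments a reflector returns, which is why response size, not request rate, dominates the attack bandwidth.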
The abuse of the monlist request is not new but has definitely hit a trending status.

The amplification is dramatic. If every request received a response and every server responded with the maximum amount of traffic, 1 Gbps of request traffic would yield 366 Gbps of response traffic destined for the primary target. In real-world environments NTP monlist responses vary wildly in size, which will affect the total attack bandwidth directed to the primary target.

With such significant amplification, malicious actors can produce harmful attacks using only a few systems. With the use of NTP scanners, malicious actors could refine their NTP lists to include only servers that respond with the maximum response size, and two NTP servers could easily generate more than 100 Gbps of amplified reflection traffic.

As with all DrDoS (Distributed Reflected Denial of Service) flooding tools, raw sockets are used by the NTP-AMP DDoS toolkit to craft the IP and UDP headers to allow IP spoofing. Elevated privileges are required for the use of raw sockets on any modern operating system. Therefore, the execution of the NTP amplification tools requires attackers to either set up their own servers or compromise a server and elevate privileges in order to make the operating system create raw socket connections.

What an NTP-AMP attack looks like

Shown below in Figure 1 is a sample of malicious traffic replicated to emulate the actual NTP-AMP DDoS campaigns Prolexic mitigated for its customers.

Figure 1: Traffic observed by the primary target network using tcpdump

Get the full NTP-AMP DDoS threat advisory for a full analysis and mitigation techniques

In the threat advisory, PLXsert shares its insight into NTP Amplification attacks:

• Indicators of the use of the NTP Amplification toolkit
• Analysis of the source code
• Use of monlist as the payload
• The SNORT rule and target mitigation using ACL entries for attack targets
• Mitigation instructions for vulnerable NTP servers
• Statistics and payloads from two observed NTP Amplification DDoS attack campaigns

About Prolexic

Prolexic Technologies (now part of Akamai) is the world’s largest and most trusted provider of DDoS protection and mitigation services. Learn more at