Although Network Time Protocol (NTP) reflection/amplification attacks have been observed in the wild for many years, they have received an uptick in popularity due to recent high-profile attacks, first in late December 2013 on gaming networks, and again this week in Europe.
Arbor is able to confirm that our ATLAS system monitored an attack on Monday, February 10 targeting a destination in France, peaking at 325 Gbps. Since then, ATLAS has observed no fewer than 4 more attacks exceeding 100 Gbps targeting destinations in France, including a 266 Gbps attack on February 13.
According to Arbor’s ninth Annual Worldwide Infrastructure Security Report (WISR), released last month, the size of attacks in 2013 eclipsed previous peaks by over 200 percent, with the largest reported attack at 309 Gbps, and with multiple respondents reporting attacks larger than 100 Gbps – the previous largest reported attack size.
Additionally, in 2013 ATLAS tracked more than 8x as many attacks over 20 Gbps as it did in 2012.
This post uses the denial of service attacks recently launched against the gaming industry as a case study in NTP-based amplification/reflection attacks. It provides some insight into the motivation and actors behind these attacks, provides attack details, and explains how you can mitigate these types of attacks to protect your own infrastructure and services. As we’ve already seen, once a group of threat actors finds value in an attack technique, additional attacks utilizing the same technique are likely to follow.
An NTP-based Amplification Attack Campaign
Beginning in late December 2013, a series of NTP reflection/amplification DDoS attacks was launched against multiple online gaming services, causing widespread outages. At least some of the attacks were purportedly launched by the group DERP (@DerpTrolling on Twitter), and took down numerous popular gaming servers and even North Korea’s state-run news agency (kcna.kp). At their peak, these attacks generated as much as 100 Gbps of malicious traffic to targeted gaming servers.
The network gaming world is highly subject to DDoS attacks caused by warring gaming clans and disgruntled gamers looking for advantage, as well as the online equivalent of simple vandalism. In this particular instance, someone claiming to represent DERP stated via Twitter that the group was monitoring the progress of popular gamer PhantomL0rd, attacking the servers and supporting infrastructure for every online game match he was not winning. To further the attacks, @DerpTrolling also solicited attack targets by providing a telephone number to receive suggestions. Additionally, the uproar and publicity generated by DERP most likely influenced other copycat attackers to launch simultaneous campaigns. Twitter users @chFtheCat and @LARCENY_, for instance, claimed credit for taking down digital gaming service Steam.
According to PhantomL0rd, the online games he was playing were likely targeted because he was the top Twitch streamer online at the time. In addition to attackers targeting gaming servers, PhantomL0rd’s address and details were posted online, and he was reportedly a victim of a fake emergency hostage call using his address, resulting in his detainment by police (this practice is known as ‘SWATting’, as SWAT-type law enforcement teams typically respond to calls related to possible hostage situations). Some members of the group DERP then allegedly targeted popular news aggregation site Reddit when PhantomL0rd’s arrest was reported, causing disruption to the service.
The incidents were based around a UDP-based reflection/amplification DDoS attack via the Network Time Protocol (NTP) on UDP port 123. NTP is a UDP-based protocol used to synchronize clocks over a computer network. Any UDP-based service including DNS, SNMP, NTP, chargen, and RADIUS is a potential vector for DDoS attacks because the protocol is connectionless and source IP addresses can be spoofed by attackers who have control of compromised or ‘botted’ hosts residing on networks which have not implemented basic anti-spoofing measures. Historically, DNS, SNMP, chargen, and NTP have proven to be popular services abused to launch reflection/amplification DDoS attacks; various types of gaming servers such as Quake 3 servers have been abused in this manner, as well.
Recently, NTP reflection/amplification DDoS attacks as seen in the DERP campaign have increased in popularity, as NTP is another easy-to-use, spoofable UDP-based protocol similar to DNS; there is a floating population of ~7 million insecurely-configured NTP servers on the Internet, including services embedded in routers, layer-3 switches, and consumer broadband CPE devices which have been shipped by vendors with insecure default NTP service configurations enabled on their public-facing interfaces. In addition to NTP-based attack capabilities being readily accessible through online “booter” and “stresser” DDoS-for-hire services for a nominal fee, NTP-amplification attack scripts are available on underground forums. These factors allow relatively low-skilled threat actors to launch NTP reflection/amplification DDoS attacks.
One such script, leaked in October 2013, leveraged vulnerable, insecurely configured NTP servers via the NTP monlist command, the same command targeted in the DERP campaign. ASERT analysis of an NTP-amplification Perl script shows that the payload sent in the NTP packets is a single “*” character.
The attackers spoof the source IP address of the bogus NTP queries to that of the intended target, so that the misconfigured NTP servers in question send their responses to the victim; a user-selected source port is used in all packets.
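As an added, defender-side illustration (written for this page, not ASERT's own tooling), the Python below shows how a network sensor could recognise the mode-7 monlist exchange just described and measure how much larger the replies are than the spoofed queries. The packets are constructed samples; the server address 192.0.2.10, the victim address 203.0.113.5 and the helper names are assumptions.

```python
import struct
from collections import defaultdict

MODE_PRIVATE = 7                # NTP mode 7: ntpd "private" monitoring messages (monlist lives here)
IMPL_XNTPD = 3                  # implementation number ntpd places in mode-7 packets
MONLIST_REQ_CODES = {20, 42}    # REQ_MON_GETLIST and REQ_MON_GETLIST_1 (0x2a, the "*" byte)
RESPONSE_BIT = 0x80

def classify(payload):
    """Classify one NTP UDP payload from its 8-byte mode-7 header."""
    if len(payload) < 8:
        return None
    flags, _seq, impl, reqcode = struct.unpack("!BBBB", payload[:4])
    if flags & 0x07 != MODE_PRIVATE:
        return None                  # normal time sync (modes 1-5) or mode-6 control traffic
    if impl == IMPL_XNTPD and reqcode in MONLIST_REQ_CODES:
        return "monlist-response" if flags & RESPONSE_BIT else "monlist-request"
    return "mode7-other"

def analyze(packets, local_servers):
    """packets: (src_ip, src_port, dst_ip, dst_port, payload) tuples as a sensor logs them.
    Returns alerts for monlist replies leaving our servers plus per-target byte counters."""
    alerts = []
    stats = defaultdict(lambda: {"req_pkts": 0, "req_bytes": 0, "resp_bytes": 0})
    for src, _sport, dst, dport, payload in packets:
        kind = classify(payload)
        if kind == "monlist-request" and dst in local_servers:
            stats[src]["req_pkts"] += 1          # src is the spoofed victim address
            stats[src]["req_bytes"] += len(payload)
        elif kind == "monlist-response" and src in local_servers:
            stats[dst]["resp_bytes"] += len(payload)
            alerts.append(f"{src} sent a monlist reply to {dst}:{dport} ({len(payload)} bytes)")
    for s in stats.values():
        s["amplification"] = round(s["resp_bytes"] / s["req_bytes"], 1) if s["req_bytes"] else None
    return alerts, dict(stats)

def mode7_packet(reqcode, response=False, items=0, item_size=0):
    """Build a mode-7 packet for the constructed sample below (not captured traffic)."""
    flags = (2 << 3) | MODE_PRIVATE | (RESPONSE_BIT if response else 0)
    hdr = struct.pack("!BBBBHH", flags, 0, IMPL_XNTPD, reqcode, items & 0x0FFF, item_size & 0x0FFF)
    return hdr + b"\x00" * (items * item_size)   # monlist entries are 72 bytes, up to 6 per reply

LOCAL_NTP = {"192.0.2.10"}     # assumption: our misconfigured server; 203.0.113.5 is the victim
SAMPLE = [
    ("203.0.113.5", 80, "192.0.2.10", 123, mode7_packet(42)),                 # 8-byte spoofed query
    ("192.0.2.10", 123, "203.0.113.5", 80, mode7_packet(42, True, 6, 72)),    # 440-byte reply
    ("192.0.2.10", 123, "203.0.113.5", 80, mode7_packet(42, True, 6, 72)),
    ("198.51.100.7", 123, "192.0.2.10", 123, bytes([0x23]) + b"\x00" * 47),    # ordinary client poll
]
```

The amplification figure is payload bytes only; on the wire each reply also carries IP/UDP headers, so the ratio against the 8-byte query is a lower bound on what the victim link sees per packet.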
The following graphs demonstrate the NTP activity during the online gaming DDoS attacks as observed by ASERT:
Figure 1: UDP-based NTP traffic during December 2013 – January 2014
Figure 2: UDP-based NTP traffic throughout 2013
In general, anti-spoofing technologies deployed at customer aggregation edges and/or access edges of wireline and wireless broadband access networks, hosting/co-location Internet data center networks, and enterprise networks would prevent attackers from launching spoofed attacks of any kind, including NTP reflection/amplification attacks, DNS reflection/amplification attacks, SNMP reflection/amplification attacks, chargen reflection/amplification attacks, and more. Such anti-spoofing technologies include unicast reverse-path forwarding (uRPF), Cable IP Source Verify, DHCP Snooping, simple anti-spoofing access-control lists (ACLs), and more.
Vendors and developers of operating systems, of network infrastructure devices such as routers and switches, and of home broadband CPE devices should ship their products with secure defaults. Secure defaults include not running services such as NTP servers and DNS recursors by default, and ensuring that the default configuration of these services does not lend itself to abuse – for instance, don’t allow level-6/-7 commands such as monlist by default on NTP servers from the global Internet, prevent any embedded or enabled DNS recursive servers from being accessed as open recursors, etc. Note that while the most prevalent NTP reflection/amplification attack variant observed in these attacks used the NTP monlist command, other attacks have been observed using the sysstats, peers, listpeers and showpeer commands.
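As an added example of checking the secure-default point above (written for this page, not part of the original post or any vendor's tooling), the Python function below audits an ntpd ntp.conf: for each address family it checks that the effective "restrict default" entry carries ntpd's noquery flag, which refuses mode-6 and mode-7 queries such as monlist, and whether "disable monitor" is set so there is no monlist table to return. The two sample configs are constructed, one in the insecure shipped-default style and one corrected.

```python
def audit_ntp_conf(text):
    """Report ntp.conf settings that leave mode-6/7 queries (monlist etc.) open to the Internet.
    Logic: per address family, the effective 'restrict default' entry must carry 'noquery'
    (or 'ignore'); 'disable monitor' additionally empties the monlist table ntpd would return."""
    findings = []
    default_flags = {}          # "both" / "ipv4" / "ipv6" -> flags on that family's default entry
    monitor_disabled = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        if tok[0] == "disable" and "monitor" in tok[1:]:
            monitor_disabled = True
        elif tok[0] == "restrict":
            fam, rest = "both", tok[1:]
            if rest and rest[0] in ("-4", "-6"):
                fam, rest = ("ipv4" if rest[0] == "-4" else "ipv6"), rest[1:]
            if rest and rest[0] == "default":
                default_flags[fam] = set(rest[1:])
    for fam in ("ipv4", "ipv6"):
        flags = default_flags.get(fam, default_flags.get("both"))
        if flags is None:
            findings.append(f"{fam}: no 'restrict default' line, so any host may send monlist")
        elif not ({"noquery", "ignore"} & flags):
            findings.append(f"{fam}: 'restrict default' lacks noquery, so monlist is reachable")
    if findings and not monitor_disabled:
        findings.append("'disable monitor' is not set, so a reachable monlist returns client data")
    return findings

# Constructed sample files (not from the post): a shipped-default style config and its fixed form.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
restrict default nomodify notrap      # still allows mode-6/7 queries
restrict 127.0.0.1
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
"""
```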
Network operators, including the various categories of ISPs as well as enterprise network operators, should routinely scan their IP address space for insecurely configured services that can be abused by attackers, and then work to notify the operators of such services and remediate them.
Targeted organizations should enforce situationally-appropriate network access control policies via the deployment of suitable access-control lists (ACLs) in hardware-based routers/layer-3 switches on their public-facing transit network edges. This mechanism should prevent attack traffic generated by NTP reflection/amplification attacks from reaching targeted servers; however, the high volumes which can be generated by these attacks can saturate transit links, requiring upstream mitigation by Internet Service Providers (ISPs) and/or Managed Security Service Providers (MSSPs) with ‘Clean Pipes’ DDoS defense capabilities.
The OpenNTPProject provides information and tools to scan network servers in order to determine if there are any NTP servers that can be abused. CERT has also published a notification on the monlist vulnerability in NTP servers with additional solutions.
Author’s note: Special thanks to Alison Goodrich, Curt Wilson and Darren Anstee who contributed to the research within this blog post.