The Danger of the Latest NTP Attacks

Who would have imagined that Network Time Protocol (NTP) — such an innocuous protocol designed to synchronize the clock on your laptop, smartphone, tablet, and network infrastructure devices — would be abused to cause so much damage?  NTP reflection/amplification DDoS attacks are the current weaponized DDoS technique of choice for DDoS attacks, especially those 1 Gb/sec and larger – with some now exceeding 300 Gb/second.  Attacks of 100 Gb/second have become fairly common, as tools have armed slews of copycat attacks.  Even small DDoS attack volumes are able to impact availability and disrupt the performance of servers, applications, or services that are brittle, fragile and non-scalable.  Large attacks generate significant collateral damage en route to their target due to their extreme bandwidth consumption on ISP networks and at their various interchange points.

When did the NTP reflection/amplification attack craze start?

In October of 2013, a number of high-profile NTP reflection/amplification DDoS attacks were launched against online gaming services to disrupt high-profile professional gaming events, interfere with new product launches, and exact revenge from rival players.  This was noticed by tens of millions of gamers and was promptly reported by the technology media.  The Arbor Security Engineering and Response Team (ASERT) tracked NTP traffic attacks for over 6 months.

past few monthsNTP traffic from December 2013 through March 2014

As you can see from the above chart, prior to late December 2013, NTP traffic was almost non-existent. From December 2013 to March 2014, there has been a dramatic rise in NTP traffic.   In fact, much of this traffic is due to NTP reflection/amplification attacks.



As you can see above, NTP attacks as a percentage of all attacks from December 2013 through March 2014, by BPS (Bytes per Second) and PPS (Packets per Second).

Why is an NTP reflection/amplification attack so harmful?

It’s ubiquitous. NTP has been implemented in all major operating systems, network infrastructure and embedded devices. There are over a hundred thousand abusable NTP servers with administrative functions incorrectly open to the general Internet. Anti-spoofing deployment gaps exist at network edges. NTP has a high amplification ratio of approximately 1000x. Furthermore, attacks tools are readily available, making these attacks easy to execute. This equates to a significant risk for any potential target, which should not be taken lightly.


What can an organization do?

Organizations ranging from large ISPs to enterprises need to address this network-level risk with a network-scale approach.  Consider the following best practices to minimize damage and maximize network availability:

Ensure that you have anti-spoofing deployed at the edges of your networks to prevent spoofing.

Leverage flow telemetry exported from all network edges, such as Arbor’s Peakflow® SP(for public-facing and provider networks) or Arbor’s Pravail® Network Security Intelligence (for internal networks and botnet activity detection), to automatically detect, classify, traceback, and alert on DDoS attacks.

Deploy network infrastructure-based reaction/mitigation techniques such as Source-Based Remotely-Triggered Blackholing (S/RTBH) and flowspec at all network edges to mitigate attacks.

Deploy Intelligent DDoS Mitigation Systems, such as Arbor’s Peakflow Threat Management System, in mitigation centers located at topologically appropriate points within the ISP network to mitigate attacks and Arbor’s Pravail Availability Protection System, to protect critical infrastructure (DNS, NTP, etc.) and enterprise network connections.

Subscribe to a global ‘Clean Pipes’ DDoS mitigation service offered by your ISP/MSSP or the Arbor Cloud – DDoS Protection Service to provide an additional layer of protection in addition to on premise protection.

Deploy Quality-of-Service (QoS) mechanisms at all network edges to police non-timesync NTP traffic down to an appropriate level (e.g. rate limit  all 400-byte or larger UDP/123 traffic (source) down to 1mb/sec).

Proactively scan for and remediate abusable NTP services on the ISP and customer networks to reduce the number of abusable NTP servers.  Also, check for any abusable NTP servers that have been identified on your network or your customers’ networks.

To learn more about what your organization can do to detect and protect yourselves from NTP reflection and amplification DDoS attacks, click here to view Arbor’s webinar called: “Too Much Time On My Hands, Network-Scale Mitigation of Network Time Protocol (NTP) Reflection/Amplification DDoS Attacks” and/or contact your local Arbor representative.

  • Posted in DDoS, PM Pulse
  • Comments Off on The Danger of the Latest NTP Attacks