Who would have imagined that Network Time Protocol (NTP) – such an innocuous protocol designed to synchronize the clock on a laptop, smartphone, tablet, and network infrastructure devices — would be abused to cause so much damage? NTP reflection/amplification DDoS attacks are the current weaponized DDoS technique of choice for DDoS attacks.
The NTP protocol, which dates back to the 1980’s, has been abused for years as it has been utilized for NTP reflection/amplification attacks. What changed is that the gaming attacks in October 2013 popularized how NTP can be abused and utilized in a DDoS attack. A number of high-profile NTP reflection/ amplification DDoS attacks were launched against online gaming services to disrupt high-profile professional gaming events, interfere with new product launches and exact revenge from rival players. This, in turn, led to a quick escalation in attack sizes, due to the large amplification ratio of NTP, approximately 1,000:1. This evolution of NTP in DDoS attacks has established a new ‘normal’ as 100 Gbps attacks have become relatively common, and attacks of 300+ Gbps have been recorded. In February of 2014 alone, there were over 43 separate 100+ Gbps attacks globally. Even small DDoS attack volumes are able to impact availability and disrupt the performance of servers, applications, or services that are brittle, fragile and non-scalable. Large attacks generate significant collateral damage en route to their target due to their extreme bandwidth consumption on ISP networks and at their various interchange points.
What is a NTP Reflection/Amplification Attack and why is it so dangerous?
An amplification DDoS attack is when an attacker makes a relatively small request that generates a larger response/reply, which is true of most server responses. A reflection DDoS attack is when forged requests are sent to a very large number of Internet connected devices that reply to the requests that use IP address spoofing, where the ‘source’ address is set to the IP address of the actual target of the attack, where all replies are sent. A reflection/amplification DDoS attack combines both techniques for a DDoS attack which is both high-volume and difficult to trace back to its point(s) of origin.
A NTP attack has been implemented in all major operating systems, network infrastructure and embedded devices. There are over a hundred thousand abusable NTP servers with administrative functions incorrectly open to the general Internet. Anti-spoofing deployment gaps exist at network edges. NTP has a high amplification ratio of approximately 1,000x. Furthermore, attacks tools are readily available, making these attacks easy to execute. This equates to a significant risk for any potential target, which should not be taken lightly.
Best Practices to Protect Network Availability
Organizations from large ISPs to enterprises need to address this network-level risk with a network-scale approach. Consider the following best practices to help minimize damage and maximize network’s readiness:
- Prevent Abuse: Ensure that anti-spoofing is deployed at the edges of the networks.
- Detect Attacks: Leverage flow telemetry exported from all network edges to automatically detect, classify, traceback and alert on DDoS attacks.
- Ready Mitigation Techniques: Deploy network infrastructure-based reaction/ mitigation techniques such as Source-Based Remotely-Triggered Blackholing (S/RTBH) and flowspec at all network edges to mitigate attacks.
- Mitigate Attacks: Deploy Intelligent DDoS Mitigation Systems in mitigation centers located at topologically appropriate points within the ISP network to mitigate attacks. Subscribe to a global ‘Clean Pipes’ DDoS mitigation service offered by your ISP/ MSSP
- Minimize Damage: Deploy Quality-of-Service (QoS) mechanisms at all network edges to police non-timesync NTP traffic down to an appropriate level (e.g. rate limit all 400-byte or larger UDP/123 traffic (source) down to 1mb/sec).
- Remediate NTP Services: Proactively scan for and remediate abusable NTP services on the ISP and customer networks to reduce the number of abusable NTP servers. Also, check www.openntpproject.org for any abusable NTP servers that have been identified on your network or your customers’ networks