NTP DDoS: The New Threat


Network Time Protocol (NTP) attacks are bursting onto the DDoS scene. Attack patterns in the early days of 2014 show that NTP DDoS attacks are in vogue - are you ready to protect your website?


What is NTP?

As the name suggests, NTP is a networking protocol designed to synchronize time between connected machines. Computers, smartphones and tablets, regardless of their OS, use NTP to make sure everyone's clock is lined up.


How is NTP Abused?

Recently hackers have come across an exploitable quirk in NTP, and they are using it to bring down networks of all sizes. NTP DDoS takes advantage of an antiquated command in the protocol called 'monlist', which returns the last 600 IP addresses that communicated with the queried NTP server. Normally, an NTP server can reply to this relatively infrequent request without any problem. However, hackers have figured out that by using botnets to send millions of these monlist requests at once, they can easily bring down a target server.

If you have some experience with DDoS, you might be saying to yourself, "this attack method sounds an awful lot like DNS amplification," and you would be correct. DNS amplification DDoS can multiply the traffic from botnet to target by a factor of eight. But with the monlist command, the NTP amplification factor can reach over 600x (the ratio of data in the response to data in the request).
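The amplification described above has a direct consequence for detection: the victim receives large UDP responses from port 123 on many NTP servers without ever having sent the matching requests, because those requests carried its spoofed address. The script below, an added example that is not part of the article, computes the amplification factor and runs that check over a small flow log. The log format, the addresses and the packet sizes are constructed for the example (48-byte NTP packets plus headers for the normal exchange, monlist-sized responses for the attack), and the thresholds are assumptions to tune per network.

```python
"""Added example (not from the article): spot NTP amplification in a flow log.

The amplification factor is response bytes divided by request bytes, and an
amplification victim receives large UDP/123 responses from many reflectors
without ever having sent the matching requests (the requests were spoofed).
The log format below is constructed for this example, not a real tool's output.
"""
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple


class Flow(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification: bytes returned per byte the attacker sent."""
    return round(response_bytes / request_bytes, 1)


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: ts src sport dst dport proto bytes."""
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return Flow(ts, src, int(sport), dst, int(dport), proto, int(nbytes))


def ntp_amplification_report(lines: Iterable[str], byte_threshold: int = 10_000,
                             min_reflectors: int = 3, min_ratio: float = 50.0) -> Dict[str, dict]:
    """Per destination IP, compare UDP/123 bytes received with UDP/123 bytes sent.

    A host that receives far more from port 123 than it ever sent to port 123,
    from several distinct servers, is being used as an amplification victim.
    Thresholds are assumptions for the example, not tuned values.
    """
    received = defaultdict(int)    # dst -> bytes arriving from UDP source port 123
    sent = defaultdict(int)        # src -> bytes it sent to UDP destination port 123
    reflectors = defaultdict(set)  # dst -> NTP servers that answered it
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if f.proto != "UDP":
            continue
        if f.sport == 123:
            received[f.dst] += f.nbytes
            reflectors[f.dst].add(f.src)
        if f.dport == 123:
            sent[f.src] += f.nbytes

    report = {}
    for dst, rx in received.items():
        tx = sent.get(dst, 0)
        ratio = rx / tx if tx else float("inf")  # never asked: unbounded ratio
        report[dst] = {
            "bytes_received": rx,
            "bytes_sent": tx,
            "ratio": ratio,
            "reflectors": len(reflectors[dst]),
            "suspicious": (rx >= byte_threshold
                           and len(reflectors[dst]) >= min_reflectors
                           and ratio >= min_ratio),
        }
    return report


# Constructed sample: one legitimate client exchange (48-byte NTP packets plus
# IP/UDP headers), then 40 monlist-sized responses from four servers to a host
# that never sent them a request.
SAMPLE_LOG = "\n".join(
    ["# ts src sport dst dport proto bytes",
     "2014-02-10T12:00:00 192.0.2.10 51234 203.0.113.1 123 UDP 76",
     "2014-02-10T12:00:00 203.0.113.1 123 192.0.2.10 51234 UDP 76"]
    + [f"2014-02-10T12:00:{i % 60:02d} 198.51.100.{1 + i % 4} 123 192.0.2.50 80 UDP 482"
       for i in range(40)]
)


if __name__ == "__main__":
    for dst, info in ntp_amplification_report(SAMPLE_LOG.splitlines()).items():
        flag = "AMPLIFICATION VICTIM" if info["suspicious"] else "normal"
        print(f"{dst}: {info['bytes_received']} B from {info['reflectors']} server(s), "
              f"ratio {info['ratio']:.1f} -> {flag}")
```

The legitimate client ends with a ratio of 1.0 (it got back as much as it sent), while the victim has a ratio of infinity because the spoofed requests never appear in its own outbound traffic. That asymmetry, not the raw byte count, is what separates a reflected flood from a busy but healthy NTP client.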


Record Broken

In February, several high profile companies were hit with NTP DDoS attacks that clocked in between 180 and 400 Gbps. The attacks were reported by several DDoS protection services, including Cloudflare and Incapsula, which were able to mitigate the threat.


[Image: courtesy of Incapsula DDoS mitigation services]


The mitigation process relied on filtering out the spoofed IP addresses, ideally leaving human users unhindered. Unfortunately, it is difficult to track down the hackers responsible for these attacks because NTP uses UDP (a connectionless protocol that, unlike TCP, does not require an established connection, so the source address of a request can be forged) to communicate with other servers.

NTP DDoS is a well-known and somewhat primitive attack vector. Still, because it was rarely used, most online businesses are unaware of this hole in their security. Although DNS amplification DDoS is still the more popular choice for hackers, you must fix your NTP vulnerabilities to be secure.

So what can you do? To check whether your server still answers the monlist command, consult the Open NTP Project. If your IP is on its list, you need to upgrade your NTP server to 4.2.7p26 or later. This vulnerability was fixed in an update from 2010, so if your server is up to date, it is unlikely you will run into NTP issues.
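Besides the external listing, you can audit your own hosts directly: compare the running ntpd version with the 4.2.7p26 named above, and check that ntp.conf both disables the monitor facility and refuses control queries from arbitrary clients. The script below is an added example, not code from the article or the NTP project. The 'disable monitor' and 'restrict ... noquery' directives are standard ntpd configuration; the version strings and the weak and hardened sample configs are constructed for the example.

```python
"""Added example (not from the article): audit ntpd for the monlist problem.

Two checks a defender can run on their own hosts: is the ntpd version at or
above the 4.2.7p26 the article names, and does ntp.conf both disable the
monitor facility and refuse mode 6/7 control queries from arbitrary clients.
'disable monitor' and 'restrict ... noquery' are standard ntpd directives;
the two sample configs below are constructed for this example.
"""
import re
from typing import List, Tuple

MONLIST_FIXED_IN = (4, 2, 7, 26)  # 4.2.7p26, the release the article says to upgrade to


def parse_ntp_version(version: str) -> Tuple[int, int, int, int]:
    """'4.2.7p26' -> (4, 2, 7, 26); a release with no patch level gets 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised ntpd version: {version!r}")
    major, minor, patch, plevel = m.groups()
    return int(major), int(minor), int(patch), int(plevel or 0)


def version_vulnerable(version: str) -> bool:
    """True when ntpd predates the release named in the article."""
    return parse_ntp_version(version) < MONLIST_FIXED_IN


def _directives(conf: str) -> List[List[str]]:
    """Strip comments and blank lines, tokenise each remaining directive."""
    out = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line.split())
    return out


def audit_ntp_conf(conf: str) -> List[str]:
    """Return a list of findings; an empty list means the config looks hardened."""
    findings = []
    directives = _directives(conf)

    # 'disable' may list several facilities at once, e.g. 'disable monitor stats'.
    if not any(d[0] == "disable" and "monitor" in d[1:] for d in directives):
        findings.append("monitor facility not disabled: add 'disable monitor'")

    # Every 'restrict default' / 'restrict -4|-6 default' line should carry
    # noquery, which refuses ntpq/ntpdc control queries (monlist included)
    # from every client the line applies to.
    default_lines = 0
    for d in directives:
        if d[0] != "restrict":
            continue
        rest = d[1:]
        if rest[:1] == ["default"]:
            flags = rest[1:]
        elif rest[:1] in (["-4"], ["-6"]) and rest[1:2] == ["default"]:
            flags = rest[2:]
        else:
            continue  # host-specific restrict line, e.g. 'restrict 127.0.0.1'
        default_lines += 1
        if "noquery" not in flags:
            findings.append(f"'{' '.join(d)}' lacks noquery")
    if default_lines == 0:
        findings.append("no 'restrict default' line: queries are open to every client")
    return findings


# Constructed sample configs (not taken from any real host).
WEAK_CONF = """
driftfile /var/lib/ntp/ntp.drift
server ntp.example.com
restrict default kod nomodify notrap nopeer   # noquery missing
restrict 127.0.0.1
"""

HARDENED_CONF = """
driftfile /var/lib/ntp/ntp.drift
server ntp.example.com
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_ntp_conf(conf) or ['no findings']}")
    for v in ("4.2.6p5", "4.2.7p26", "4.2.8"):
        print(f"ntpd {v}: {'upgrade needed' if version_vulnerable(v) else 'ok'}")
```

Run it against the output of `ntpd --version` and the contents of your own ntp.conf. Note that a patch level is only comparable within the same release line, so the tuple comparison treats 4.2.8 as newer than 4.2.7p26, which is the intended reading.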



Of all the established DDoS threats that abound in the cyber landscape, NTP is not the worst of the bunch. But until it is dealt with, your NTP port will appear to hackers as the wounded gazelle in the herd - easy prey. Take the precautions to shore up your defenses. If you use a third-party security company, ask one of their representatives whether they offer NTP DDoS mitigation and whether your website is vulnerable.

June 16, 2014
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023