Amplified DDoS Attacks Increasingly Use Network Time Service

Attackers abused a feature of the network time protocol to flood networks with hundreds of gigabits per second of data, a situation which is happening with increasing frequency, according to DOS mitigation firm Prolexic.

Massive distributed denial-of-service (DDoS) attacks have become more popular with cyber-criminals and hacktivists, especially those attacks that use a vulnerability in the network time protocol (NTP) to produce overwhelming floods of data, according to DDoS mitigation firm Prolexic.

In an advisory released on March 12, the company warned that attacks using vulnerable NTP servers have almost quadrupled in the last month. Such attacks can amplify the bandwidth of a simple NTP request by more than 300 times, producing a massive spike in traffic, according to an alert issued on March 12 by Prolexic, which was acquired last month by Internet-infrastructure firm Akamai.

While other types of amplification attacks exist, including those that use the domain name service (DNS) protocol, NTP amplification attacks are simple and deliver the largest spike in traffic and can be implemented simply. Attacks using NTP started appearing at the end of 2013 and dramatically accelerated this year.

"It is the convergence of what [is] old is new again with the evolution of DDoS-as-a-service," Stuart Scholly, general manager for security at Akamai Technologies, told eWEEK. "You can go to these service sites and pay nominal dollars as a nontechnical person and generate pretty substantial attack sizes."

By asking a NTP server for a list previous requesters and spoofing the source address of the request to point to the victim, an attacker could overwhelm a victim's network with a flood of data, according to the firms.

In January, Prolexic and Arbor Networks, another network security firm, warned companies that attackers had begun using a feature of the network time protocol to amplify denial-of-service attacks. In February, Internet-infrastructure firm CloudFlare reported that a massive attack topping 400 gigabits per second had hit a CloudFlare customer. Using an NTP function known as "monlist," attacker requests of slightly more than 1 gigabit per second to vulnerable servers could theoretically have created such an attack.

More likely, the amplification was not that great, Prolexic stated in its alert.

"In real-world environments, NTP monlist responses vary wildly in size, which will affect the total attack bandwidth directed to the primary target," Prolexic stated in its alert. "However, it is not beyond the capability of two servers, run by a malicious actor, to generate more than 100G bps of amplified reflection traffic using this attack method."

In addition to the growth in attacks, both the total bandwidth of attack traffic as well as the average peak volume increased dramatically in the past month, the company stated.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...