DDoS Attacks Abusing Network Timing Protocol Flood the Web

By Sean Michael Kerner  |  Posted 2014-01-15

Best Practices

In addition to making sure the organization is running the latest patched version of NTP, several steps can be taken to limit the risks of NTP-driven DDoS.

Every organization with systems participating in NTP, DNS and any other service that uses UDP as its communication model must implement simple administrative techniques to reduce the possibility that attackers looking for points of reflection can abuse these services, Scanlon said.

Hardening the services is only one key step in preparing for these types of threats, Scanlon said. "Ultimately, if an organization has mission-critical services exposed to the Internet, dedicated solutions and practices should be implemented to defend against the ever-evolving threat of DDoS attacks," he added.

DDoS amplification attacks typically involve the attacker spoofing the target's network address. The responding DNS or NTP servers, in turn, are tricked into sending response traffic back to the legitimate IP address of the target. Dobbins suggests that anti-spoofing technologies such as Unicast Reverse Path Forwarding (uRPF), Cable IP Source Verify, DHCP Snooping and even simple anti-spoofing access-control lists (ACLs) be deployed.

Additionally, network operators should routinely scan their IP address space (and that of their customers) for insecurely configured services that can be abused by attackers, Dobbins said.

"But anti-spoofing is the key to making all the various flavors of reflection/amplification attacks impossible for attackers to launch in the first place," Dobbins said.
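
The strict-mode uRPF check mentioned above, modeled in Python as an added example (not code from the article or from any router vendor). The forwarding table, interface names and packets are constructed, using documentation address ranges.

```python
import ipaddress

# Constructed forwarding table for an edge router: (prefix, egress interface).
# Prefixes are documentation ranges; interface names are hypothetical.
FIB = [
    ("0.0.0.0/0", "upstream0"),
    ("198.51.100.0/24", "cust1"),
    ("203.0.113.0/25", "cust2"),
    ("203.0.113.128/25", "cust3"),
]
ROUTES = [(ipaddress.ip_network(p), ifc) for p, ifc in FIB]

def best_route(addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(n, i) for n, i in ROUTES if ip in n]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def urpf_strict_accept(src, ingress):
    """Strict uRPF: accept only if the best route back to the packet's
    source address points out the interface the packet arrived on."""
    route = best_route(src)
    return route is not None and route[1] == ingress

def filter_packets(packets):
    """Split (src, ingress) pairs into accepted and dropped lists."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if urpf_strict_accept(*pkt) else dropped).append(pkt)
    return accepted, dropped

# Constructed traffic seen at the edge router.
SAMPLE = [
    ("198.51.100.7", "cust1"),    # source belongs to cust1: pass
    ("203.0.113.200", "cust1"),   # forged source (routed via cust3): drop
    ("192.0.2.55", "cust2"),      # forged source (routed via upstream): drop
    ("192.0.2.55", "upstream0"),  # Internet source arriving from upstream: pass
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    print("accepted:", ok)
    print("dropped: ", bad)
```

A reflection request forged with the victim's address is dropped at the first hop because that address is not routed back through the customer interface it arrived on, so it never reaches an NTP or DNS server.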

DDoS Trends

DDoS attacks continue to mount. In the fourth quarter, DDoS attacks rose 26 percent year-over-year, according to Prolexic's latest Global DDoS Attack Report.

"DDoS attacks are evolving from high-bandwidth volumetric attacks that bring down Web servers to highly sophisticated targeted attacks that threaten availability of critical business applications and resources," Scanlon said. "DDoS volumetric flood attacks are still a problem for online businesses, but with the right defense in place, these attacks can be nullified."

The trend of attackers leveraging critical services such as NTP is disturbing and should raise awareness concerning the need to reduce attackers' ability to spoof or forge machine IP addresses, Scanlon said. "The emerging trend of using critical services such as DNS and NTP should be yet another alarm bell that further investment and work must be done to continue to remove dark corners of the Internet that allow these threats to be disruptive," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.





