DDoS Attacks Abusing Network Timing Protocol Flood the Web

US-CERT warns of an increase in distributed denial-of-service attacks that leverage Network Timing Protocol.


Distributed denial-of-service (DDoS) attacks can take on many different forms, as those who commit them leverage different techniques to drown Websites under a flood of traffic. The United States Computer Emergency Readiness Team (US-CERT) is warning of an increased risk from DDoS attacks that leverage the Network Time Protocol (NTP) to amplify the attack volume.

NTP is a widely deployed Internet protocol that is primarily used as a time-keeping technique for clock synchronization. Simply requesting the time from an NTP server is not, however, what attackers are using to execute DDoS attacks.

Instead, attackers are abusing a feature in NTP that enables administrators to query an NTP server about connected clients and their traffic counts. The query is made via a "monlist" command.

"This command causes a list of the last 600 IP addresses which connected to the NTP server to be sent to the victim," US-CERT warns. "Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim."
US-CERT also warns that since NTP traffic is typically considered legitimate, it can be difficult for administrators to block the attack.

The monlist command is also at the root of a known vulnerability referred to as CVE-2013-5211, which has been patched in the latest release of NTP. US-CERT warns that all versions of the NTP prior to version 4.2.7 are at risk

Amplification attacks have become much more well-known and observed throughout service provider and enterprise networks in the last 12 to 18 months, Paul Scanlon, principal product line manager at Juniper Networks, told eWEEK.

In March 2013 one of the largest DDoS attacks ever recorded leveraged a Domain Name System (DNS) amplification technique to hit Spamhaus with 300G bps of traffic.

"The expansion of the amplification attack technique from DNS servers to include NTP servers is a dangerous behavior exhibited by attackers as they continue to realize that critical services using UDP designed to provide fundamental services to Internet infrastructure must be openly available and can be abused as a means to intensify attacks," Scanlon said. "Fundamentally, the attack is exhibiting the abuse of services leveraging UDP as a transport protocol that does not require an established connection between client and server."

NTP reflection/amplification attacks have been seen in the wild for the last six or seven years, Roland Dobbins, senior ASERT (Arbor Security Engineering and Response Team) analyst at Arbor Networks, told eWEEK.

"This technique has been used recently in high-profile attacks on gaming networks, attacks that have affected a substantial consumer base of these gaming networks; so it's been receiving attention in the industry space, that's the main difference," Dobbins said. "But network operational security specialists have been dealing with these attacks for quite some time."

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.