    DDoS Attacks Abusing Network Timing Protocol Flood the Web

    By Sean Michael Kerner - January 16, 2014

      Distributed denial-of-service (DDoS) attacks can take on many different forms, as those who commit them leverage different techniques to drown Websites under a flood of traffic. The United States Computer Emergency Readiness Team (US-CERT) is warning of an increased risk from DDoS attacks that leverage the Network Time Protocol (NTP) to amplify the attack volume.

      NTP is a widely deployed Internet protocol that is primarily used as a time-keeping technique for clock synchronization. Simply requesting the time from an NTP server is not, however, what attackers are using to execute DDoS attacks.

      Instead, attackers are abusing a feature in NTP that enables administrators to query an NTP server about connected clients and their traffic counts. The query is made via a “monlist” command.

      “This command causes a list of the last 600 IP addresses which connected to the NTP server to be sent to the victim,” US-CERT warns. “Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim.”
      US-CERT also warns that since NTP traffic is typically considered legitimate, it can be difficult for administrators to block the attack.

      The monlist command is also at the root of a known vulnerability referred to as CVE-2013-5211, which has been patched in the latest release of NTP. US-CERT warns that all versions of NTP prior to version 4.2.7 are at risk.
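The two properties that make the monlist abuse described above work are that the request is a small NTP mode-7 packet and that the reply is many times larger and goes to whatever source address the request carried. The following is an added example (not from the article or from the NTP project) showing how an NTP server operator could spot this from the server's own traffic: it classifies each UDP/123 payload by NTP mode and mode-7 request code, then computes a bytes-out to bytes-in ratio per peer, so a peer that "sends" a few monlist requests and receives a flood of responses stands out as a likely spoofed victim. The mode, implementation and request-code byte positions follow ntpd's mode-7 header layout; the packets themselves are constructed, and the 48/440-byte sizes and the 10x ratio threshold are assumptions chosen for the sample.

```python
"""Detect NTP mode-7 'monlist' traffic and reflection patterns in captured datagrams.

Added example (not from the article or from ntpd). The datagrams below are
constructed to mimic ntpd's mode-7 header layout; the traffic is synthetic.
"""
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123
MODE_PRIVATE = 7        # low 3 bits of byte 0: NTP mode 7 (implementation-specific)
IMPL_XNTPD = 3          # byte 2 of a mode-7 packet: implementation number used by ntpd
REQ_MON_GETLIST = 20    # byte 3: legacy monlist request code
REQ_MON_GETLIST_1 = 42  # byte 3: monlist request code sent by ntpdc


@dataclass
class Datagram:
    src: str        # source IP (may be spoofed by an attacker)
    dst: str        # destination IP
    src_port: int
    dst_port: int
    payload: bytes  # UDP payload


def classify_ntp(payload: bytes) -> str:
    """Classify one NTP payload by its mode and, for mode 7, its request code."""
    if len(payload) < 4:
        return "malformed"
    mode = payload[0] & 0x07
    if mode != MODE_PRIVATE:
        return "ntp_time"                   # modes 1-6: ordinary time/control traffic
    is_response = bool(payload[0] & 0x80)   # R bit: set on mode-7 responses
    impl, req_code = payload[2], payload[3]
    if impl == IMPL_XNTPD and req_code in (REQ_MON_GETLIST, REQ_MON_GETLIST_1):
        return "monlist_response" if is_response else "monlist_request"
    return "mode7_other"


def reflection_report(server_ip, datagrams, ratio_threshold=10.0):
    """Per peer of server_ip: bytes in/out, monlist request count and the
    amplification ratio (bytes out / bytes in). A peer that sent monlist
    requests and sits at or above the threshold is a likely spoofed victim."""
    stats = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0, "monlist_requests": 0})
    for d in datagrams:
        if d.dst == server_ip and d.dst_port == NTP_PORT:
            peer = stats[d.src]
            peer["bytes_in"] += len(d.payload)
            if classify_ntp(d.payload) == "monlist_request":
                peer["monlist_requests"] += 1
        elif d.src == server_ip and d.src_port == NTP_PORT:
            stats[d.dst]["bytes_out"] += len(d.payload)
    for peer in stats.values():
        peer["ratio"] = peer["bytes_out"] / peer["bytes_in"] if peer["bytes_in"] else float("inf")
        peer["suspected_reflection"] = (
            peer["monlist_requests"] > 0 and peer["ratio"] >= ratio_threshold
        )
    return dict(stats)


def build_sample_traffic(server="192.0.2.10", victim="198.51.100.7", client="203.0.113.5"):
    """Constructed traffic: a spoofed monlist request stream plus one legitimate exchange."""
    # mode-7 monlist request: R=0, version 2, mode 7; impl 3; code 42; padded to 48 bytes
    monlist_req = bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1]) + bytes(44)
    # mode-7 response: R bit set; header says 6 items of 72 bytes; 440 bytes total
    monlist_resp = bytes([0x97, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1,
                          0x00, 0x06, 0x00, 0x48]) + bytes(6 * 72)
    # ordinary NTPv3 client request (mode 3) and server reply (mode 4), 48 bytes each
    time_req = bytes([0x1B]) + bytes(47)
    time_resp = bytes([0x1C]) + bytes(47)
    traffic = []
    for _ in range(3):          # three requests carrying the victim's address as source
        traffic.append(Datagram(victim, server, 40000, NTP_PORT, monlist_req))
        for _ in range(5):      # the server answers each with several full-size responses
            traffic.append(Datagram(server, victim, NTP_PORT, 40000, monlist_resp))
    traffic.append(Datagram(client, server, 50000, NTP_PORT, time_req))
    traffic.append(Datagram(server, client, NTP_PORT, 50000, time_resp))
    return traffic


if __name__ == "__main__":
    report = reflection_report("192.0.2.10", build_sample_traffic())
    for peer, s in sorted(report.items()):
        flag = "REFLECTION?" if s["suspected_reflection"] else "ok"
        print(f"{peer:16} in={s['bytes_in']:6} out={s['bytes_out']:6} "
              f"monlist={s['monlist_requests']} ratio={s['ratio']:.1f} {flag}")
```

The ratio is computed per peer rather than globally because a reflector serving real clients still shows roughly 1:1 byte counts for those clients; only the spoofed victim's address shows the lopsided pattern. In practice the same logic applies to flow records (bytes and packets per source/destination pair) when full payloads are not retained.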

      Amplification attacks have become much more well-known and observed throughout service provider and enterprise networks in the last 12 to 18 months, Paul Scanlon, principal product line manager at Juniper Networks, told eWEEK.

      In March 2013 one of the largest DDoS attacks ever recorded leveraged a Domain Name System (DNS) amplification technique to hit Spamhaus with 300 Gbps of traffic.

      “The expansion of the amplification attack technique from DNS servers to include NTP servers is a dangerous behavior exhibited by attackers as they continue to realize that critical services using UDP designed to provide fundamental services to Internet infrastructure must be openly available and can be abused as a means to intensify attacks,” Scanlon said. “Fundamentally, the attack is exhibiting the abuse of services leveraging UDP as a transport protocol that does not require an established connection between client and server.”

      NTP reflection/amplification attacks have been seen in the wild for the last six or seven years, Roland Dobbins, senior ASERT (Arbor Security Engineering and Response Team) analyst at Arbor Networks, told eWEEK.

      “This technique has been used recently in high-profile attacks on gaming networks, attacks that have affected a substantial consumer base of these gaming networks; so it’s been receiving attention in the industry space, that’s the main difference,” Dobbins said. “But network operational security specialists have been dealing with these attacks for quite some time.”


      Best Practices

      In addition to making sure the organization is running the latest patched version of NTP, several steps can be taken to limit the risks of NTP-driven DDoS.

      Every organization with systems participating in NTP, DNS and any other service that uses UDP as its communication model must implement simple administrative techniques to reduce the possibility that attackers looking for points of reflection can abuse these services, Scanlon said.

      Hardening the services is only one key step in preparing for these types of threats, Scanlon said. “Ultimately, if an organization has mission-critical services exposed to the Internet, dedicated solutions and practices should be implemented to defend against the ever-evolving threat of DDoS attacks,” he added.

      DDoS amplification attacks typically involve the attacker spoofing the target’s IP address as the source of the requests. The responding DNS or NTP servers, in turn, are tricked into sending their response traffic to the legitimate IP address of the target. Dobbins suggests that anti-spoofing technologies such as unicast reverse-path forwarding (uRPF), Cable IP Source Verify, DHCP Snooping and even simple anti-spoofing access-control lists (ACLs) be deployed.

      Additionally, network operators should routinely scan their IP address space (and that of their customers) for insecurely configured services that can be abused by attackers, Dobbins said.
      “But anti-spoofing is the key to making all the various flavors of reflection/amplification attacks impossible for attackers to launch in the first place,” Dobbins said.
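Dobbins's point that anti-spoofing removes the precondition for every reflection attack comes down to one check at the network edge: a packet's source address must be one the ingress interface could legitimately originate. The following is an added example (not from the article or from any vendor) that simulates that check in the form a router applies it, strict-mode uRPF (the reverse path to the source must be the arriving interface), alongside loose mode (any non-default route suffices). The routing table, interface names and packets are constructed; the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 blocks are documentation ranges used only as sample data.

```python
"""Simulate unicast Reverse Path Forwarding (uRPF) anti-spoofing checks at an edge router.

Added example (not from the article). Routing table, interfaces and packets are
constructed; the logic mirrors what a router does when uRPF is enabled on an
interface: strict mode accepts a packet only if the best route back to its
source address leaves via the interface the packet arrived on.
"""
import ipaddress


class Router:
    def __init__(self):
        self.routes = []  # list of (network, interface); longest prefix wins on lookup

    def add_route(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def lookup(self, addr):
        """Longest-prefix match for addr; returns (network, interface) or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best

    def urpf_strict(self, src, ingress_iface):
        """Strict mode: the reverse path to src must be exactly the ingress interface."""
        match = self.lookup(src)
        return match is not None and match[1] == ingress_iface

    def urpf_loose(self, src, allow_default=False):
        """Loose mode: any route to src passes; the default route only if allow_default."""
        match = self.lookup(src)
        if match is None:
            return False
        return allow_default or match[0].prefixlen > 0


def filter_ingress(router, packets):
    """Apply strict uRPF to (src, dst, ingress_iface) tuples; return (accepted, dropped)."""
    accepted, dropped = [], []
    for pkt in packets:
        src, _dst, iface = pkt
        (accepted if router.urpf_strict(src, iface) else dropped).append(pkt)
    return accepted, dropped


def build_edge_router():
    """Constructed edge router: one customer block, one hosting segment, a default upstream."""
    r = Router()
    r.add_route("203.0.113.0/24", "cust0")  # customer's assigned address block
    r.add_route("192.0.2.0/24", "dc0")      # hosting segment where an NTP server lives
    r.add_route("0.0.0.0/0", "up0")         # default route toward the upstream provider
    return r


# Constructed ingress packets: (source IP, destination IP, arriving interface)
SAMPLE_PACKETS = [
    ("203.0.113.9", "192.0.2.10", "cust0"),    # genuine customer host -> NTP server
    ("198.51.100.7", "192.0.2.10", "cust0"),   # spoofed: claims a remote victim's address
    ("203.0.113.9", "192.0.2.10", "up0"),      # customer prefix arriving from upstream
    ("198.51.100.20", "203.0.113.9", "up0"),   # remote host arriving from upstream
]


if __name__ == "__main__":
    router = build_edge_router()
    accepted, dropped = filter_ingress(router, SAMPLE_PACKETS)
    for pkt in accepted:
        print("accept", pkt)
    for pkt in dropped:
        print("drop  ", pkt)
```

On the customer-facing interface strict mode is the right choice: only the customer's own block can arrive there, so the spoofed packet in the sample is dropped before it ever reaches an NTP or DNS server. On the upstream interface strict mode would also drop the customer-sourced packet arriving from outside, which is desirable, but it can mis-drop legitimate traffic on multihomed links, which is why loose mode (with or without allowing the default route) exists; the sample shows that loose mode without `allow_default` rejects anything reachable only via the default route.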

      DDoS Trends

      DDoS attacks continue to mount. In the fourth quarter, DDoS attacks rose 26 percent year-over-year, according to Prolexic’s latest Global DDoS Attack Report.

      “DDoS attacks are evolving from high-bandwidth volumetric attacks that bring down Web servers to highly sophisticated targeted attacks that threaten availability of critical business applications and resources,” Scanlon said. “DDoS volumetric flood attacks are still a problem for online businesses, but with the right defense in place, these attacks can be nullified.”

      The trend of attackers leveraging critical services such as NTP is disturbing and should raise awareness concerning the need to reduce attackers’ ability to spoof or forge machine IP addresses, Scanlon said. “The emerging trend of using critical services such as DNS and NTP should be yet another alarm bell that further investment and work must be done to continue to remove dark corners of the Internet that allow these threats to be disruptive,” he said.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
