Risk of DDoS Amplification Attacks on NTP Servers Declines

NSFOCUS reports find that many administrators have patched vulnerable Network Time Protocol servers, though the risk of DDoS amplification attacks still remains.

malware hack

At the beginning of the year, the United States Computer Emergency Readiness Team (US-CERT) warned of the dangers of distributed denial-of-service (DDoS) attacks that were leveraging Network Time Protocol (NTP) servers to amplify attacks. Apparently, that warning did not fall on deaf ears, as most vulnerable NTP servers have been patched in the last six months, according to a new report from NSFOCUS.

In December 2013, NSFOCUS found that 432,120 NTP servers around the world could potentially be leveraged in a DDoS attack. In a new analysis released today and conducted during the month of May, NSFOCUS only found 17,647 unpatched servers.

NTP servers are widely deployed around the world and are primarily used as a time-keeping technology for server and network clock synchronization. In an NTP amplification attack, the attackers abuse a feature in NTP called monlist that is intended to provide administrators with information about connected clients and their traffic counts. That feature and the potential NTP abuse capability have been patched in versions of NTP 4.2.7 and later, which were released at the end of 2013.

Terence Chong, solutions architect at NSFOCUS, told eWEEK that his firm was not surprised by the new NTP server results.

"The initial number of the vulnerable servers was very high," he said. "Over 95 percent of them were patched within the first few months after the exploitation of the NTP server was first made public, which is an impressive number."

There could be a couple of reasons why more NTP servers were not patched, Chong said. One potential reason is that the administrators of these servers are not aware of the NTP server vulnerability. Another is that the remaining unpatched NTP servers are not properly documented or tracked and the administrators are not aware of their existence.

"Organizations need to do an internal audit of their network to find out if there are any undocumented or unmanaged NTP servers within their environment," Chong said.

Not all of the NTP servers surveyed by NSFOCUS have the same existing capability for DDoS amplification. There is a class of NTP servers that could potentially enable an attacker to amplify traffic by 700 times. In the May survey, 2,121 of the 17,647 NTP servers were identified as being able to hit the 700x amplification mark for a DDoS. That said, the NSFOCUS report noted that there is the potential to enhance an NTP server to enable a 700x attack.

"It is possible that some or all of the 17,647 unpatched servers can be enhanced," Chong confirmed.

In its report, NSFOCUS outlines a potential doomsday scenario, where a DDoS attack with a similar composition to the one that hit spam service SpamHaus in March 2013 is able to leverage the full power of a 700x NTP amplification. In the SpamHaus attack, the site was hit by a 300G-bps attack. With full amplification, NSFOCUS suspects that an attack volume in the terabits-per-second range might be possible, though it is unlikely.

"Technically, it is possible to generate a 1,700G-bps attack with the existing 17,000 unpatched servers, but the numbers are decreasing," Chong said. "And with some ISPs and carriers already putting in measures to filter large NTP traffic, the possibility of this happening is low."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.