NTP Flood: Amped and Dangerous

We recently hosted a live distributed denial of service (DDoS) simulation webinar featuring Andrew Shoemaker of NimbusDDoS. During the Q&A session, Andy fielded many questions about network layer attacks, and NTP amplification in particular. We’ll look at NTP attacks and what you can do about it.

NTP Amplification

NTP amplification is a type of DDoS event where the attacker exploits publicly-accessible network time protocol (NTP) servers to overwhelm a target with user datagram protocol (UDP) packets.

NTP is used to synchronize clocks on Internet-connected devices. Older versions also provide a monitoring service, monlist, that lets administrators retrieve a list of the last 600 hosts that connected to an NTP server. Meanwhile, UDP is a connectionless protocol that doesn’t involve handshaking. As a result, a requesting IP address cannot be verified.

In the most basic type of amplification attack, a perpetrator repeatedly sends a get monlist request to a number of NTP servers, meanwhile spoofing the requesting IP address as that of a target. The obliging NTP servers dutifully send their lists of hosts to the spoofed address.

For example, a single request packet might be 234 bytes. The response might be divided among ten packets totaling 4,460 bytes. At scale, such an NTP-driven DDoS event would use up significant bandwidth and have a high packet rate.

The response(s) being amplified by the successive monlist requests, ultimately the targeted system suffers a degradation of service. We reported on the Vikingdom DDoS attacks on U.S. government sites last year, the attacks although small were enough to take some .gov sites offline for hours.

Reflection Attacks

NTP amplification is a type of reflection attack, which elicits a response from a server to a spoofed IP address. Here, amplification refers to producing a response that is disproportionate to the original request. In this case, even a single response exceeds the size of a single get monlist request. Now consider multiple responses arriving from multiple NTP servers.

With DNS amplification, the query/response size ratio is between 1:28-1:53; an attacker running one device with 1Gbps of traffic could effectively direct attacks half as much in size against a target.

In the NTP amplification variant, the ratio can be between 20:1 and 200:1 or more, up to 1:556.9 according to US CERT. Any perpetrator armed with a list of available NTP servers (acquired by using a tool like Metasploit, or data from the Open NTP Project) can easily launch a high-bandwidth, high-volume DDoS assault.

Mitigation Methods

Interestingly, the 2014 Heartbleed vulnerability led many NTP server admins to either manually disable monlist or upgrade ntpd (the NTP daemon) to version 4.2.7 or newer. Older versions can also be manually restricted. PC World reported that same year that the number of worldwide NTP servers subject to exploitation decreased from 432,120 to 17,647. But yet the threat still exists.

“That reminds me Marty, you better not hook up to the
amplifier; there’s a slight possibility of overload” – Doc Brown

Computerworld states that “organizations can use the Open NTP Project to identify vulnerable NTP servers in their IP address ranges and can follow instructions provided by security research outfit Team Cymru to secure them on different OSes.”

As with many other perils, mitigating NTP amplification events is challenging because the server responses are supposedly legitimate traffic. Moreover, the DDoS traffic volume could easily overwhelm even the most resilient of network infrastructures. Therefore, mitigation is achieved through a combination of overprovisioning and traffic filtering.

Incapsula protects against a NTP amplification attack: 180Gbps and 50 million packets per second

The Incapsula global network protects against volumetric DDoS threats by scrubbing out malicious bots and attack vectors from traffic. The global network scales on demand to absorb and deflect multi-10Gbps DDoS threats—including NTP amplification attacks. Our positioning as a cloud provider ensures that DDoS traffic is filtered outside of your network, where it can’t harm any target.

To see what happens during a DDoS attack, check out the webinar recording below.

Keep your finger on the pulse

Sign up for updates from Imperva, our affiliated entities and industry news.