NTP Amplification

What is an NTP amplification attack?

NTP amplification is a specialized form of distributed denial-of-service (DDoS) attack that exploits the Network Time Protocol (NTP) to overwhelm victims with high volumes of traffic. By abusing the user datagram protocol (UDP) in NTP transactions, attackers can amplify small requests into much larger responses.

NTP-based DDoS attacks often set records for the largest volumetric attacks, surpassing 2 Tbps. As attackers leverage more vulnerable NTP servers, the extensibility of these attacks continues to grow.

Understanding NTP Amplification

NTP is a UDP-based protocol used to synchronize computer clocks on the Internet. Here’s how attackers exploit it to amplify DDoS attacks:

• The attacker spoofs the IP address of the victim and sends a small UDP request to a vulnerable NTP server.
• The NTP server, thinking the request is legitimate, returns a much larger UDP response to the spoofed victim’s IP address.
• By bouncing responses off thousands of NTP servers, the attacker leverages amplification factors of 50x, 100x, or more.
• This allows relatively small requests of just a few kilobits to generate gigabits or terabits of attack traffic flooding the victim.
• Common NTP commands like monlist are abused to generate huge responses.

With access to an increasing number of vulnerable, publicly accessible NTP servers, attackers can easily overwhelm victims. The spoofed UDP traffic appears to come from legitimate NTP hosts rather than the actual attack sources.

The History of NTP Amplification Attacks

NTP amplification rose to prominence as a DDoS vector starting in late 2013. Some milestone attacks include:

• Spamhaus DDoS (2013) – At the time, one of the largest DDoS attacks on record, this 300+ Gbps attack leveraged NTP amplification to target European anti-spam group Spamhaus.
• GitHub DDoS (2018) – GitHub was impacted by a 1.35+ Tbps memcached amplification attack. It was the biggest volumetric DDoS attack observed at that point.
• REvil DDoS Campaign (2020) – Cybercriminal group REvil launched a series of NTP amplification attacks, peaking at 580 Gbps, targeting organizations in financial services, eCommerce, and government. These attacks were mitigated with Imperva DDoS Protection.

NTP-based attacks continue to make headlines as amplification techniques evolve, reflecting a growing trend of abusing legitimate protocols and services to carry out DDoS attacks.

Technical Aspects Enabling NTP Amplification

Several technical aspects of NTP enable its exploitation for high-volume traffic amplification:

• UDP protocol: NTP relies on connectionless UDP which allows easy spoofing of source IP addresses. Using TCP would prevent this with its three-way handshake.
• Amplifying commands: NTP commands like monlist return very large volumes of data allowing amplification ratios over 100x.
• Misconfigured NTP servers: Publicly accessible NTP servers that are poorly configured or unpatched allow attackers to bounce spoofed requests off them.
• IP spoofing: The ability to forge the source IP address on requests is key. This allows disguising the actual attack sources.
• High bandwidth: NTP servers are provisioned with large Internet bandwidth to handle many clients globally. This has the ability to enhance amplification volumes.

How to Mitigate NTP Amplification Attacks

Organizations can take various steps to defend against NTP-based DDoS attacks:

Patch NTP Software

Updating NTP server software removes dangerous amplifying commands like monlist. Enabling authentication also prevents anonymous abuse.

Block Unused Protocols

Blocking outbound UDP traffic reduces the external attack surface. Inbound filtering of UDP port 123 prevents reception of NTP.

Limit Access

NTP servers should restrict access to authorized hosts rather than allowing global access. This prevents them being used as DDoS reflectors.

Monitor Traffic

Monitoring tools can detect unusual spikes in outbound NTP traffic that can indicate your systems are being used in an attack.

Cloud-Based DDoS Protection

A cloud-based DDoS protection service, like Imperva DDoS Protection, scrubs attack traffic and can absorb massive volumes without impacting your infrastructure.

Persistent Risk of NTP Amplification

While techniques exist to mitigate NTP-based DDoS attacks, there are still ways for attackers to exploit the protocol:

• Lack of authentication: Most NTP implementations still do not require authentication, allowing anonymous abuse.
• Ubiquitous amplifying commands – Dangerous commands like monlist remain enabled by default on many vulnerable NTP servers.
• Poor NTP hygiene:  Misconfigurations like external access, monitoring, and flaws in huge NTP server deployments provide attackers easy reflectors.
• Insecure IoT ecosystem: The proliferation of insecure IoT devices enables them to be compromised and used in DDoS botnets that can carry out massive NTP attacks.

How Imperva Can Help Mitigate NTP Attacks

Imperva DDoS Protection proxies all incoming traffic to block layer 3/4 and layer 7 attacks, such as NTP amplification attacks, from reaching a customer’s infrastructure.

Imperva secures websites, networks, DNS servers, and individual IPs from the largest and most sophisticated types of DDoS attacks with minimal business disruption. The cloud-based service keeps businesses up and running at high-performance levels, even if they’re under attack.

The high-capacity global network from Imperva scales as needed to absorb the largest attacks that can overwhelm an organization’s web applications.

Imperva DDoS Protection is part of the Imperva Application Security Platform, which also consists of the market-leading web application firewall (WAF), Advanced Bot Protection, API Security, and more.