BLOG
2.19.2014

NTP: DDoS Evolves into 400 Gbps Monster Attacks

Last updated: 9.16.2020, 12.18.2020

You may have seen recent headlines about NTP attacks, a new variation of Distributed Denial of Service (DDoS) attacks that is driving massive floods of up to 400 Gbps of traffic, overwhelming servers. Victims have included Xbox Live, customers at CloudFlare, and hosting company OVH.

What Are NTP Amplified Attacks?

The new NTP attacks take advantage of the Network Time Protocol (NTP), which is used to sync clocks between servers and networks. Hackers amplify their attacks through NTP by sending a small packet to an NTP server with the source address spoofed to the target's IP. The NTP server replies to the spoofed address with a list of up to the last 600 IP addresses that connected to it. The specific command used is “monlist”, which returns that list of IP addresses.

In a standard DDoS attack, packets are sent to a server in such quantity that they crowd out all other traffic and essentially shut down the server, which cannot keep up. NTP amplification attacks let a small request produce a far larger response, so the target server is flooded much faster for the same attacker bandwidth.

One attack reported by Cloudflare, a web security company, reached nearly 400 Gbps of traffic, the largest ever recorded. Black Lotus, another security company, studied the attacks and discovered that 69% of all DDoS traffic in the first week of January 2014 was NTP reflection.
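What the amplification described above looks like in flow records, as an added example that is not part of the original post: a monlist reply arrives as a burst of large UDP datagrams from source port 123, while a normal clock sync is one small packet each way, so average packet size plus "many reflectors, one destination" is the detection signature. The flow records, the request size used for the ratio estimate, and the function names are all assumptions constructed for the example.

```python
"""
Added example (not from the original post): flag NTP reflection traffic in
flow records and estimate the amplification the victim is seeing.
"""
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


# Approximate wire size of one monlist request datagram, used only to
# estimate the amplification ratio (assumed value, not from the post).
MONLIST_REQUEST_BYTES = 234


def ntp_reply_flows(flows: List[Flow], min_avg_bytes: int = 200) -> List[Flow]:
    """Keep UDP flows sourced from port 123 whose average datagram is large.

    Time-sync replies are small; monlist replies average several hundred
    bytes per packet, so average packet size separates the two.
    """
    return [f for f in flows
            if f.proto == "udp" and f.sport == 123 and f.packets > 0
            and f.bytes / f.packets >= min_avg_bytes]


def reflection_victims(flows: List[Flow], min_sources: int = 3,
                       min_avg_bytes: int = 200) -> Dict[str, Tuple[int, int]]:
    """Map each suspected victim IP to (distinct reflectors, total bytes).

    A host receiving large NTP replies from several different servers it
    never queried is the signature of a reflection attack.
    """
    per_dst: Dict[str, Tuple[Set[str], int]] = {}
    for f in ntp_reply_flows(flows, min_avg_bytes):
        srcs, total = per_dst.get(f.dst, (set(), 0))
        srcs.add(f.src)
        per_dst[f.dst] = (srcs, total + f.bytes)
    return {dst: (len(srcs), total) for dst, (srcs, total) in per_dst.items()
            if len(srcs) >= min_sources}


def amplification_ratio(reply_bytes: int,
                        request_bytes: int = MONLIST_REQUEST_BYTES) -> float:
    """Bytes delivered to the victim per byte the attacker had to send."""
    return reply_bytes / request_bytes


# Constructed sample flows (not real traffic). 203.0.113.10 is hit by large
# UDP/123 replies from five open NTP servers; 203.0.113.20 performs a normal
# clock sync with 192.0.2.50.
SAMPLE_FLOWS = [
    Flow("198.51.100.5", 123, "203.0.113.10", 123, "udp", 100, 48200),
    Flow("198.51.100.6", 123, "203.0.113.10", 123, "udp", 100, 48200),
    Flow("198.51.100.7", 123, "203.0.113.10", 123, "udp", 100, 48200),
    Flow("198.51.100.8", 123, "203.0.113.10", 5000, "udp", 100, 48200),
    Flow("198.51.100.9", 123, "203.0.113.10", 5000, "udp", 100, 48200),
    Flow("203.0.113.20", 123, "192.0.2.50", 123, "udp", 1, 76),
    Flow("192.0.2.50", 123, "203.0.113.20", 123, "udp", 1, 76),
]

if __name__ == "__main__":
    for victim, (n_src, total) in reflection_victims(SAMPLE_FLOWS).items():
        ratio = amplification_ratio(total // n_src)
        print(f"{victim}: {n_src} reflectors, {total} bytes, "
              f"~{ratio:.0f}x amplification per reflector")
```

On real NetFlow or sFlow data the thresholds would need tuning to the sampling rate, but the shape of the check is the same: large-per-packet UDP/123 traffic converging on one destination from many sources.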

Detecting and Stopping NTP and DDoS Attacks

To check whether a UNIX or Linux server has the monlist command enabled, use the ntpdc utility: run /usr/sbin/ntpdc <server ip>, then enter “monlist” at the interactive prompt. If the server answers with a list of addresses, monlist is enabled; upgrade to the latest version of ntpd (at least 4.2.7), which disables the command. On older versions that cannot be upgraded, add the following lines to the ntpd configuration (ntp.conf) and restart ntpd; the noquery flag refuses monlist and the other status queries:

restrict default kod nomodify notrap nopeer noquery

restrict -6 default kod nomodify notrap nopeer noquery
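A quick way to audit a configuration for the fix above, as an added example that is not the post's own tooling: it checks that both the IPv4 and the "-6" IPv6 "restrict default" lines carry noquery, and also catches a misspelled flag (ntpd rejects a restrict line it cannot parse, so a typo leaves the server open). It also accepts the "disable monitor" directive, which is a real ntpd option that removes the monlist data entirely but is not mentioned in the post. The sample configurations and function names are constructed for the example.

```python
"""
Added example (not from the original post): audit an ntp.conf for the
monlist exposure. Closed either by the two 'restrict default ... noquery'
lines given in the post (IPv4 and '-6' IPv6) or by 'disable monitor'.
"""
from typing import Dict, List, Set

# Flags ntpd accepts on a 'restrict' line; anything else is a typo that
# ntpd will reject, so that line would not be protecting the server.
KNOWN_RESTRICT_FLAGS = {
    "ignore", "kod", "limited", "lowpriotrap", "nomodify", "noquery",
    "nopeer", "noserve", "notrap", "notrust", "ntpport", "version",
    "flake", "mssntp", "noepeer",
}


def _tokens(line: str) -> List[str]:
    """Drop a trailing '#' comment and split the line into tokens."""
    return line.split("#", 1)[0].split()


def default_restrictions(conf: str) -> Dict[str, Set[str]]:
    """Map 'ipv4'/'ipv6' to the flag set of its 'restrict default' line.

    Follows the pairing used in the post: a bare 'restrict default'
    (or '-4') is the IPv4 line, 'restrict -6 default' the IPv6 line.
    """
    found: Dict[str, Set[str]] = {}
    for raw in conf.splitlines():
        tokens = _tokens(raw)
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        family, rest = "ipv4", tokens[1:]
        if rest[0] in ("-4", "-6"):
            family = "ipv6" if rest[0] == "-6" else "ipv4"
            rest = rest[1:]
        if rest and rest[0] == "default":
            found[family] = set(rest[1:])
    return found


def monitor_disabled(conf: str) -> bool:
    """True if the config contains a 'disable monitor' directive."""
    return any(_tokens(raw) == ["disable", "monitor"]
               for raw in conf.splitlines())


def audit_ntp_conf(conf: str) -> List[str]:
    """Return findings; an empty list means monlist is not exposed."""
    findings: List[str] = []
    defaults = default_restrictions(conf)
    for family, flags in defaults.items():
        for flag in sorted(flags - KNOWN_RESTRICT_FLAGS):
            findings.append(f"{family}: unknown restrict flag '{flag}' "
                            "(typo? ntpd will reject this line)")
    if monitor_disabled(conf):
        return findings  # monlist data is never collected, nothing to leak
    for family in ("ipv4", "ipv6"):
        if family not in defaults:
            findings.append(f"{family}: no 'restrict default' line, "
                            "monlist queries are answered")
        elif "noquery" not in defaults[family]:
            findings.append(f"{family}: 'restrict default' lacks 'noquery', "
                            "monlist queries are answered")
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """
# typical pre-hardening default: mode 7 queries such as monlist still allowed
restrict default kod nomodify notrap nopeer
server 0.pool.ntp.org
"""

HARDENED_CONF = """
# the two lines recommended in the post
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
server 0.pool.ntp.org
"""

TYPO_CONF = """
restrict default kod nomodfy notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                       ("typo", TYPO_CONF)):
        print(name, audit_ntp_conf(conf) or ["ok"])
```

Run it against a copy of /etc/ntp.conf by reading the file into a string and passing it to audit_ntp_conf; an empty result for an old ntpd still means the monlist check with ntpdc should be repeated after restarting the daemon, since only the running configuration matters.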

Stopping DDoS attacks in general can be more difficult. Policers limit the amount of NTP traffic allowed through, but are only effective on higher-bandwidth networks with at least 40 Gbps connections. DDoS mitigation systems with flow analysis and Border Gateway Protocol (BGP) diversion are another method of heading off DDoS attacks. These tools scan incoming traffic for signs of DDoS activity, then separate the attack packets from legitimate traffic.

The scale of DDoS attacks has increased dramatically in the past year or so, jumping from tens of gigabits per second to hundreds. A combination of vigilance and preparation, as well as DDoS-specific planning as part of a business continuity plan, can help keep business systems online in the case of a malicious attack.

Read more about the recent NTP attacks:

http://www.ibtimes.co.uk/largest-ever-ddos-cyber-attack-hits-us-european-victims-1435973
http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/
http://www.us-cert.gov/ncas/alerts/TA14-013A

Posted By: Joe Kozlowicz
