http://www.prolexic.com/knowledge-center-ddos-threat-advisory-ntp-amplification.html?cvosrc=3rdParty.NationalPositions.NTP-AMP-NP | Fueled by the availability of new Network Time Protocol (NTP) amplification DDoS toolkits that make it simple for malicious actors to generate high-bandwidth, high-volume DDoS attacks against online targets, the NTP amplification attack method has surged in popularity, making it one of the most popular DDoS attack types in 2014, as reported by Prolexic. Learn more about this security threat in these excerpts from the Prolexic NTP Amplification DDoS Attack Threat Advisory.

1.
1
NTP-­‐AMP
DDoS
Attacks:
A
Cyber
Security
Threat
Selected
excerpts
The
Security
Engineering
and
Response
Team
(PLXsert)
at
Prolexic
(now
part
of
Akamai)
recently
published
a
Distributed
Denial
of
Service
(DDoS)
Threat
Advisory
about
a
serious
up-­‐and-­‐coming
cyber
security
threat:
NTP
amplification
attacks.
The
NTP-­‐AMP
DDoS
threat
advisory
describes
the
cyber-­‐attack
and
shares
a
Snort
rule
and
DDoS
defense
instructions
for
attack
mitigation
by
the
target
and
best
practices
for
NTP
server
administration.
Fueled
by
the
availability
of
new
Network
Time
Protocol
(NTP)
amplification
DDoS
toolkits
that
make
it
simple
for
malicious
actors
to
generate
high-­‐bandwidth,
high-­‐volume
DDoS
attacks
against
online
targets,
the
NTP
amplification
attack
method
has
surged
in
popularity,
making
it
one
of
the
most
popular
DDoS
attack
types
in
2014,
as
reported
by
Prolexic.
With
only
a
handful
of
vulnerable
NTP
servers,
the
current
batch
of
NTP
amplification
attack
toolkits
enable
malicious
actors
to
launch
100
Gbps
attacks
–
or
larger.
The
most
recent
toolkit
uses
an
NTP
server’s
own
list
of
recent
server
connections
–
as
many
as
600
IP
addresses
–
as
the
payload
to
create
malicious
traffic
at
the
target
site.
What
makes
the
NTP-­‐AMP
attack
so
powerful?
The
NTP
protocol
has
a
few
methods
that
can
be
exploited
to
launch
a
DDoS
amplification
attack.
One
of
the
more
common
methods
observed
recently
is
the
monlist
request.
Monlist
is
a
feature
within
the
NTP
protocol
that
lists
the
address
of,
and
statistics
about,
the
last
600
clients
that
have
connected
to
a
server
for
NTP
time
service.
The
abuse
of
the
monlist
request
is
not
new
but
has
definitely
hit
a
trending
status.
The
amplification
is
dramatic.
If
every
request
received
a
response
and
every
server
responded
with
the
maximum
amount
of
traffic,
1
Gbps
of
request
traffic
would
yield
366
Gbps
of
response
traffic
destined
for
the
primary
target.
In
real-­‐world
environments
NTP
monlist
responses
vary
wildly
in
size,
which
will
affect
the
total
attack
bandwidth
directed
to
the
primary
target.
With
such
significant
amplification,
malicious
actors
can
produce
harmful
attacks
using
only
a
few
systems.
With
the
use
of
NTP
scanners,
malicious
actors
could
refine
their
NTP
lists
to
include
only
servers
that
respond
with
the
maximum
response
size
and
two
NTP
servers
could
easily
generate
more
than
100
Gbps
of
amplified
reflection
traffic.
As
with
all
DrDoS
(Distributed
Reflected
Denial
of
Service)
flooding
tools,
raw
sockets
are
used
by

2.
2
the
NTP-­‐AMP
DDoS
toolkit
to
craft
the
IP
and
UDP
headers
to
allow
IP
spoofing.
Elevated
privileges
are
required
for
the
use
of
raw
sockets
on
any
modern
operating
system.
Therefore,
the
execution
of
the
NTP
amplification
tools
requires
attackers
to
either
set
up
their
own
servers
or
compromise
a
server
and
elevate
privileges
in
order
to
make
the
operating
system
create
raw
socket
connections.
What
an
NTP-­‐AMP
attack
looks
like
Shown
below
in
Figure
1
is
a
sample
of
malicious
traffic
replicated
to
emulate
the
actual
NTP_AMP
DDoS
campaigns
Prolexic
mitigated
for
its
customers.
Figure
1:
Traffic
observed
by
the
primary
target
network
using
tcpdump
Get
the
full
NTP-­‐AMP
DDoS
threat
advisory
for
a
full
analysis
and
mitigation
techniques
In
the
threat
advisory,
PLXsert
shares
its
insight
into
NTP
Amplification
attacks:
• Indicators of the use of the NTP Amplification toolkit
• Analysis of the source code
• Use of monlist as the payload
• The SNORT rule and target mitigation using ACL entries for attack targets
• Mitigation instructions for vulnerable NTP servers
• Statistics and payloads from two observed NTP Amplification DDoS attack campaigns
About
Prolexic
Prolexic
Technologies
(now
part
of
Akamai)
is
the
world’s
largest
and
most
trusted
provider
of
DDoS
protection
and
mitigation
services.
Learn
more
at
http://www.prolexic.com.