NTP: DDoS Evolves into 400 Gbps Monster Attacks

Written by Joe Kozlowicz on Wednesday, February 19th 2014 — Categories: Networking and Fiber, Security

You may have seen recent headlines about NTP attacks, a new variation of Distributed Denial of Service Attacks (DDoS) that is driving massive attacks with up to 400 Gbps of traffic overwhelming servers. Victims have included Xbox Live, customers at CloudFlare, and hosting company OVH.

What Are NTP Amplified Attacks?

The new NTP attacks take advantage of Network Time Protocol, which is used to sync timestamps between servers and networks. Hackers amplify their attacks through NTP, by sending a small packet to the NTP server under the guise of the target IP. The NTP automatically replies to the spoofed IP with the last 600 IP addresses that connected. The specific command used is “monlist”, which replies with the list of IP addresses.

In a standard DDoS attack, packets of information are sent to a server in such quantity that they block all other traffic and essentially shut down the server as it cannot keep up. NTP amplification attacks allow small packets to return significantly larger data sets, flooding the target server much faster.

One attack reported by Cloudflare, a web security company, reached nearly 400 Gbps of traffic, the largest ever recorded. Black Lotus, another security company, studied the attacks and discovered that 69% of all DDoS traffic in the first week of January 2014 was NTP reflection.

Detecting and Stopping NTP and DDoS Attacks

To discover if a UNIX or Linux platform server has the monlist command enabled, use the command “ntpdc”: /usr/sbin/ntpdc <server IP>, then input “monlist”. Monlist will respond in interactive mode. If monlist is enabled, upgrade to the latest version of ntpd (at least 4.2.7), which disables the command. To disable older versions enter the following commands:

restrict default kod nomodfy notrap nopeer noquery

restrict -6 default kod nomodify notrap nopeer noquery

Stopping DDoS attacks in general can be more difficult. Policers limit the amount of NTP traffic allowed, but are only effective on higher bandwidth networks with at least 40 Gbps connections. DDoS mitigation systems with flow analysis and Border Gateway Protocol (BGP) diversion are another method of heading off DDoS attacks. These tools scan incoming traffic for signs of DDoS traffic, then segregate the attack packets from legitimate traffic.

The scale of DDoS attacks has increased dramatically in the past year or so, jumping from tens of gigabytes to hundreds per second. A combination of vigilance and preparation, as well as DDoS specific planning as part of a business continuity plan, can help keep business systems online in the case of malicious attack.

Read more about the recent NTP attacks:


Posted By: Joe Kozlowicz

Chat Now