American information security experts have warned about new DDoS attacks that leverage the Network Time Protocol (NTP) to amplify garbage traffic. The United States Computer Emergency Readiness Team (US-CERT) published a special newsletter for corporate users about the threat, because they tend to be the targets of DDoS attacks.
Using NTP servers to amplify DDoS traffic is not a new method: attackers have been abusing the SNMP, CHARGEN and NTP protocols for several years to strengthen their attacks.
Such attacks are usually delivered by spoofing the sender’s IP address and abusing intermediaries: web servers or other hardware connected to the network, such as printers, cameras, routers, hubs or sensors. Attackers exploit weaknesses in standard network protocols and turn these devices into tools for carrying out DDoS attacks: the abused hardware sends its responses to the attacker’s requests towards the target.
The attackers thus kill two birds with one stone. They disguise the real source of the threat (the victim receives traffic from the intermediaries only) and increase the parasitic traffic. A number of intermediary hosts are capable of answering short, carefully crafted requests with an impressive flood of responses aimed at the target. NTP is a simple protocol that runs over UDP, which makes it a convenient amplifier, since a server will answer packets that carry a spoofed source IP address. At least one of its built-in commands, MON_GETLIST (monlist), returns a long answer to a short query.
The efficiency of such attacks is further increased because responses contain valid data from legitimate servers.
Attacks using NTP amplification were, until recently, relatively rare, but in 2013 their number suddenly grew. In December and January, NTP amplification hit several popular gaming services (EA.com, Battle.net, League of Legends), with the garbage traffic rate peaking at 100 Gbit/s.
Another problem is that NTP is a protocol that is normally configured only once. The NTP service is seldom updated, so attackers can easily find many vulnerable NTP servers on the Internet and use them.
DDoS attacks are regularly used by hackers against large and mid-sized resources alike. Sometimes the goal is simply to bully a website, but DDoS is frequently added to blackmail attempts, used to cause direct damage to a business, or used to cover an intrusion attempt. Whatever the intruders’ goal, a DDoS attack is always a serious problem that is extremely hard to resolve.
It is possible to protect yourself against this kind of attack. First, update and reconfigure NTP: starting with version 4.2.7p26, support for the monlist command is limited. You can also disable the command outright, and external access to the service can be restricted as well.
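The reconfiguration step above can be checked mechanically. The following audit helper is an added example, not code from the article or from the NTP project: it takes classic ntpd `ntp.conf` text and reports whether arbitrary hosts could still send monlist-style (mode 7) queries. The config fragments are constructed for illustration and the function name is ours.

```shell
#!/bin/sh
# Audit an ntp.conf fragment for monlist exposure (added example).
# Assumes classic ntpd syntax: "restrict [-4|-6] default <flags>" and "disable monitor".

# Constructed sample: a typical "forgotten" config with no noquery flag.
WEAK_CONF='server 0.pool.ntp.org
restrict default nomodify notrap
restrict 127.0.0.1'

# Constructed sample: default restrictions deny queries for both address families.
HARDENED_CONF='server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1'

# Constructed sample: the MRU monitor itself is switched off, so monlist is empty.
MONITOR_OFF_CONF='server 0.pool.ntp.org
disable monitor'

# Prints "exposed" or "hardened" for the config text passed as $1.
ntp_monlist_exposure() {
  conf=$1
  # "disable monitor" empties the MRU list that monlist reads: nothing to amplify.
  if printf '%s\n' "$conf" |
     grep -Eq '^[[:space:]]*disable([[:space:]]+[a-z_]+)*[[:space:]]+monitor([[:space:]]|$)'; then
    echo hardened; return 0
  fi
  # Collect every "restrict [-4|-6] default ..." line.
  defaults=$(printf '%s\n' "$conf" |
    grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)')
  # No default restriction at all: ntpd answers queries from anyone.
  if [ -z "$defaults" ]; then
    echo exposed; return 0
  fi
  # Any default line lacking noquery (or ignore) leaves that address family open.
  if printf '%s\n' "$defaults" | grep -Evq '(^|[[:space:]])(noquery|ignore)([[:space:]]|$)'; then
    echo exposed; return 0
  fi
  echo hardened
}

echo "weak config:        $(ntp_monlist_exposure "$WEAK_CONF")"
echo "hardened config:    $(ntp_monlist_exposure "$HARDENED_CONF")"
echo "monitor-off config: $(ntp_monlist_exposure "$MONITOR_OFF_CONF")"
```

Run it against a real file with `ntp_monlist_exposure "$(cat /etc/ntp.conf)"`; a result of "exposed" means the restrict lines, not just the daemon version, still need attention.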
The site of the Open NTP project also lets you scan your own infrastructure for this vulnerability. You should do this before attackers start “working” with your company.
This kind of attack is essentially another wake-up call for corporate users and IT departments. Once again, we can see that attackers find ways to do harm by exploiting common tools in unusual ways. In this case, the protocol is usually configured once and then forgotten. Nothing can be overlooked when working to provide proper IT security.