To understand how an NTP amplification attack works, you need to imagine yourself as a shy 8-year-old child at a family gathering. You’ve slipped away to sit by yourself in a corner reading a comic book so you don’t have to have your cheeks pinched or your hair tousled. Things are going just fine: you’re minding your own business and everyone else is minding theirs. And then your idiot cousin tells your Grandma that you want to hear all about her last hernia operation.
You didn’t actually ask for this horrible barrage of information, but because someone requested it on your behalf, it’s coming your way anyway. Swap the hernia story for a flood of traffic that takes your website down, along with the potential loss of revenue and consumer trust, damage to your software or hardware, and stolen consumer information, intellectual property or financial data that come with it, and that’s basically an NTP amplification attack.
Time for trouble
According to internet security firm Incapsula’s DDoS attack glossary, NTP amplification is a variety of DDoS attack in which an attacker uses NTP servers to overwhelm a targeted server with traffic.
NTP stands for Network Time Protocol, which is the protocol used to synchronize the clocks of internet-connected machines. It’s obviously an essential protocol. Unfortunately, many older versions of NTP still support a type of monitoring that allows administrators to send a ‘get monlist’ command to an NTP server, which prompts a server to reply with a list of the last 600 hosts that connected to the server in question.
To make an NTP amplification attack work, an attacker spoofs the targeted server’s IP address as the source of a ‘get monlist’ command and sends that command to one or more NTP servers. Because the spoofed source address looks real to the NTP server, it dutifully sends its hefty list of 600 connections back to the targeted server, which never asked for it. That’s where the amplification part of NTP amplification comes in: the response is far bigger than the initial query. In a typical NTP amplification attack, the ratio weighs in anywhere from 20:1 to over 200:1.
The threat to website owners
In the past few years you’ve undoubtedly heard about DDoS attacks getting bigger and more devastating, and often involving multiple attack types. NTP amplification is valuable to attackers because it can be used to increase the volume of attacks, which is probably why Incapsula saw a shift towards NTP amplification in 2014.
One of the highest-profile multi-vector DDoS attacks in 2014 was a five-vector attack against an online gambling site. This attack utilized NTP amplification and peaked at over 100 gigabytes per second. If that sounds shocking, then prepare yourself. A DDoS attack against a DDoS protection service used NTP amplification among other attack vectors to reach a staggering 400 gigabytes per second.
The problem with protocol
In terms of different types of DDoS attacks, NTP amplification falls into the protocol attack category. Protocol attacks exploit existing internet protocols to target servers or communication equipment like load balancers or firewalls.
Protocol attacks can be hard to deal with because the protocols they abuse exist for a reason: they keep the internet running. They’re not like bugs or vulnerabilities that can be patched or eliminated. In the case of NTP amplification, traffic from NTP servers can’t be blocked outright because most of it is legitimate. The other problem with protecting against NTP amplification is the sheer volume of this type of attack, which easily overwhelms network infrastructure.
Dealing with NTP amplification means a combination of traffic filtering and overprovisioning. The most effective mitigation for volume-based attacks like NTP amplification will intercept and filter attack traffic outside of the client network, so only legitimate traffic ever reaches the client. This requires a powerful scrubbing server, the likes of which only a professional DDoS protection service will have.
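The filtering step described above has to separate reflected monlist responses from the ordinary NTP replies a host actually asked for, because blocking everything from UDP port 123 would also break legitimate time synchronization. The following Python is an added example written for this page; it is not code from the article or from Incapsula. It assumes a simple NetFlow-like record shape (source and destination address and port, protocol, packet and byte counts, with bytes counted as UDP payload), uses constructed sample flows rather than captured data, and takes the 234-byte monlist request size and the 200-byte per-packet threshold as assumptions. The idea is that a port-123 response with no matching outbound query from the victim, carrying packets far larger than the 48-byte standard NTP packet, is amplification traffic and can be dropped, while small solicited replies are kept.

```python
"""Detecting and filtering reflected NTP monlist traffic in flow records.

Added example, not from the article. Flow shape, thresholds and sample
data are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123
NORMAL_NTP_PACKET_BYTES = 48      # a standard NTP client/server packet (RFC 5905 header, no extensions)
LARGE_RESPONSE_BYTES = 200        # assumed threshold: port-123 replies larger than this are not normal sync
MONLIST_REQUEST_BYTES = 234       # assumed size of the single request that triggers a full monlist reply


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


# Constructed sample flows (not captured data).
# 203.0.113.10 is the victim; 192.0.2.1 is a legitimate time server;
# 192.0.2.50-52 are open NTP servers being used as reflectors.
SAMPLE_FLOWS = [
    # The victim's own real NTP exchange: small packets in both directions.
    Flow("203.0.113.10", 40000, "192.0.2.1", NTP_PORT, "udp", 4, 192),
    Flow("192.0.2.1", NTP_PORT, "203.0.113.10", 40000, "udp", 4, 192),
    # Unsolicited monlist-style responses: 600 entries spread over ~100 large packets each,
    # aimed at ports the victim never used to send an NTP query.
    Flow("192.0.2.50", NTP_PORT, "203.0.113.10", 80, "udp", 100, 48200),
    Flow("192.0.2.51", NTP_PORT, "203.0.113.10", 80, "udp", 100, 48200),
    Flow("192.0.2.52", NTP_PORT, "203.0.113.10", 443, "udp", 100, 48200),
    # An unrelated client syncing normally with the same time server.
    Flow("198.51.100.5", 51000, "192.0.2.1", NTP_PORT, "udp", 1, 48),
    Flow("192.0.2.1", NTP_PORT, "198.51.100.5", 51000, "udp", 1, 48),
]


def find_unsolicited_ntp(flows):
    """Return port-123 responses that have no matching outbound query in the same window."""
    queries = {(f.src_ip, f.src_port, f.dst_ip)
               for f in flows if f.proto == "udp" and f.dst_port == NTP_PORT}
    unsolicited = []
    for f in flows:
        if f.proto != "udp" or f.src_port != NTP_PORT:
            continue
        # A reply to a real query would match (client ip, client port, server ip).
        if (f.dst_ip, f.dst_port, f.src_ip) not in queries:
            unsolicited.append(f)
    return unsolicited


def summarize_by_victim(flows):
    """Aggregate unsolicited port-123 traffic per destination and estimate the amplification."""
    acc = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    for f in find_unsolicited_ntp(flows):
        acc[f.dst_ip]["bytes"] += f.bytes
        acc[f.dst_ip]["packets"] += f.packets
        acc[f.dst_ip]["reflectors"].add(f.src_ip)
    summary = {}
    for ip, v in acc.items():
        avg_packet = v["bytes"] / v["packets"]
        # Assumes one monlist request per reflector (a labelled assumption).
        per_reflector = v["bytes"] / len(v["reflectors"])
        summary[ip] = {
            "bytes": v["bytes"],
            "packets": v["packets"],
            "reflectors": len(v["reflectors"]),
            "avg_packet_bytes": avg_packet,
            "estimated_amplification": per_reflector / MONLIST_REQUEST_BYTES,
            "suspicious": avg_packet > LARGE_RESPONSE_BYTES and len(v["reflectors"]) >= 2,
        }
    return summary


def should_drop(flow, all_flows):
    """Filter rule: drop a port-123 reply only if it is both unsolicited and oversized.

    Small replies to queries the host really sent are kept, so legitimate
    time synchronization keeps working while reflected monlist floods are cut.
    """
    if flow.proto != "udp" or flow.src_port != NTP_PORT:
        return False
    unsolicited = flow in find_unsolicited_ntp(all_flows)
    return unsolicited and (flow.bytes / flow.packets) > LARGE_RESPONSE_BYTES


if __name__ == "__main__":
    for victim, stats in summarize_by_victim(SAMPLE_FLOWS).items():
        print(victim, stats)
    for f in SAMPLE_FLOWS:
        print("DROP" if should_drop(f, SAMPLE_FLOWS) else "KEEP", f.src_ip, "->", f.dst_ip, f.bytes)
```

On the sample data the victim receives 482-byte packets from three reflectors and the estimated amplification works out to roughly 206:1, in line with the ratios quoted above, while the two 48-byte exchanges with the real time server pass the filter. Two server-side facts complete the picture: the monlist feature can be turned off on ntpd with `disable monitor` in ntp.conf (and was removed from the default build in ntpd 4.2.7p26 and later), and the spoofing that makes reflection possible is defeated at the network edge by source-address validation (BCP 38), which stops packets with forged source addresses from leaving a network in the first place.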
Whether it’s an 8-year-old hearing about a hernia surgery or a website server being slammed with lists of 600 host connections, no one should be on the receiving end of major information they haven’t actually requested. Not much can be done to help that 8-year-old, but your website can be protected. Look into it before it’s too late.