Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Attackers use NTP reflection in huge DDoS attack

Lucian Constantin | Feb. 12, 2014
Attackers abused insecure Network Time Protocol servers to launch what appears to be one of the largest DDoS (distributed denial-of-service) attacks ever, this time against the infrastructure of CloudFlare, a company that operates a global content delivery network.

What these protocols have in common is that they allow a relatively small query to generate a large response and are vulnerable to source IP spoofing if certain precautions are not taken because they work over UDP (User Datagram Protocol).

Instead of hitting a target's IP address directly with traffic generated by a botnet with a combined bandwidth of, say, 10Gbps, attackers could use the botnet to send spoofed queries to a list of open DNS or NTP servers. Those queries could be crafted to appear as if they came from the victim's IP address and could trigger large responses from those servers to that address.

In the case of DNS reflection, the amplification factor is 8x, meaning attackers could generate eight times more traffic than they would normally be able to generate with their botnet. However, in the case of NTP and SNMP reflection it can be over 200x and 650x, respectively, CloudFlare said in a blog post in January.

DNS reflection was commonly used in DDoS attacks last year, including in the attack against Spamhaus, prompting calls from Internet infrastructure groups and security researchers to organizations to identify and secure their DNS servers against this type of abuse.

SNMP reflection attacks are relatively rare, because the protocol is usually used with authentication and there are few open SNMP servers on the Internet, CloudFlare said in its January blog post.

However, NTP servers that are vulnerable to reflection attacks are apparently not that rare and attackers have caught on to this. NTP servers are used by computers and other devices to synchronize their clocks so many of them are publicly accessible.

Security vendor Symantec reported in December that it observed a spike in the number of NTP reflection attacks. Then in early January the same technique was used to attack online gaming servers.

"NTP contains a command called monlist (or sometimes MON_GETLIST) which can be sent to an NTP server for monitoring purposes," CloudFlare explained in January. "It returns the addresses of up to the last 600 machines that the NTP server has interacted with. This response is much bigger than the request sent making it ideal for an amplification attack."

Organizations can use the Open NTP Project to identify vulnerable NTP servers in their IP address ranges and can follow instructions provided by security research outfit Team Cymru to secure them on different OSes.

The U.S. Computer Emergency Response Team recommends updating NTP servers to at least ntpd (Network Time Protocol daemon) version 4.2.7, which addresses the monlist issue by default. Older versions need to be manually configured to restrict the functionality.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.