Protecting against NTP DDoS Attacks

Network Time Protocol (NTP) is one of the oldest components of the online world. It’s also one of the most important, and every device that connects to the internet - whether it’s a PC, server, tablet, smartphone or anything else - will use it.

My colleague Lori MacVittie has a great, detailed explanation of exactly what it is and why it’s so important here. Basically, as she points out, NTP is the internet’s time keeper; it’s how your device knows what time it is when it’s online.

But it’s also much, much more important than that. Timestamps and time synchronisation are vital to services such as web performance monitoring, caching, failover, availability and automation. Again, Lori’s article goes into great detail about its importance to the enterprise.

Because of its importance and ubiquity, NTP servers have become a prime target for DDoS attacks. This article on TechTarget points out that the first few months of 2014 saw a big increase in the number of NTP DDoS attacks; in February alone, NTP-based attacks made up 15% of all DDoS attacks tracked by one security company. Another monitoring company saw a massive rise of 371% against its clients for February.

NTP servers are an attractive target because they can be used to amplify DDoS attacks, meaning the packets sent back by the NTP server (to an IP address specified by the attackers) can be many hundreds of times bigger than what was received. This makes NTP an ideal vehicle for a DDoS attack. Security watchers are regularly seeing DDoS attacks hitting 400Gbps using NTP servers, according to recent reports. Security reporter Brian Krebs was one recent victim of an NTP DDoS attack.

There are ways of defending against an NTP DDoS attack. The attacks we’ve seen recently exploit something called the MONLIST command - a command in older versions of NTP that sends back a list of the 600 most recent hosts to have connected to the server. Therefore, the simplest way to protect against these attacks is to upgrade to a newer version of NTP; version 4.2.7 removes the MONLIST command completely. If, for whatever reason, upgrading to the latest version of NTP is not an option, then following BCP (best current practices) 38 and 84 will help. These practices protect against IP spoofing, one of the key components of a successful NTP DDoS attack.
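The check below is an added example, not code from this article or from the NTP project: it decides whether an ntpd instance can still answer MONLIST, using the article's 4.2.7 threshold plus two ntp.conf directives the article does not mention, `disable monitor` and the `noquery` restrict flag. The version string and both configurations are constructed samples.

```python
import re

MONLIST_REMOVED_IN = (4, 2, 7)  # threshold as stated in the article

def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'ntpd 4.2.6p5'; p-suffix ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(part) for part in m.groups())

def audit(version_text, conf_text):
    """Report whether this ntpd version and ntp.conf leave MONLIST answerable."""
    if parse_version(version_text) >= MONLIST_REMOVED_IN:
        return {"exposed": False, "reason": "MONLIST removed in this version"}
    monitor_disabled = False
    default_rules = []  # flag set of every 'restrict default' line
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if not tokens:
            continue
        if tokens[0] in ("disable", "enable") and "monitor" in tokens[1:]:
            monitor_disabled = tokens[0] == "disable"  # last directive wins
        elif tokens[0] == "restrict":
            args = [t for t in tokens[1:] if t not in ("-4", "-6")]
            if args and args[0] == "default":
                default_rules.append(set(args[1:]))
    # Queries are blocked only if every default rule carries noquery or ignore.
    queries_blocked = bool(default_rules) and all(
        rule & {"noquery", "ignore"} for rule in default_rules)
    if monitor_disabled or queries_blocked:
        return {"exposed": False, "reason": "mitigated in ntp.conf"}
    return {"exposed": True, "reason": "monitor enabled and queries allowed"}

# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """
driftfile /var/lib/ntp/drift
restrict default nomodify notrap   # no noquery: status queries are answered
restrict 127.0.0.1
"""
HARDENED_CONF = """
driftfile /var/lib/ntp/drift
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit("ntpd 4.2.6p5", conf))
```

A more specific `restrict` line without `noquery` can still allow queries from that source, so review those entries separately.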

For more information on protecting your business against all types of DDoS attacks, check out a new infographic we’ve put together here.

Published Apr 30, 2014
Version 1.0