DDoS Attacks Target Network Timing Protocol

Distributed denial-of-service (DDoS) attacks often utilise different techniques to drown Websites under a flood of traffic.

But now the United States Computer Emergency Readiness Team (US-CERT) is warning of an increased risk from DDoS attacks that leverage the Network Time Protocol (NTP) to amplify the attack volume.

NTP Exploit

NTP is a widely deployed Internet protocol that is primarily used as a time-keeping technique for clock synchronisation. Simply requesting the time from an NTP server is not, however, what attackers are using to execute DDoS attacks.

Instead, attackers are abusing a feature in NTP that enables administrators to query an NTP server about connected clients and their traffic counts. The query is made via a “monlist” command.

“This command causes a list of the last 600 IP addresses which connected to the NTP server to be sent to the victim,” US-CERT warns. “Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim.”

US-CERT also warns that since NTP traffic is typically considered legitimate, it can be difficult for administrators to block the attack.

The monlist command is also at the root of a known vulnerability referred to as CVE-2013-5211, which has been patched in the latest release of NTP. US-CERT warns that all versions of the NTP prior to version 4.2.7 are at risk

Amplification attacks have become much more well-known and observed throughout service provider and enterprise networks in the last 12 to 18 months, Paul Scanlon, principal product line manager at Juniper Networks, told eWEEK.

In March 2013 one of the largest DDoS attacks ever recorded leveraged a Domain Name System (DNS) amplification technique to hit Spamhaus with 300 Gbps of traffic.

“The expansion of the amplification attack technique from DNS servers to include NTP servers is a dangerous behaviour exhibited by attackers as they continue to realise that critical services using UDP designed to provide fundamental services to Internet infrastructure must be openly available and can be abused as a means to intensify attacks,” Scanlon said. “Fundamentally, the attack is exhibiting the abuse of services leveraging UDP as a transport protocol that does not require an established connection between client and server.”

NTP reflection/amplification attacks have been seen in the wild for the last six or seven years, Roland Dobbins, senior ASERT (Arbor Security Engineering and Response Team) analyst at Arbor Networks, told eWEEK.

“This technique has been used recently in high-profile attacks on gaming networks, attacks that have affected a substantial consumer base of these gaming networks; so it’s been receiving attention in the industry space, that’s the main difference,” Dobbins said. “But network operational security specialists have been dealing with these attacks for quite some time.”

Best Practices

In addition to making sure the organization is running the latest patched version of NTP, several steps can be taken to limit the risks of NTP-driven DDoS.

Every organisation with systems participating in NTP, DNS and any other service that uses UDP as its communication model must implement simple administrative techniques to reduce the possibility that attackers looking for points of reflection can abuse these services, Scanlon said.

Hardening the services is only one key step in preparing for these types of threats, Scanlon said. “Ultimately, if an organisation has mission-critical services exposed to the Internet, dedicated solutions and practices should be implemented to defend against the ever-evolving threat of DDoS attacks,” he added.

DDoS amplification attacks typically involve the attacker spoofing the target’s network address location. The responding DNS or NTP servers, in turn, are tricked into sending response traffic back to the legitimate IP address of the target. Dobbins suggests that anti-spoofing technologies such as unicast reverse-path forward (uRPF), Cable IP Source Verify, DHCP Snooping and even simple anti-spoofing access-control lists (ACLs) be deployed.

Additionally, network operators should routinely scan their IP address space (and that of their customers) for insecurely configured services that can be abused by attackers, Dobbins said.
“But anti-spoofing is the key to making all the various flavours of reflection/amplification attacks impossible for attackers to launch in the first place,” Scanlon said.

DDoS Trends

DDoS attacks continue to mount. In the fourth quarter, DDoS attacks rose 26 percent year-over-year, according to Prolexic’s latest Global DDoS Attack Report.

“DDoS attacks are evolving from high-bandwidth volumetric attacks that bring down Web servers to highly sophisticated targeted attacks that threaten availability of critical business applications and resources,” Scanlon said. “DDoS volumetric flood attacks are still a problem for online businesses, but with the right defense in place, these attacks can be nullified.”

The trend of attackers leveraging critical services such as NTP is disturbing and should raise awareness concerning the need to reduce attackers’ ability to spoof or forge machine IP addresses, Scanlon said. “The emerging trend of using critical services such as DNS and NTP should be yet another alarm bell that further investment and work must be done to continue to remove dark corners of the Internet that allow these threats to be disruptive,” he said.

Are you a security pro? Try our quiz!

Originally published on eWeek.