The Multi-Gigabit DDoS Threat, Part 3: Turning Up The Heat With NTP Amplification

Two weeks ago and last week I explained how DDoS attacks have grown from the Smurf and Fraggle attacks into DNS Amplification attacks flooding up to 300 Gbps at a target. Learning Tree’s System and Network Security Introduction course provides useful background.

Things have gotten worse.

NTP Amplification has become the weapon of choice, making 200-400 Gbps DDoS attacks the new normal as Krebs on Security put it.

NTP (Network Time Protocol) includes an odd monlist command. A small NTP packet to an NTP server asks it to report the 600 most recent hosts that have asked it for the current time. I’m sure that can be of some use in debugging an NTP implementation. Otherwise I can’t imagine any legitimate use. But there certainly is an illegitimate use…

First, scan through blocks of IP addresses on high-speed networks sending monlist commands to UDP port 123, where NTP listens. If you get any response back, put that host in the list of helpfully misconfigured NTP servers.

Then apply the same multi-level attack architecture I described for DNS amplification. The attacker’s machine controls a large botnet of “trigger hosts”, each of them sending streams of NTP packets purportedly asking those open NTP servers to send their monlist output toward the target.

I say “toward” and not “to” because there’s a good chance the packets will never make it there. Some network bottleneck, probably the link between the target’s border router and their ISP, will be completely saturated. The amplification ratio is even greater here, 206× instead of 60×.

The attack wouldn’t need that two-level architecture to be devastating. CloudFlare explains that an attacker with a 1 Gbps connection on a network allowing IP source address spoofing could generate over 200 Gbps of DDoS traffic. They compare two amplification DDoS attacks they have seen:

DNS Amplification using 30,956 open DNS resolvers yielding 300 Gbps

NTP Amplification using 4,529 NTP servers yielding 400 Gbps

More recently, CloudFlare wrote about NTP-based DDoS attacks and then got further into the details of a 400 Gbps attack.

Attacks will continue to evolve. We expect SNMP Amplification to dominate next. All it takes is a number of poorly configured devices, reachable from the Internet while running SNMPv2c with a default community string (that is, password) of public. Prolexic reports seeing 14 SNMP Amplification DDoS attacks between early April and mid May, 2014. The attacks issue GetBulk commands, so requests of 40 bytes trigger over 68,000 bytes in response, an amplification factor above 1700×.
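As an added example (not code from the original post), here is the amplification arithmetic above alongside a defender-side check: a Python sketch that computes the bandwidth amplification factor from request and response sizes, and flags hosts that receive large packets from several reflectors on the UDP ports the post names (53, 123, 161) in flow records. The flow records, addresses and thresholds are constructed for illustration.

```python
"""Spot reflected amplification traffic in flow records (constructed example)."""
from collections import defaultdict

# UDP services the post describes being abused as reflectors.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, packets, bytes).
# Reflected replies arrive *from* the service port toward the victim.
FLOWS = [
    ("198.51.100.10", 123, "203.0.113.5", 40000, 2000, 960000),  # monlist replies
    ("198.51.100.11", 123, "203.0.113.5", 40001, 1800, 864000),  # monlist replies
    ("192.0.2.7", 161, "203.0.113.5", 40002, 500, 700000),       # GetBulk replies
    ("192.0.2.8", 161, "203.0.113.5", 40002, 400, 560000),       # GetBulk replies
    ("198.51.100.12", 123, "198.51.100.20", 123, 10, 900),       # normal NTP sync
    ("192.0.2.9", 53, "203.0.113.8", 40003, 5, 800),             # normal DNS
]


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: response bytes per request byte."""
    return response_bytes / request_bytes


def flag_reflection_victims(flows, min_avg_packet=300, min_reflectors=2):
    """Group traffic arriving from reflector ports by destination and service.

    A host receiving large average packets from several distinct reflectors of
    the same service looks like the victim of a reflection attack; a single
    small-packet exchange (normal NTP sync, normal DNS) does not trip this.
    Returns sorted (victim_ip, service, reflector_count, avg_packet_bytes).
    """
    by_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "pkts": 0})
    for src, sport, dst, _dport, pkts, nbytes in flows:
        if sport not in REFLECTOR_PORTS or pkts == 0:
            continue
        entry = by_victim[(dst, REFLECTOR_PORTS[sport])]
        entry["reflectors"].add(src)
        entry["bytes"] += nbytes
        entry["pkts"] += pkts
    alerts = []
    for (dst, service), e in by_victim.items():
        avg = e["bytes"] / e["pkts"]
        if avg >= min_avg_packet and len(e["reflectors"]) >= min_reflectors:
            alerts.append((dst, service, len(e["reflectors"]), round(avg)))
    return sorted(alerts)
```

Feed it exported NetFlow or firewall flow summaries and the two thresholds become the knobs to tune against your own baseline.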

What should you do?

For your intended public-facing NTP servers, make certain that monlist is disabled. Use the NTP scanner to scan all your public IP blocks, even if you don’t think you’re running any NTP servers. Surprising systems including embedded supervisory control systems have shipped with NTP servers supporting monlist enabled by default and poorly documented.

For your public-facing SNMP devices, change their authentication and run SNMPv3 if possible. Don’t pass SNMP through your border routers.

Going back to last week’s topic, make sure your DNS servers are not open resolvers.

Then come back next week and I’ll tell you about some cloud technology that can help to mitigate problems caused by other organizations’ vulnerabilities.

Bob Cromwell
