NTP Reflection and DDoS

Let’s say a company runs a promotion for a free can of soup. And let’s say that 1000 of your friends decide to send the soup company your address instead of theirs. You would likely get 1000 cans of soup! Now consider that 10,000 people decided to use your address for their free soup… Unless the soup company was clever and noticed it was sending you a lot of soup, you’d get enough soup to fill your living room, and then some. (With any luck a local homeless shelter would be a big winner.)

On the Internet, bad guys can do something similar. Some services take a small query and return a large result. Consider the lowly URL: a few characters can get your browser to show you a screen full of pictures, far more data than the couple dozen characters in the URL itself. That web page is delivered to you over a connection using TCP (the Transmission Control Protocol, the TCP in TCP/IP). But some other Internet services use UDP, the User Datagram Protocol. While TCP uses a connection similar to a phone call, UDP uses a service that acts sort of like postcards – you fill out a packet and send it to the destination. Maybe it gets there, maybe it doesn’t; maybe the other end responds, maybe not.

DNS (the Domain Name Service) uses UDP for its “what is the IP address for www.google.com” kind of queries. NTP, the Network Time Protocol, uses it, too. NTP is used to synchronize clocks around the world so everything has appropriate timestamps. Mail and file transfer applications need this, for example. Well (and now we are finally getting to the nitty-gritty of the issue), NTP has some features that reply with a lot of information for a small query.

If someone on the Internet sends a UDP query to a server, he or she can put bogus information into that query. Specifically, she can say “this query came from Bill”. Like the soup promotion, if she and her friends sent out ten thousand queries “from Bill” and asked for a lot of information, Bill would get all that information. It turns out that people have done that and sent gigabytes of information to their targets, shutting down their Internet connections in what’s called a Distributed Denial of Service, or DDoS. We talk about this in Learning Tree Course 468, System and Network Security Introduction, and Computerworld gives the details of how this has been used with NTP.
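The “clever soup company” from the opening analogy is what an NTP server operator wants to be: notice when you are sending far more bytes to one address than it ever asked for. Here is an added example (not from the post or any NTP project) that runs over constructed flow records for a hypothetical server at 192.0.2.10 and flags peers whose reply volume is out of proportion to their queries; the addresses, packet sizes and thresholds are all made up for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123
SERVER_IP = "192.0.2.10"  # constructed: the NTP server we operate


@dataclass
class Flow:
    """One UDP packet as seen by the server (constructed, flow-log style)."""
    src: str
    dst: str
    sport: int
    dport: int
    size: int


def _exchange(peer, n, req_bytes, resp_bytes):
    """Build n query/reply pairs between peer and our server (sample data)."""
    flows = []
    for _ in range(n):
        flows.append(Flow(peer, SERVER_IP, 50000, NTP_PORT, req_bytes))
        flows.append(Flow(SERVER_IP, peer, NTP_PORT, 50000, resp_bytes))
    return flows


# Constructed sample: sizes are illustrative, not real NTP packet lengths.
SAMPLE_FLOWS = (
    _exchange("203.0.113.5", 5, 48, 48)        # ordinary time sync: reply as small as query
    + _exchange("203.0.113.9", 2, 48, 482)     # an admin running a verbose query twice
    + _exchange("198.51.100.7", 200, 48, 482)  # "Bill": 200 queries "from Bill", 200 big replies
)


def amplification_by_peer(flows, server_ip=SERVER_IP):
    """Return {peer: (request_bytes, response_bytes, response_count)}."""
    stats = defaultdict(lambda: [0, 0, 0])
    for f in flows:
        if f.dst == server_ip and f.dport == NTP_PORT:   # query arriving at us
            stats[f.src][0] += f.size
        elif f.src == server_ip and f.sport == NTP_PORT:  # reply we sent out
            stats[f.dst][1] += f.size
            stats[f.dst][2] += 1
    return {peer: tuple(v) for peer, v in stats.items()}


def suspected_reflection_victims(flows, server_ip=SERVER_IP, min_ratio=10.0, min_replies=100):
    """Peers getting many replies AND >= min_ratio bytes back per byte asked: likely spoofed."""
    hits = []
    for peer, (req, resp, n) in amplification_by_peer(flows, server_ip).items():
        ratio = resp / req if req else float("inf")  # no query at all is the worst case
        if n >= min_replies and ratio >= min_ratio:
            hits.append((peer, n, ratio))
    return sorted(hits)
```

A peer on that list is a candidate for per-destination rate limiting or for turning off the verbose query feature entirely; the low reply count keeps the lone admin in the sample from tripping the check.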

Fortunately, most NTP server sites are patched now and the impact of this reflection DDoS attack is minimized. But other DDoS attacks are still possible. Unfortunately, they are hard for a victim to avoid. As I mentioned, we talk more about this in 468, so I hope I see you there.

Until then,

John McDermott
