Feb 12, 2014

Why are network time protocol amplification attacks more disruptive than other DDoS attacks?

Earlier this week, there was a DDoS attack on a Cloudflare customer that reached 400 gigabits per second and actually slowed network traffic across Europe. Apparently, it was a network time protocol amplification attack. What makes this type of attack so much more disruptive than other types of DDoS attacks?

US-CERT Warns of NTP Amplification Attacks

"US-CERT has issued an advisory that warns enterprises about distributed denial of service attacks flooding networks with massive amounts of UDP traffic using publicly available network time protocol (NTP) servers.

Known as NTP amplification attacks, hackers are exploiting something known as the monlist feature in NTP servers, also known as MON_GETLIST, which returns the IP address of the last 600 machines interacting with an NTP server. Monlist is a classic set-and-forget feature and is used generally to sync clocks between servers and computers. The protocol is vulnerable to hackers making forged REQ_MON_GETLIST requests enabling traffic amplification."

There is an article here on IT World about this attack that you might like to check out.


Here is a description of these types of attacks from US-CERT that you also might find useful:

"Recently, certain UDP protocols have been found to have particular responses to certain commands that are much larger than the initial request. Where before, attackers were limited linearly by the number of packets directly sent to the target to conduct a DoS attack, now a single packet can generate tens or hundreds of times the bandwidth in its response. This is called an amplification attack, and when combined with a reflective DoS attack on a large scale it makes it relatively easy to conduct DDoS attacks."
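Both answers above describe the same two-sided picture: an open NTP server answers a small forged monlist request with a response many times larger, and the reply lands on a victim that never asked for it. The following is an added example (not part of either answer, and not code from US-CERT or Cloudflare) showing how a defender would spot both sides in NetFlow-style records. The flow records, addresses and byte counts are constructed for the demonstration; the thresholds (`min_ratio`, `min_bytes`, `min_sources`) are illustrative starting points, not values from the page.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional NetFlow-style record (constructed format for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int


# Constructed sample records. 192.0.2.10 is "our" NTP server, 192.0.2.50 another
# local host, 203.0.113.x are external addresses, 198.51.100.x are legitimate peers.
SAMPLE_FLOWS = [
    # A normal client exchange: one small request, one small reply.
    Flow("198.51.100.7", 40000, "192.0.2.10", 123, "udp", 1, 76),
    Flow("192.0.2.10", 123, "198.51.100.7", 40000, "udp", 1, 76),
    # Forged monlist requests carrying the victim's address as source: 50 small
    # requests in, thousands of large monlist reply packets out to the victim.
    Flow("203.0.113.5", 123, "192.0.2.10", 123, "udp", 50, 2_500),
    Flow("192.0.2.10", 123, "203.0.113.5", 123, "udp", 5_000, 2_410_000),
    # 192.0.2.50 legitimately syncs its own clock with an upstream server.
    Flow("192.0.2.50", 50000, "198.51.100.1", 123, "udp", 1, 76),
    Flow("198.51.100.1", 123, "192.0.2.50", 50000, "udp", 1, 76),
    # 192.0.2.50 is the victim of reflection: replies from six NTP servers it never queried.
    *[Flow(f"203.0.113.{n}", 123, "192.0.2.50", 80, "udp", 800, 385_600) for n in range(20, 26)],
]


def amplification_report(flows, ntp_servers, min_ratio=10.0, min_bytes=100_000):
    """Flag (server, peer) pairs where our NTP server sends far more than it receives.

    A legitimate client gets roughly as many bytes back as it sent; a forged monlist
    request produces a reply tens or hundreds of times larger, so the outbound/inbound
    byte ratio is the signature that our server is being used as a reflector.
    """
    bytes_in, bytes_out, pkts_out = defaultdict(int), defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst in ntp_servers and f.dport == 123:
            bytes_in[(f.dst, f.src)] += f.octets
        elif f.src in ntp_servers and f.sport == 123:
            bytes_out[(f.src, f.dst)] += f.octets
            pkts_out[(f.src, f.dst)] += f.packets
    findings = []
    for key, out_b in bytes_out.items():
        in_b = bytes_in.get(key, 0)
        ratio = out_b / in_b if in_b else float("inf")
        if out_b >= min_bytes and ratio >= min_ratio:
            findings.append({"server": key[0], "peer": key[1], "bytes_in": in_b,
                             "bytes_out": out_b, "packets_out": pkts_out[key], "ratio": ratio})
    return sorted(findings, key=lambda r: r["bytes_out"], reverse=True)


def reflection_victims(flows, local_hosts, min_sources=5, min_bytes=1_000_000):
    """Flag local hosts receiving heavy UDP traffic from source port 123 they never requested.

    Replies from NTP servers we did send a request to are excluded, so ordinary clock
    synchronisation does not trigger the check.
    """
    requested = {(f.src, f.dst) for f in flows
                 if f.proto == "udp" and f.src in local_hosts and f.dport == 123}
    inbound = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for f in flows:
        if f.proto != "udp" or f.dst not in local_hosts or f.sport != 123:
            continue
        if (f.dst, f.src) in requested:
            continue
        inbound[f.dst]["sources"].add(f.src)
        inbound[f.dst]["bytes"] += f.octets
    return [{"host": h, "sources": len(v["sources"]), "bytes": v["bytes"]}
            for h, v in inbound.items()
            if len(v["sources"]) >= min_sources and v["bytes"] >= min_bytes]


if __name__ == "__main__":
    for r in amplification_report(SAMPLE_FLOWS, {"192.0.2.10"}):
        print(f"reflector abuse: {r['server']} -> {r['peer']} ratio={r['ratio']:.0f}x "
              f"({r['packets_out']} pkts, {r['bytes_out']} bytes out)")
    for v in reflection_victims(SAMPLE_FLOWS, {"192.0.2.10", "192.0.2.50"}):
        print(f"reflection victim: {v['host']} from {v['sources']} NTP sources, {v['bytes']} bytes")
```

The first check answers "is my server part of the problem?", the second "am I the target?". For the reflector side, the fix is on the server rather than in the monitoring: in ntpd, `disable monitor` in `ntp.conf` switches off the monlist feature, and a `restrict default ... noquery` line refuses mode 6/7 queries from arbitrary hosts; newer ntpd releases ship with monlist disabled by default. For the victim side, flows from source port 123 that the host never requested can be dropped upstream, since a host that only runs an NTP client expects replies solely from the servers it configured.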
