Is Your Organization Running Out of Time in the Battle Against NTP Attacks?

From ISPs to enterprises, all businesses must extricate their collective heads from the sand and tackle the DDoS threat posed by large volumetric attacks. Darren Anstee explains how…

Attack methodologies are constantly evolving as attackers find new ways or re-use old methods to achieve their goals. So far this year one Distributed Denial of Service (DDoS) attack mechanism has really stood out; the use of the Network Time Protocol (NTP) to amplify the volumes of traffic attackers are capable of generating.

NTP reflection attacks exploit the NTP servers on the internet that are used to synchronize the clocks on our laptops, smartphones, tablets and other network infrastructure devices. Some NTP servers can be used to amplify the capability of an attacker. Traffic is sent from the attacker to one or more exploitable NTP servers with a spoofed source address – that of the intended victim). The NTP server responds to the command by flooding the intended victim with up to 1,000 times the amount of traffic originally sent by the attacker.

NTP attacks are a serious issue due to their high amplification ratio, the relatively large number of exploitable servers on the internet and the lack of anti-spoofing filters in many networks.  Tools have become readily available to both launch attacks and discover exploitable servers, and in fact many of the commercial DDoS services now also support this attack vector. Consequently, it is easy for an attacker to generate enough traffic to saturate the internet connectivity of most enterprises and smaller data centres.

NTP reflection attacks are by no means new, but it was not until October 2013 that they appeared on the radar of most organizations’. A number of well-publicised NTP attacks were launched against online gaming services designed to disrupt high profile professional gaming events, interfere with new product launches and exact revenge from rival players. This well publicized sequence of attacks appears to have popularised the NTP reflection attack vector – leading to possibly the most concentrated storm of large volumetric DDoS attacks ever seen, in Q1 2014.  

NTP attacks are a serious issue due to their high amplification ratio, the relatively large number of exploitable servers on the internet and the lack of anti-spoofing filters in many networksDarren Anstee, Director of Solutions Architects, Arbor Networks

To illustrate this point, Arbor’s ATLAS system, using data from 290+ service providers around the world, saw more than eight times the number of attacks over 20Gb/sec in 2013 than in 2012.  In the first quarter of 2014, ATLAS saw 1.5 times the number of attacks over 20Gb/sec seen in the whole of 2013. Some 72 events were monitored at over 100Gb/sec in the first quarter of this year, the largest of which was a 325Gb/sec attack against a destination in France. This is the largest verified attack ever seen on the internet.

Given the size and frequency of these attacks, organizations need to ensure they have adequate DDoS defenses in place. From large ISPs to enterprises, all businesses need to address the
risk posed by large volumetric DDoS attacks. If the appropriate configurations and
processes, services and solutions are put in place then organizations can effectively
protect themselves and their customers from this threat:

  • Preventing abuse – service provider organizations need to ensure that they have anti-spoofing filters deployed at the customer edge of their networks
  • Remediating NTP services – organizations should proactively scan for and remediate abusable NTP services on their networks to reduce the capability available to attackers.
  • Detecting attacks – organizations need to leverage flow telemetry to automatically detect, classify, trace-back and alert on DDoS attacks. Ideally, specific configuration should be in place to facilitate early detection and mitigation of NTP reflections attacks.
  • Mitigation capabilities – pre-configure network based mitigation techniques i.e. Flowspec, blackhole, QoS mechanisms etc., so that they are ready if needed. And deploy intelligent mitigation services and solutions.  
  • Mitigating attacks – ensure operations teams are familiar with the tools and processes needed to deal efficiently with the current crop of NTP attacks

As NTP reflection attacks continue, it has never been more important for organizations to ensure they have the right defenses in place. By configuring their security and networking infrastructure  appropriately and gaining a better understanding of the threat, organizations can deflect these attacks much more successfully.


Darren Anstee is the Director of Solutions Architects for Arbor Networks, based in the UK. Darren has over 19 years of experience in the pre-sales, consultancy and support aspects of telecom and security solutions. Currently, Darren is involved in both research and operational activities at Arbor in relation to their network threat detection, mitigation and traffic visibility solutions. Prior to joining Arbor, Darren spent eight years working in both pre- and post-sales for core routing and switching product vendors.


What’s hot on Infosecurity Magazine?