NTP Amplification Threat Advisory



How to stop NTP amplification DDoS attacks Quick takeaways in 10 slides

Transcript of NTP Amplification Threat Advisory

Page 1: NTP Amplification Threat Advisory

www.prolexic.com

NTP-AMP: DDoS Amplification Tactics

Highlights from a Prolexic DDoS Threat Advisory

Page 2: NTP Amplification Threat Advisory


What is DDoS amplification?

• Amplification makes a DDoS attack stronger
• An attacker sends a small message to a third-party server, pretending to be the target
• The server responds with a much larger message to the target
• Repeated requests result in a denial of service attack
  – The flood of unwanted traffic keeps the target site too busy, causing it to crash or respond too slowly to users

Page 3: NTP Amplification Threat Advisory


Why NTP amplification?

• Network Time Protocol (NTP) is a common Internet protocol
• Servers use NTP to synchronize computer clocks
• Some versions of NTP are vulnerable to use in DDoS amplification attacks
• Attackers create lists of vulnerable servers
• A DDoS attack tool called NTP-AMP uses NTP and amplification lists to create massive denial of service attacks

Page 4: NTP Amplification Threat Advisory


NTP attacks: an emerging DDoS trend

Percent Increase in NTP Amplification Attacks, February 2014 vs January 2014 (bar chart):
• Number of Attacks: 371%
• Ave. Peak Bandwidth: 217%
• Ave. Peak Packets Per Second (pps): 807%

Page 5: NTP Amplification Threat Advisory


Many industries have been targeted

• Finance
• Gaming
• e-Commerce
• Internet
• Media
• Education
• Software-as-a-service (SaaS)
• Security

Page 6: NTP Amplification Threat Advisory


How NTP-AMP works

• monlist: IP addresses and statistics for the last 600 clients that have asked an NTP server for the time
• The NTP-AMP tool asks an NTP server for its monlist, while pretending to be the target.
• The NTP server sends its monlist to the target.
• The monlist is big!
  – In a worst-case situation, a single 60-byte request packet could generate a 22,000-byte response
• The attacker may use many NTP servers, but with this much amplification, fewer are needed

Page 7: NTP Amplification Threat Advisory


Don’t be a part of an attack: Configure your NTP servers properly

• Got an NTP server? Run a monlist query against it.
• If you get a response like the one shown on the slide (a list of recent clients and their statistics), it is imperative that you change the server configuration to disable this type of response.
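The slide says to change the server configuration but not which settings to look at. The following is an added example, not part of the Prolexic advisory: a small audit of an ntp.conf (reference ntpd syntax) that reports whether the file still allows monlist answers. It assumes the two standard ntpd hardening directives, `disable monitor` (turns off the client monitoring table that monlist reads) and `restrict default ... noquery` (refuses mode 6/7 queries, which is what a monlist request is); the two sample configs are constructed.

```python
"""Audit an ntp.conf for the settings that leave monlist exposed (ntpd syntax).

Added example, not from the advisory.  Assumed hardening directives:
  - 'disable monitor'                 : no client table, so nothing for monlist to return
  - 'restrict default ... noquery'    : ntpd refuses ntpq/ntpdc queries, monlist included
    ('ignore' is stricter and also counts)
"""

# Constructed sample: permissive config that answers monlist to anyone on the Internet
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict 127.0.0.1
"""

# Constructed sample: the same server with both hardening measures applied
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
disable monitor                                        # no monlist data at all
restrict default kod nomodify notrap nopeer noquery    # refuse mode 6/7 queries (IPv4)
restrict -6 default kod nomodify notrap nopeer noquery # same for IPv6
restrict 127.0.0.1
restrict ::1
"""


def _tokens(line):
    """Split one config line into tokens, dropping a trailing '#' comment."""
    return line.split("#", 1)[0].split()


def audit_ntp_conf(text):
    """Return a dict saying whether the config still exposes monlist and why."""
    monitor_disabled = False
    default_restrictions = []   # flag lists of every 'restrict [-4|-6] default ...' line
    for raw in text.splitlines():
        tok = _tokens(raw)
        if not tok:
            continue
        if tok[0] == "disable" and "monitor" in tok[1:]:
            monitor_disabled = True
        elif tok[0] == "restrict":
            body = tok[1:]
            if body and body[0] in ("-4", "-6"):   # optional address-family selector
                body = body[1:]
            if body and body[0] == "default":
                default_restrictions.append(body[1:])
    # Queries are refused only if every default restriction says so; with no
    # 'restrict default' line at all, ntpd answers queries from any address.
    queries_blocked = bool(default_restrictions) and all(
        "noquery" in flags or "ignore" in flags for flags in default_restrictions
    )
    exposed = not (monitor_disabled or queries_blocked)
    recommendations = []
    if not monitor_disabled:
        recommendations.append("add 'disable monitor'")
    if not queries_blocked:
        recommendations.append("add 'restrict default ... noquery' (and the -6 form)")
    return {
        "monitor_disabled": monitor_disabled,
        "queries_blocked": queries_blocked,
        "monlist_exposed": exposed,
        "recommendations": recommendations if exposed else [],
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_ntp_conf(conf)
        print(f"{name}: monlist_exposed={result['monlist_exposed']} {result['recommendations']}")
```

Either directive on its own closes the monlist response; the audit only reports a configuration as safe when at least one of them is in place, and it treats a `restrict default` line that lacks `noquery` for one address family as still exposed, since ntpd evaluates IPv4 and IPv6 defaults separately. Upgrading to an ntpd release that no longer implements monlist is the other fix, which a config audit cannot see.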

Page 8: NTP Amplification Threat Advisory


If you are a target of an NTP attack

• NTP-AMP is in active use in DDoS attack campaigns
• Prolexic stops NTP-AMP attacks
• The NTP-AMP Threat Advisory by the Prolexic Security Engineering and Response Team (PLXsert) explains how to mitigate NTP-AMP DDoS attacks
  – Target mitigation using ACL entries
  – NTP-AMP IDS Snort rule against victim NTP server
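The slides on how NTP-AMP works (page 6) and on target-side mitigation (page 8) describe two places where this traffic can be recognised: the spoofed monlist request arriving at an NTP server, and the large monlist replies arriving at the victim. The following is an added example, not the advisory's Snort rule or ACL entries: it parses the NTP mode 7 (private) header that monlist uses, then classifies constructed packet records so that a defender can see who is querying a protected NTP server and which reflectors are sending monlist replies toward a protected host (the source list an ACL would be built from). The header layout and request codes follow the public ntpd private-mode format; the 72-byte entry size, the IP addresses and the packets themselves are constructed for the example.

```python
"""Recognise NTP mode 7 monlist requests and the amplified replies they produce.

Added example, not the advisory's Snort rule.  Header layout assumed from the
public ntpd private-mode format (ntp_request.h):
  byte 0    : R(1) M(1) VN(3) Mode(3)    R = response bit, M = more packets follow
  byte 1    : A(1) Seq(7)
  byte 2    : implementation             byte 3 : request code
  bytes 4-5 : Err(4) NItems(12)          bytes 6-7 : MBZ(4) Size(12)
"""
import struct
from collections import defaultdict

MODE_PRIVATE = 7
MONLIST_CODES = {20, 42}      # MON_GETLIST and MON_GETLIST_1 request codes
ENTRY_SIZE = 72               # assumed bytes per client entry in a monlist reply


def parse_private_header(payload):
    """Return the mode 7 header fields, or None if this is not a mode 7 packet."""
    if len(payload) < 8:
        return None
    b0, b1, impl, reqcode, err_nitems, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:        # ordinary client/server NTP is mode 3/4
        return None
    return {
        "response": bool(b0 & 0x80),
        "more": bool(b0 & 0x40),
        "version": (b0 >> 3) & 0x07,
        "sequence": b1 & 0x7F,
        "implementation": impl,
        "request_code": reqcode,
        "error": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "item_size": mbz_size & 0x0FFF,
    }


def classify_ntp_traffic(packets, protected_hosts):
    """Summarise monlist activity seen in (src, sport, dst, dport, payload) records.

    Two views come out: monlist *requests* hitting a protected NTP server (what
    the advisory's server-side IDS rule watches for) and monlist *responses*
    landing on a protected host, totalled per host with the reflectors that
    sent them (what a target-side ACL would block).
    """
    response_bytes = defaultdict(int)
    reflectors = defaultdict(set)
    request_sources = defaultdict(set)
    for src, sport, dst, dport, payload in packets:
        hdr = parse_private_header(payload)
        if hdr is None or hdr["request_code"] not in MONLIST_CODES:
            continue
        if hdr["response"] and sport == 123 and dst in protected_hosts:
            response_bytes[dst] += len(payload)
            reflectors[dst].add(src)
        elif not hdr["response"] and dport == 123 and dst in protected_hosts:
            request_sources[dst].add(src)
    return {
        "response_bytes": dict(response_bytes),
        "reflectors": {k: sorted(v) for k, v in reflectors.items()},
        "request_sources": {k: sorted(v) for k, v in request_sources.items()},
    }


def _private_packet(response, reqcode, nitems=0, item_size=0, more=False):
    """Build a constructed mode 7 packet: header plus zero-filled data items."""
    b0 = (0x80 if response else 0) | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    hdr = struct.pack("!BBBBHH", b0, 0, 3, reqcode, nitems & 0x0FFF, item_size & 0x0FFF)
    return hdr + bytes(nitems * item_size)


# Constructed sample traffic using documentation address ranges
TARGET = "203.0.113.10"       # host under attack
OUR_NTP = "198.51.100.5"      # NTP server we operate
SAMPLE_PACKETS = [
    # someone asks our NTP server for its monlist
    ("192.0.2.200", 44444, OUR_NTP, 123, _private_packet(False, 42)),
    # two third-party servers deliver monlist replies (6 entries each) to the target
    ("192.0.2.20", 123, TARGET, 51111, _private_packet(True, 42, 6, ENTRY_SIZE, more=True)),
    ("192.0.2.21", 123, TARGET, 51111, _private_packet(True, 42, 6, ENTRY_SIZE)),
    # ordinary mode 3 time request, ignored by the classifier
    ("192.0.2.30", 40000, OUR_NTP, 123, bytes([0x1B]) + bytes(47)),
    # mode 7 reply for a different request code, also ignored
    ("192.0.2.21", 123, TARGET, 51111, _private_packet(True, 1, 1, 16)),
]


def report(packets=SAMPLE_PACKETS):
    """Classify the constructed sample and return the summary."""
    return classify_ntp_traffic(packets, {TARGET, OUR_NTP})


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the constructed sample each reply is 440 bytes (an 8-byte header plus six 72-byte entries), so the target receives 880 bytes from two reflectors; at the slide's worst case of 22,000 bytes for a 60-byte request the same bookkeeping shows why a short reflector list is enough for the attacker, and why blocking UDP source port 123 from the listed reflectors at the target's edge is the ACL the advisory refers to. Note that the victim never sees the request, so the reflector list, not the spoofed source, is what target-side mitigation has to work with.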

Page 9: NTP Amplification Threat Advisory


Threat Advisory: NTP-AMP DDoS toolkit

• Download the threat advisory, NTP-AMP: Amplification Tactics and Analysis
• This DDoS threat advisory includes:
  – Indicators of the use of the NTP-AMP toolkit
  – Analysis of the source code
  – Use of monlist as the payload
  – The Snort rule and target mitigation using ACL entries for attack targets
  – Mitigation instructions for vulnerable NTP servers
  – Statistics and payloads from two observed NTP amplification DDoS attack campaigns

Page 10: NTP Amplification Threat Advisory


About Prolexic (now part of Akamai)

• Prolexic Technologies is the world’s largest and most trusted provider of DDoS protection and mitigation services

• Prolexic has successfully stopped DDoS attacks for more than a decade

• Our global DDoS mitigation network and 24/7 security operations center (SOC) can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers