The initial months of 2014 saw a dramatic increase in the number of NTP-based distributed denial-of-service (DDoS) attacks, according to multiple DDoS mitigation vendors. But one report cautions that SYN floods are still more likely to cause enterprises damage.
The 2013-2014 DDoS Threat Landscape Report, issued last week by cloud-based DDoS mitigation service provider Incapsula Inc., indicated that as recently as December 2013, there were fewer than half as many NTP-based DDoS attacks as large SYN floods.
However, that gap may be closing. Websites protected by Incapsula experienced a barrage of NTP-based DDoS attacks in February, overtaking large SYN floods during that period. The company even expanded the scope of its report to take note of the trend. All told, NTP-based attacks made up almost 15% of the network-focused DDoS attacks the company saw against its clients.
Incapsula is not the only DDoS mitigation provider to notice this recent spike in NTP amplification activity. Fort Lauderdale, Fla.-based Prolexic, now owned by Akamai Technologies Inc., saw such attacks against its clients surge 371% in the month of February alone.
The Network Time Protocol (NTP) -- an Internet standard that is used to synchronize time across networks of computers -- has become an attractive target for attackers because it can be used to amplify DDoS attacks. Client systems ping NTP servers to initiate a time request exchange, with the synchronization typically happening every 10 minutes.
The packets that are sent back from NTP servers to clients can be hundreds of times larger than the initial request, according to a January blog post by DDoS mitigation provider CloudFlare Inc.'s John Graham-Cumming. In comparison, DNS replies, which are typically used in amplification attacks, are limited to only eight times as much bandwidth.
NTP DDoS attacks: A fad or here to stay?
NTP is hardly a new protocol though, so why the attention now?
Igal Zeifman, product evangelist for Redwood Shores, Calif.-based Incapsula, described the use of NTP in DDoS attacks as largely "a fad" resulting from recent successful attacks -- and subsequent media attention -- that took advantage of the protocol.
The issue dates back to mid-January when US-CERT issued an advisory warning of NTP amplification attacks making use of CVE-2013-5211, which essentially allowed attackers to DDoS targets by using a forged "MON_GETLIST" request. This caused an NTP server to send the attacker a list of potential victims in the form of the last 600 IP addresses connected to the server.
A month later, in a highly publicized affair, CloudFlare fought off an NTP-based amplification DDoS attack against an unnamed client that reportedly hit peak bandwidth of just under 400 Gbps. Days after the CloudFlare incident, Burlington, Mass.-based Arbor Networks Inc. confirmed separately that it had observed an NTP amplification attack hitting peak speeds of 325 Gbps.
Despite the likelihood that more copycat attackers will take advantage of NTP, Zeifman said that enterprises using DDoS protections have no need to panic, though other organizations that don't employ a third-party provider to handle large-scale DDoS attacks should be wary of such attacks.
"High-volume NTP traffic is immediately suspicious and can almost immediately be disregarded," said Zeifman. "You don't need a sophisticated DDoS mitigation service to stop an NTP-driven flood."
Enterprises should be worried more about typical SYN floods, according to Zeifman, because SYN packets are much more common on any network. This makes it more difficult for even dedicated DDoS mitigation service providers to differentiate between malicious and legitimate traffic.
SYN flooding also remains the most widely used DDoS technique, Zeifman noted. Combined, normal and large-scale SYN floods accounted for half of all the network-based DDoS attacks in Incapsula's report, and large-scale SYN floods alone made up over half of the DDoS attacks that reached peak speeds of 20 Gbps or more.
More worryingly, the report indicates that four out of every five recent DDoS attacks used at least two techniques, Zeifman said, with the combination of normal and large-scale SYN floods making up 75% of those multi-vector DDoS attacks.
A normal SYN flood is based around an attacker sending a large number of SYN packets from forged IP addresses to a server, so the final ACK that would complete the TCP three-way handshake never arrives -- leaving the server holding half-open connections until it runs out of room for new ones.
According to Zeifman, large-scale SYN floods, on the other hand, are focused purely on clogging network pipes with overwhelming traffic. The combination of the two techniques makes perfect sense for attackers looking to cover all the bases, he said.
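The two mechanisms described above, NTP amplification (large replies arriving from UDP port 123 at a host that never asked for them) and the SYN flood (handshakes that are started but never completed), as an added example that is not from the article or from any vendor it quotes: a small Python triage over constructed flow records. It also illustrates Zeifman's contrast between the two: the NTP check is a stateless port-and-volume test, while the SYN check has to pair every SYN with its final ACK, which is why SYN floods blend into ordinary traffic. The `Flow` field names, the thresholds and the sample byte sizes are assumptions chosen for the embedded data.

```python
"""Flow-record triage for NTP amplification and SYN floods.

Added example, not from the article or from any vendor named in it. The flow
records are constructed inline; the thresholds are assumptions sized for them.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

NTP_PORT = 123


@dataclass(frozen=True)
class Flow:
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int
    flags: str = ""  # TCP flags as letters: "S" = SYN, "A" = ACK (others unused here)


def ntp_flood_candidates(flows, byte_threshold=100_000):
    """Stateless check: UDP arriving from source port 123 is server-to-client NTP.
    A real time exchange is one small reply every few minutes, so a large byte
    volume from port 123 to one host in a short window is not time sync.
    Returns {dst_ip: inbound_bytes} for hosts over the (assumed) threshold."""
    per_dst = Counter()
    for f in flows:
        if f.proto == "udp" and f.src_port == NTP_PORT:
            per_dst[f.dst_ip] += f.nbytes
    return {ip: b for ip, b in per_dst.items() if b >= byte_threshold}


def half_open_connections(flows):
    """Stateful check: pair each inbound SYN with the client's final ACK on the
    same 4-tuple. A SYN with no ACK is a half-open connection the server keeps
    until it times out. Returns {dst_ip: (half_open_count, distinct_sources)}."""
    syns, acks = set(), set()
    for f in flows:
        if f.proto != "tcp":
            continue
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        if f.flags == "S":
            syns.add(key)
        elif f.flags == "A":
            acks.add(key)
    per_dst = defaultdict(list)
    for src_ip, _sport, dst_ip, _dport in syns - acks:
        per_dst[dst_ip].append(src_ip)
    return {dst: (len(srcs), len(set(srcs))) for dst, srcs in per_dst.items()}


def triage(flows, syn_threshold=20):
    """Combine both checks into one report for the window of flows."""
    syn_report = {}
    for dst, (count, distinct) in half_open_connections(flows).items():
        if count >= syn_threshold:
            syn_report[dst] = {"half_open": count, "distinct_sources": distinct}
    return {"ntp_amplification": ntp_flood_candidates(flows), "syn_flood": syn_report}


def sample_flows():
    """Constructed traffic for one observation window (not captured data)."""
    flows = []
    # Three clients each do one normal 48-byte NTP request/reply with a local server.
    for i in range(1, 4):
        client, sport = f"10.0.0.{i}", 50000 + i
        flows.append(Flow("udp", client, sport, "192.0.2.10", NTP_PORT, 48))
        flows.append(Flow("udp", "192.0.2.10", NTP_PORT, client, sport, 48))
    # Amplification: 300 large replies from 20 abused NTP servers to a host that sent nothing.
    for n in range(300):
        flows.append(Flow("udp", f"203.0.113.{n % 20 + 1}", NTP_PORT, "10.0.0.5", 40000, 440))
    # Five legitimate TCP handshakes to the web server: SYN followed by the final ACK.
    for i in range(1, 6):
        key = (f"198.51.100.{i}", 40000 + i, "10.0.0.5", 443)
        flows.append(Flow("tcp", *key, 60, "S"))
        flows.append(Flow("tcp", *key, 52, "A"))
    # SYN flood: 40 SYNs from 40 forged sources; no ACK ever comes back.
    for i in range(40):
        flows.append(Flow("tcp", f"192.0.2.{100 + i}", 1024 + i, "10.0.0.5", 443, 60, "S"))
    return flows


if __name__ == "__main__":
    for kind, hosts in triage(sample_flows()).items():
        print(kind, hosts)
```

On the sample window the NTP check flags 10.0.0.5 from volume alone, while the SYN check reports 40 half-open connections from 40 distinct sources on the same host: a distinct-source count close to the half-open count is the forged-address pattern the article describes, since each spoofed address contributes exactly one SYN that is never acknowledged.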
"If DDoS is like breaking into a house, this technique is like trying the front door and the side windows," said Zeifman. "Attackers are hoping that one of the two is unprotected."