Many organizations have secured NTP servers against amplified DDoS attacks, a new report suggests, though thousands of vulnerable servers still exist and new data indicates that other, similar vulnerabilities may soon surface.
In a report released this week, Beijing-based distributed denial-of-service (DDoS) mitigation appliance provider NSFOCUS Information Technology Co. noted a steep decline in a popular DDoS attack technique used against Web servers.
The Network Time Protocol (NTP) is a long-established Internet standard used for synchronizing time across networks of computers. NTP servers have become a juicy target for attackers during the last six months -- it was recently discovered that client machines can issue the GET_MONLIST command, which, when received by a server, causes it to send back a list of up to 600 IP addresses of the clients that most recently pinged it.
While a single query to an NTP server can be as small as 64 bytes, the corresponding return message can be as large as 482 bytes -- meaning an NTP-based DDoS attack can be amplified by a factor of over 700. In comparison, DNS amplification, which was supposedly behind the massive DDoS attack against Spamhaus, only reaches an amplification factor of around eight.
Attackers know that math works in their favor, hence they have used NTP servers for a wave of DDoS attacks this year. Hollywood, Florida-based DDoS mitigation provider Prolexic Technologies saw such attacks against its clients surge by more than 300% in February alone, while a report from Redwood Shores, California-based vendor Incapsula Inc. showed that NTP amplification overtook large SYN floods during the same period. San Francisco-based CloudFlare Inc. also reportedly fought off an NTP amplification DDoS attack in February that peaked at nearly 400 Gbps, one of the largest DDoS attacks ever recorded.
The new NSFOCUS report, however, shows a significant decrease in the number of vulnerable servers. In a December 2013 worldwide server scan, the vendor found that more than 400,000 NTP servers allowed the GET_MONLIST command, with more than 1,200 of those servers susceptible to the largest amplification factor. After recently conducting the scan again, it found that fewer than 20,000 vulnerable servers remained.
Terence Chong, solutions architect for NSFOCUS, said the "huge drop" in vulnerable servers was likely due to the ease with which the issue could be mitigated when compared to patching the Heartbleed OpenSSL vulnerability, which Errata Security's Robert Graham recently noted is going at a snail's pace.
"All organizations need to do is upgrade or patch their server to the latest version," said Chong. "If they don't want to patch, they can go in and manually disable this GET_MONLIST feature. This is a much easier patch to do."
Despite the massive overall decline in vulnerable servers, the number of servers susceptible to the largest NTP amplification attacks nearly doubled from December to May. Chong said that statistic is probably the result of attackers finding fewer vulnerable servers as more were patched. With fewer NTP servers left to use, attackers likely flooded the remaining servers with more requests, according to Chong, which caused the amplification factor to grow for those servers as they could return larger IP address lists.
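For operators who want to check whether one of their own servers is being used this way, the following added example (not from NSFOCUS or the original article) classifies UDP/123 payloads as monlist requests or replies and computes each server's reply-to-request byte ratio. The capture is constructed from the 64-byte and 482-byte figures quoted above, treated here as payload sizes; the 100 reply packets per query are an assumption, and request codes 20 and 42 are ntpd's mode 7 monitor-list codes.

```python
import struct
from collections import defaultdict

MONLIST_CODES = {20, 42}  # REQ_MON_GETLIST, REQ_MON_GETLIST_1 in ntpd's ntp_request.h

def classify(payload: bytes):
    """Label a UDP/123 payload as a monlist request, a monlist response, or None."""
    if len(payload) < 8:                      # a mode 7 header is 8 bytes
        return None
    flags, _seq, _impl, code = struct.unpack_from("!BBBB", payload)
    if (flags & 0x07) != 7 or code not in MONLIST_CODES:
        return None                           # not a mode 7 monitor-list packet
    return "monlist_response" if flags & 0x80 else "monlist_request"

def amplification_by_server(packets, min_factor=5.0):
    """packets: (src_ip, dst_ip, payload) tuples. Returns {server_ip: factor}."""
    req, resp = defaultdict(int), defaultdict(int)
    for src, dst, payload in packets:
        kind = classify(payload)
        if kind == "monlist_request":
            req[dst] += len(payload)          # bytes the server was sent
        elif kind == "monlist_response":
            resp[src] += len(payload)         # bytes the server sent back
    return {s: resp[s] / req[s] for s in resp
            if req[s] and resp[s] / req[s] >= min_factor}

def sample_capture():
    """Constructed capture; addresses are documentation ranges, not real hosts."""
    request = bytes([0x17, 0x00, 0x03, 42]).ljust(64, b"\0")   # 64-byte query
    reply = bytes([0xD7, 0x00, 0x03, 42]).ljust(482, b"\0")    # 482-byte reply
    ntp_client = bytes([0x23]).ljust(48, b"\0")                # ordinary mode 3 query
    victim, open_srv, fixed_srv = "198.51.100.7", "192.0.2.10", "192.0.2.20"
    pkts = [(victim, open_srv, request)]      # source address is the spoofed victim
    pkts += [(open_srv, victim, reply)] * 100 # assumed: 100 reply packets per query
    pkts += [(victim, fixed_srv, request)]    # monlist disabled: no reply at all
    pkts += [("203.0.113.5", fixed_srv, ntp_client)]
    return pkts

if __name__ == "__main__":
    for server, factor in amplification_by_server(sample_capture()).items():
        print(f"{server} reflects monlist at {factor:.0f}x")
```

A server that appears in the result is answering monlist queries and should be upgraded or have the feature disabled; a patched server never shows up because it sends no monlist replies.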
While Chong was pleased that so many servers have been patched in recent months, he warned that other protocols exist on servers that may be similarly vulnerable.
For instance, NSFOCUS has been researching the Simple Network Management Protocol (SNMP), which enterprise IT teams use to monitor network devices. Chong said SNMP has a default community string, akin to a password, which many organizations simply never change.
Chong said that SNMP-based DDoS attacks do have a much lower amplification factor than NTP, but that it is just one example of how easy it is for attackers to take advantage of such protocols.
"Rather than the usual way of acquiring botnets or renting servers," which can be costly, said Chong, "attackers will keep looking for these available servers and devices to use them as attacking tools."