One thing that makes DDoS protection so challenging is that while we and other providers of network security work furiously to shut down one vector of attack, the hackers are working just as hard to figure out how to exploit yet another vulnerability. Through late 2013 and all of 2014, for example, we saw hackers begin to change their focus from DNS servers to NTP servers.
If DNS servers are the telephone books of the internet, NTP servers are the time-keepers. They’re what millions of computers, phones, and other devices use to sync their built-in clocks. While that sounds innocuous – and, for the most part, it is – NTP servers have some inherent vulnerabilities that act as a siren song for aspiring attackers.
Reflection
NTP servers send their responses only to the address a request appears to come from. In theory that is a huge obstacle for a DDoS attacker, because you shouldn’t be able to attack anyone but yourself. But NTP runs over UDP, which has no handshake, so a server has no way to check whether the source address on a query is genuine; it will happily answer queries that carry falsified IP addresses. In a process called reflection, spoofing makes it look as if the request is coming from the target of the attack when it’s actually coming from a third party. The server can’t tell the difference, so it sends a “response” to a host that never asked for one.
Amplification
While there are more open DNS servers than NTP servers, NTP servers have a much higher amplification factor. Amplification is simply the ability to generate a big response from a small request; it’s what lets attackers launch attacks that are much bigger than their own available bandwidth. NTP servers are the perfect environment for amplification because so many of them still support the MONLIST command, a monitoring query that returns the list of the last 600 addresses the server interacted with. In an NTP-based DDoS attack, the attacker sends a server a spoofed request for its MONLIST, and the server sends all 600 of those addresses, spread across many packets, to the target of the attack. That’s an amplification factor of around 200, meaning the response consumes roughly 200 times the bandwidth of the original request. Draw additional servers into the attack, each with its own list of 600 addresses, and you can see how the surge in traffic could easily overwhelm a network. Operators of NTP servers can close this vector themselves by disabling the monitor facility in their NTP daemon or restricting who is allowed to send such queries.
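Operators can spot this traffic on their own servers directly. The following added example (not code from the original post) decodes the NTP mode-7 header to label MONLIST requests and replies, and computes per-host response-to-request byte ratios so a server that is answering a target far more than the target ever asked stands out; the packet bytes, addresses and flow sizes are constructed samples, not captured traffic.

```python
import struct
from collections import defaultdict

# Mode-7 ("private") request codes that return ntpd's monitor list; the values
# are the MON_GETLIST / MON_GETLIST_1 constants from the reference ntpd.
MONLIST_CODES = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}
NTP_PORT = 123

def parse_mode7(payload):
    """Decode the 8-byte mode-7 header; return None unless the packet is mode 7."""
    if len(payload) < 8:
        return None
    flags, _auth_seq, impl, req_code, err_nitems, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if flags & 0x07 != 7:                 # low 3 bits carry the NTP mode; 7 = private
        return None
    return {"response": bool(flags & 0x80),    # R bit: this packet is a reply
            "more": bool(flags & 0x40),        # M bit: more reply packets follow
            "implementation": impl, "req_code": req_code,
            "nitems": err_nitems & 0x0FFF, "item_size": mbz_size & 0x0FFF}

def classify(payload):
    """Label a packet as a monlist request/response, or None if it is neither."""
    hdr = parse_mode7(payload)
    if hdr is None or hdr["req_code"] not in MONLIST_CODES:
        return None
    kind = "response" if hdr["response"] else "request"
    return f"monlist {kind} ({MONLIST_CODES[hdr['req_code']]})"

def reflection_ratios(flows):
    """Per remote host: bytes our NTP port sent to it / bytes it sent to us.
    A normal client sits near 1; a host we flood unasked is a reflection target."""
    sent, recv = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if sport == NTP_PORT:
            sent[dst] += nbytes
        elif dport == NTP_PORT:
            recv[src] += nbytes
    return {host: sent[host] / max(recv[host], 1) for host in sent}

# Constructed sample packets (not captured traffic).
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 4       # VN=2, mode 7, req 42
MONLIST_RESPONSE = bytes([0x97, 0x00, 0x03, 0x2A]) + struct.pack("!HH", 6, 72) + b"\x00" * (6 * 72)
CLIENT_REQUEST = bytes([0x1B]) + b"\x00" * 47                           # ordinary mode-3 time query

# Constructed flow records: (src, sport, dst, dport, bytes); 192.0.2.10 is "our" server.
FLOWS = [
    ("203.0.113.5", 40000, "192.0.2.10", 123, 48),          # normal client asks for the time ...
    ("192.0.2.10", 123, "203.0.113.5", 40000, 48),          # ... and gets a single reply
    ("198.51.100.7", 50000, "192.0.2.10", 123, 48),         # one spoofed monlist query "from" the target
    ("192.0.2.10", 123, "198.51.100.7", 50000, 100 * 440),  # 100 reply packets hit the target
]

if __name__ == "__main__":
    for name, pkt in [("request", MONLIST_REQUEST), ("response", MONLIST_RESPONSE), ("client", CLIENT_REQUEST)]:
        print(name, classify(pkt))
    for host, ratio in reflection_ratios(FLOWS).items():
        print(f"{host}: {ratio:.0f}x")
```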
The key to preventing DDoS attacks of any type is your ability to stay one step ahead of the attackers. They never stop: even before security experts shut down one vector of attack, they’re working on another. So, while you’re defending your network from one attack, you also have to predict what form the next one will take. That’s why so many businesses choose to outsource their DDoS protection; it’s a full-time job all by itself. But whether you choose to outsource your network security or manage it in-house, make sure there’s always a clear focus on what’s coming next.