Network Time Protocol DrDoS Attacks

Friday, April 11, 2014
Black Lotus delivers award winning DDoS protection ranging from full network defense to website and server protection, 24/7/365. Learn more by visiting http://www.blacklotus.net or call (866) 477-5554.

By Jerry Whitehead III, re-posted by Jeffrey Lyon


Detailed information and data regarding one of the most popular and devastating forms of DDoS attacks

They say that records are meant to be broken, and in the case of sizing up Distributed Denial of Service (DDoS) attacks, that has never been truer than over the past few months. DDoS attacks are measured by how much data per second is directed at the target site (with the aim of overloading it and knocking it offline). In the early days of the web, attacks were measured in megabits; the first 1 Gbps attack arrived in 2000, and they have grown steadily since, culminating in the attack on Spamhaus in March 2013, which peaked at over 300 Gbps and was reportedly large enough to slow down the Internet in parts of Europe.

The Spamhaus DDoS attack reigned as king for nearly a year, before reports in early 2014 had various attacks topping the scale at 421 Gbps. How were attackers able to increase the size and severity of their DDoS attacks so much in less than a year? The answer lies in reflection-style DDoS attacks, or DrDoS (Distributed reflection Denial of Service) attacks.

Reflection attacks are particularly devastating because of the limited manpower required to launch a massive attack. As the name suggests, a single attacker directs requests at a particular type of server, which then reflects its responses to the chosen target. Depending on the size of the request versus the size of the response, the target's bandwidth can quickly be exhausted (the higher the ratio of response to request, the quicker and easier it is for attackers to carry out the attack).

One particularly dangerous form of DrDoS attack utilizes the Network Time Protocol (NTP) service.

NTP is used by millions of computers to synchronize their clocks to Coordinated Universal Time (UTC), the official time standard the world uses to regulate clocks. When a computer connects to the Internet, it synchronizes with a particular NTP server, typically by sending a small packet of data. The reply carries the correct UTC time, and the computer's date and time are set accordingly.

There is a different kind of request that can be sent to an NTP server, however, known as the “monlist” command. This query returns a detailed list of the last 600 or so computers and devices that synchronized with that particular NTP server. As you can imagine, the size of the response is MUCH bigger than the size of the request, which makes this feature ideal for attackers. They exploit it by sending forged (or “spoofed”) requests to an NTP server with the IP address of their intended target as the source. The server replies to the fake request, sending the much larger response to the target. With the tools available to today's DrDoS attackers, sending millions of these requests is a breeze, and before long the target's network is overloaded and knocked offline.

We have covered this type of attack extensively in our recent Threat Reports, which are available for download on our website. As mentioned, the amplification ratio is a key factor when attackers decide which method to use to attempt to take down a site. We have found that some of these NTP DrDoS attacks have an amplification ratio of several hundred, meaning that for every byte sent to the NTP server, it replies with several hundred bytes. Multiple sources spoofing a constant stream of NTP requests are how these attackers regularly and easily reach the 300-400 Gbps scale.
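To make the request/response asymmetry described above concrete, here is an added example (not code from the original post or from Black Lotus) that decodes the NTP mode 7 header that ntpdc uses, flags monlist packets so an edge filter or IDS can recognise them in either direction, and computes the amplification ratio from constructed sample packets. The header layout and request codes come from ntpd's ntp_request.h; the packet sizes, entry counts and the three-packet reply are assumptions made for the sample.

```python
import struct
from typing import List, Optional

# Header constants from ntpd's ntp_request.h (the mode 7 "private" protocol that ntpdc speaks)
MODE_PRIVATE = 7     # mode field value for mode 7 packets
IMPL_XNTPD = 3       # implementation number of the reference ntpd
MON_GETLIST = 20     # original monlist request code
MON_GETLIST_1 = 42   # monlist request code that current ntpdc sends
MONLIST_CODES = {MON_GETLIST, MON_GETLIST_1}


def parse_mode7(pkt: bytes) -> Optional[dict]:
    """Decode the 8-byte mode 7 header; return None if this is not a mode 7 packet."""
    if len(pkt) < 8:
        return None
    rm_vn_mode, _seq, impl, req_code, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", pkt[:8])
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(rm_vn_mode & 0x80),   # R bit: set on replies
        "more": bool(rm_vn_mode & 0x40),       # M bit: further reply packets follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "impl": impl,
        "req_code": req_code,
        "error": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,         # monitor entries carried in this packet
        "item_size": mbz_itemsize & 0x0FFF,    # bytes per entry
    }


def is_monlist(pkt: bytes) -> bool:
    """True for a monlist request or reply: the packets an edge ACL or IDS rule should flag."""
    hdr = parse_mode7(pkt)
    return hdr is not None and hdr["impl"] == IMPL_XNTPD and hdr["req_code"] in MONLIST_CODES


def amplification_ratio(request: bytes, replies: List[bytes]) -> float:
    """Bytes sent back per byte of request: the ratio the post calls amplification."""
    return sum(len(r) for r in replies) / len(request)


# Constructed sample packets (not captured from a real server): one monlist request and the
# three-packet reply assumed for a server with 18 recent clients, 6 entries of 72 bytes each.
MONLIST_REQUEST = bytes([0x17, 0x00, IMPL_XNTPD, MON_GETLIST_1, 0, 0, 0, 0])  # VN=2, mode=7

def _reply(more: bool, nitems: int = 6, item_size: int = 72) -> bytes:
    first = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE  # R, M, VN=2, mode=7
    hdr = struct.pack("!BBBBHH", first, 0, IMPL_XNTPD, MON_GETLIST_1, nitems, item_size)
    return hdr + b"\x00" * (nitems * item_size)  # entry bodies zeroed; only sizes matter here

MONLIST_REPLIES = [_reply(True), _reply(True), _reply(False)]
```

With these constructed packets an 8-byte request draws three 440-byte replies, a ratio of 165; a server with the full 600-entry table answers with far more packets, which is where the "several hundred" figure comes from.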

We found that at one point there were over 400,000 NTP servers worldwide vulnerable to this “monlist” abuse. Once the technique had spread through DDoS circles in early 2014, it was open season. Black Lotus reported an alarming 87% increase in the frequency of attacks during January 2014, due in large part to the proliferation of NTP attacks. NTP attacks were also by far the most common type of attack during January, constituting approximately 40% (4,877 of 12,108) of severe attacks.

NTP DrDoS attacks are also responsible for the largest DDoS attacks on record. On February 9 and 10, 2014, we observed NTP attacks abusing the “monlist” query that peaked at 421 gigabytes per second, which is believed to still be the highest of all time.

What can you do to protect your website or network from these attacks? Black Lotus recommends the following steps to improve your own network's security and the overall safety and stability of the web.

- Make sure your NTP server is running version NTP-4.2.7p26 or later; anything older (that has not been patched) is likely participating in these DrDoS attacks. To find out which version your server is running, go to http://www.openntpproject.org/ and enter your IP address (or range of addresses).

- If you find any out-of-date NTP daemons on your network, upgrade them immediately to the most current versions.

- Implement BCP38 on your network, which guards against spoofed IPs by making sure that any request entering your network, be it an NTP “monlist” query or otherwise, carries a genuine source address.

- Implement access control lists, or a similar policy, to block NTP traffic at your network's edge, which effectively requires customers to use a specific, company-provided NTP daemon for time synchronization.