Prolexic/Akamai has issued a high-alert threat advisory warning of the development. It noted that with the current batch of NTP amplification attack toolkits, malicious actors could launch 100 Gbps attacks – or larger – by leveraging just a few vulnerable NTP servers. During the recent spike, average peak DDoS attack bandwidth increased 217.97%.
"During the month of February, we saw the use of NTP amplification attacks surge 371% against our client base," said Stuart Scholly, senior vice president and general manager of security at Akamai, in a statement. "In fact, the largest attacks we've seen on our network this year have all been NTP amplification attacks."
Unlike the largest attacks of the past two years, the NTP amplification attacks in this case were not focused on any particular sector. Industries targeted by NTP amplification attacks in February included finance, gaming, e-commerce, internet and telecom, media, education, software-as-a-service (SaaS) providers and security.
This attack method has surged in popularity this year, fueled by the availability of new DDoS toolkits that make it simple to generate high-bandwidth, high-volume DDoS attacks against online targets, the firm noted.
In the Prolexic Security Engineering & Response Team (PLXsert) lab environment, simulated NTP amplification attacks produced amplified responses of 300 times or more for attack bandwidth and 50 times for attack volume, making it an extremely dangerous attack method.
The technique leverages NTP servers to overwhelm a victim system with UDP traffic. NTP is used by machines connected to the internet to set their clocks accurately. For example, the clock configuration on a Mac computer is actually the address of an NTP server run by Apple. NTP is widespread, used by not just desktops but also all manner of connected devices to sync their clocks.
NTP servers also support monitoring services that allows administrators to query the server for traffic counts of connected clients. The query is done with the “monlist” command, which actually counts as a vulnerability (CVE-2013-5211). The monlist feature of NTP is enabled by default on older NTP-capable devices.
The basic attack vector consists of an attacker sending a "get monlist" request to a vulnerable NTP server. The command causes a list of the last 600 IP addresses that connected to the NTP server to be returned. In a NTP amplification attack, the source address is spoofed to be that of an unwitting victim, who then receives the list. Several queries could easily rack up enough traffic from the results to overwhelm the victim’s resources.
“Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim,” US-CERT explained in an alert it issued last year about this type of attack. “Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks.”
Even though the number of vulnerable servers is dwindling as IT administrators fix the machines in the wake of attack spikes like this one, it only takes a few systems to mount a large attack. A number of new DDoS attack toolkits have made it easier for malicious actors to launch attacks with just a handful of servers, Prolexic noted.