NTP Servers Patched as DDoS Fightback Begins


The IT industry appears to have responded well to warnings at the start of 2014 about the growing risk from DDoS amplification attacks, patching a large number of vulnerable servers, according to DDoS prevention firm NSFOCUS.

The US provider revealed new stats on Tuesday claiming that vulnerable NTP servers numbered around 21,000 globally in March and dropped again to 17,600 in May. This is down from a whopping 432,120 back in December 2013.
 
However, system admins still have their work cut out. The report also claimed that the number of NTP amplifiers capable of magnifying traffic by a factor greater than 700 has risen from 1,224 in December to 2,100 today.
 
“US-CERT and Network Time Protocol strongly advise system administrators to upgrade ntpd to version 4.2.7p26 or later,” NSFOCUS said.
 
“Users of earlier versions of 4.2.7p26 should either use noquery in the default restrictions to block all status queries, or use disable monitor to disable the ntpdc -c monlist command while still allowing other status queries.”
 
It was US-CERT that warned back in January of the growing threat of NTP amplification DDoS attacks making use of publicly accessible servers.
 
The pervasiveness of NTP servers around the globe is what makes them a potentially dangerous vector for such attacks if not properly protected. NTP is used by a range of connected devices to sync their clocks.
 
An attacker can fairly easily abuse an open NTP server by sending it a “monlist” query, which asks for a list of the last 600 IP addresses that connected to that server.

All they then need to do is spoof the query’s source address to that of the victim, so that the barrage of results is sent to the victim’s systems and overwhelms them.
 
The recommended upgrade to the new NTP version automatically disables the monlist functionality.
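As an added example (not code from the article or from NSFOCUS), the following Python audits an ntpd version string and an ntp.conf against the remedies quoted above: the 4.2.7p26 version threshold, `noquery` on the default restriction, or a `disable monitor` directive. The version format and sample configurations are assumptions constructed for illustration.

```python
import re

# Added example, not from the article or NSFOCUS: check an ntpd version and an
# ntp.conf for the monlist mitigations the advisory describes.
MIN_FIXED = (4, 2, 7, 26)  # 4.2.7p26, the release the advisory names as fixed

def parse_ntp_version(version):
    """'4.2.6p5' -> (4, 2, 6, 5); a version with no 'p' suffix gets p-level 0."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised ntpd version: %r" % version)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))

def version_has_fix(version):
    return parse_ntp_version(version) >= MIN_FIXED

def conf_blocks_monlist(conf_text):
    """True if every 'restrict default' line carries noquery (or ignore),
    or if 'disable monitor' is in effect; either one neutralises monlist."""
    default_lines, monitor_disabled = [], False
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # strip comments, tokenise
        if not tokens:
            continue
        if tokens[0] == "restrict":
            flags = [t for t in tokens[1:] if t not in ("-4", "-6")]
            if flags and flags[0] == "default":
                default_lines.append(set(flags[1:]))
        elif tokens[0] in ("disable", "enable") and "monitor" in tokens[1:]:
            monitor_disabled = tokens[0] == "disable"  # last directive wins
    noquery_everywhere = bool(default_lines) and all(
        f & {"noquery", "ignore"} for f in default_lines)
    return noquery_everywhere or monitor_disabled

def monlist_exposed(version, conf_text):
    """Exposed unless ntpd is patched OR the config blocks monlist queries."""
    return not (version_has_fix(version) or conf_blocks_monlist(conf_text))

# Constructed sample configs (not taken from any real host)
WEAK_CONF = """server 0.pool.ntp.org
restrict default nomodify notrap   # status queries, monlist included, still answered
"""
HARDENED_CONF = """server 0.pool.ntp.org
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
disable monitor
"""
```

Running `monlist_exposed("4.2.6p5", WEAK_CONF)` reports the host as exposed, while the same version with `HARDENED_CONF` does not.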
 
A DDoS Threat Landscape study by web security firm Incapsula released in March revealed a major shift towards NTP amplification attacks since January, with the biggest reaching 180Gbps.
