According to the advisory, the technique leverages NTP servers to overwhelm a victim system with UDP traffic. As Cloudflare researcher John Graham-Cumming explained, NTP is used by machines connected to the internet to set their clocks accurately. For example, the clock configuration on a Mac computer is actually the address of an NTP server run by Apple. NTP is widespread, used not just by desktops but by all manner of connected devices to sync their clocks.
NTP servers also support a monitoring service that allows administrators to query the server for traffic counts of connected clients. The query is issued with the “monlist” command, and its exposure is tracked as a vulnerability (CVE-2013-5211). The monlist feature of NTP is enabled by default on older NTP-capable devices.
The basic attack vector consists of an attacker sending a "get monlist" request to a vulnerable NTP server. The command causes a list of the last 600 IP addresses that connected to the NTP server to be returned. In an NTP amplification attack, the source address is spoofed to be that of an unwitting victim, who then receives the list. Because each small request yields a large response, a handful of queries can generate enough traffic to overwhelm the victim’s resources.
“Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim,” US-CERT explained. “Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks.”
Because of the pervasiveness of NTP, it’s a relatively simple attack to carry out.
“An attacker, armed with a list of open NTP servers on the Internet, can easily pull off a DDoS attack using NTP,” said Graham-Cumming. “And NTP servers aren't hard to find. Common tools like Metasploit and NMAP have had modules capable of identifying NTP servers that support monlist for a long time. There's also the Open NTP Project, which aims to highlight open NTP servers and get them patched.”
The solution, US-CERT said, is simply to disable the monlist functionality within the NTP server, or to upgrade to the latest version of NTP (4.2.7), which does not automatically enable it.
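As an added example (not from the advisory or the article), the following Python check reads an ntp.conf and reports whether monlist is still reachable from arbitrary hosts, applying the mitigation described above: either `disable monitor` or a `noquery` flag on the default restriction closes it. The two sample configurations are constructed for the demonstration, and the checker assumes the last matching line wins.

```python
"""Audit an ntp.conf for monlist exposure (CVE-2013-5211 mitigation check)."""

# Constructed sample configs: the first leaves monlist reachable from anywhere,
# the second applies the mitigations that close it.
WEAK_CONF = """
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

HARDENED_CONF = """
server 0.pool.ntp.org iburst
# 'disable monitor' turns off the monlist facility; 'noquery' on the default
# restriction refuses ntpq/ntpdc (mode 6/7) queries from all other hosts.
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""


def monlist_exposed(conf_text: str) -> bool:
    """Return True if this ntp.conf still answers monlist from arbitrary hosts.

    Either setting alone closes the hole: 'disable monitor', or a
    'restrict default' line carrying 'noquery'.  IPv4 and IPv6 default
    restrictions are tracked separately; a bare 'default' covers both, and
    either family left without 'noquery' counts as exposed.  This checker
    assumes (its own simplification) that a later line overrides an earlier
    one for the same directive.
    """
    monitor_enabled = True                      # ntpd default on affected builds
    default_noquery = {"-4": False, "-6": False}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] in ("enable", "disable") and "monitor" in words[1:]:
            monitor_enabled = words[0] == "enable"
        elif words[0] == "restrict":
            families, args = ["-4", "-6"], words[1:]
            if args and args[0] in families:    # explicit -4 / -6 scoping
                families, args = [args[0]], args[1:]
            if args and args[0] == "default":
                for fam in families:
                    default_noquery[fam] = "noquery" in args[1:]
    if not monitor_enabled:
        return False
    return not all(default_noquery.values())
```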