Dealing with distributed denial of service attacks is a fact of life for many organizations that manage complex IT infrastructure. Whether the motive is political, financial or personal, DDoS attacks have the ability to take critical assets offline for days or weeks at a time, necessitating investment in mitigation tools such as out-of-band console servers. Banks and online video gaming services are among the most frequent targets of DDoS, but organizations across all verticals should consider shoring up their defenses, now that attacks have gone to the next level in terms of scale and novelty.
DNS reflection amplification is still the most popular DDoS tactic, but attackers are increasingly exploring alternatives. Now that the number of public DNS servers has fallen (in large part to reduce DNS reflection attack surfaces), DDoS perpetrators are focusing on the Network Time Protocol, which ensures that computer clocks accurately display the time of day. A recent wave of attacks against online game "League of Legends" and various Electronic Arts properties kicked off a trend of high-profile, NTP-based campaigns.
However, the new risks of NTP exploitation fully came to the fore with a recent attack against content delivery network CloudFlare. One of the company's partners was bombarded with a DDoS attempt that peaked at around 400 Gb/s, making it the largest campaign ever, surpassing the 300 Gb/s incident targeting anti-spam organization SpamHaus last year.
Once pigeonholed as a small-time tactic, NTP-based DDoS constituted more than two-thirds of DDoS traffic through the first week of 2014. Going forward, organizations must be prepared for the prospect of high-volume DDoS that may use unconventional means. It will be key for them to understand how to respond to incidents involving NTP in particular, and to initiate new conversations about how to harden Internet infrastructure against increasingly frequent attacks.
Network Time Protocol DDoS attacks come to the fore
Traditional DNS reflection amplification involves sending packets from a forged IP address to a server that immediately responds, thinking that the request is legitimate. The returned data is much larger than the original transmission, creating an opening for perpetrators to ultimately overwhelm the victim's site with meaningless traffic.
The amplification factor for DNS reflection is 8x, meaning that with just 10 machines, each running at 1 Gb/s, attackers can hit the target with 80 Gb/s. In rare instances, the SNMP protocol has been exploited to carry out extremely amplified attacks, with a theoretical amplification factor of 650x. Still, despite the promise of such an approach on paper, DDoS instigators for now have opted for well-honed or simple tactics that require little infrastructure, as demonstrated by the rise of DDoS-as-a-service products such as DNS Flooder, which provide access to hosted resources.
Organizations should be mindful of NTP-based attacks because of how easily they can be conducted. For starters, there are thousands of accessible NTP servers around the Internet that could be enlisted for DDoS purposes. On a more technical level, NTP is a UDP-based protocol with built-in commands that sometimes send lengthy replies to short requests, which makes it ideal for exploitation. Amplification may be up to 10 times stronger than in DNS reflection, and the monlist feature in NTP can return the addresses of as many as 600 machines that recently interacted with a given NTP server.
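To make the monlist mechanism concrete from the defender's side, here is an added example (not code from the original article) that classifies packets seen on UDP/123 and estimates the amplification ratio of a request/response pair. It assumes the NTP mode 7 ("private") header layout used by ntpd's monlist feature; the request and response packets are constructed inline for the demo rather than captured from real traffic, and the 10x alert threshold is an arbitrary choice for illustration.

```python
"""Classify NTP packets seen on UDP/123 and estimate reflection amplification.

Added example, not the article's own material. Layout follows the NTP mode 7
("private") header used by ntpd's monlist feature: byte 0 packs the response
bit, more bit, version and mode; byte 1 the auth bit and sequence number;
byte 2 the implementation id; byte 3 the request code (42 = MON_GETLIST_1,
20 = the older MON_GETLIST); then a 12-bit item count and 12-bit item size.
The sample packets below are constructed for the demo, not captured traffic.
"""
from dataclasses import dataclass
from typing import List, Optional
import struct

MON_GETLIST_CODES = {20, 42}   # request codes for the monlist command


@dataclass
class NtpPrivateHeader:
    is_response: bool
    more: bool
    version: int
    mode: int
    implementation: int
    request_code: int
    item_count: int
    item_size: int


def parse_ntp_private(payload: bytes) -> Optional[NtpPrivateHeader]:
    """Return the header if payload is an NTP mode-7 packet, else None."""
    if len(payload) < 8:
        return None
    b0, b1, impl, req, count_word, size_word = struct.unpack("!BBBBHH", payload[:8])
    mode = b0 & 0x07
    if mode != 7:
        return None            # modes 1-6 are ordinary client/server/control traffic
    return NtpPrivateHeader(
        is_response=bool(b0 & 0x80),
        more=bool(b0 & 0x40),
        version=(b0 >> 3) & 0x07,
        mode=mode,
        implementation=impl,
        request_code=req,
        item_count=count_word & 0x0FFF,   # top 4 bits carry the error code
        item_size=size_word & 0x0FFF,     # top 4 bits must be zero
    )


def is_monlist(hdr: Optional[NtpPrivateHeader]) -> bool:
    return hdr is not None and hdr.request_code in MON_GETLIST_CODES


def amplification_ratio(request: bytes, responses: List[bytes]) -> float:
    """Bytes returned per byte sent: the figure that makes a reflector attractive."""
    return sum(len(r) for r in responses) / len(request)


# --- constructed sample traffic -------------------------------------------
# An 8-byte monlist request (version 2, mode 7, implementation 3 = XNTPD,
# request code 42), constructed here to exercise the parser.
SAMPLE_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])


def _fake_monlist_response(seq: int, more: bool, n_items: int = 6) -> bytes:
    """Build one response packet carrying n_items 72-byte monitor entries."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
    header = struct.pack("!BBBBHH", b0, seq, 3, 42, n_items, 72)
    return header + bytes(72 * n_items)   # zeroed entries stand in for real ones


# A server with a full monitor list answers in many "more" fragments
# (constructed: 100 fragments of 6 entries each, i.e. the 600-entry maximum).
SAMPLE_RESPONSES = [_fake_monlist_response(i, more=(i < 99)) for i in range(100)]


def classify_flow(request: bytes, responses: List[bytes], threshold: float = 10.0) -> dict:
    """Summarise a request/response pair for an analyst or a detection rule."""
    hdr = parse_ntp_private(request)
    ratio = amplification_ratio(request, responses)
    return {
        "monlist": is_monlist(hdr),
        "packets_back": len(responses),
        "amplification": round(ratio, 1),
        "alert": is_monlist(hdr) and ratio >= threshold,
    }


if __name__ == "__main__":
    print(classify_flow(SAMPLE_REQUEST, SAMPLE_RESPONSES))
```

The point the numbers make is the one the article is driving at: each 8-byte query can pull back a hundred 440-byte fragments from a server with a full monitor list, so a flow rule that keys on mode 7 packets with request code 20 or 42 and a large byte ratio will surface both abused servers on your own network and inbound reflection aimed at you.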
"At some level, stopping an attack like this requires having more resources than the attacker is able to muster," stated CloudFlare CEO Matthew Prince. "NTP attacks are definitely on the rise. Because the amplification factor per misconfigured server can be 10x as large as a typical DNS amplification attack, they pose a significant risk."
Moreover, NTP is an old protocol, first formulated in 1985. Often overlooked, it hasn't been updated to bring it in line with the current landscape, making it an ideal target for attacks. The vulnerabilities extend to NTP servers at large, with one vendor estimating that as many as 7 million of them may be open to harm.
CloudFlare, League of Legends incidents show that attacks on NTP are cause for concern
Illustrating all of these points, the campaign against CloudFlare involved just a single compromised server. It sent an average of 87 Mb/s across more than 4,500 NTP servers on almost 1,300 networks, resulting in a 400 Gb/s DDoS attack.
The incident was the high-water mark in a rising tide of NTP-based attacks since December 2013. Motivations vary, and the one for the CloudFlare campaign isn't clear. When League of Legends was disrupted by NTP DDoS, the perpetrators appeared to be trying to sabotage the reputation of a prominent individual who broadcasts his gameplay on the streaming site Twitch.
These types of high-volume incidents are becoming commonplace. Security blogger Brian Krebs has continually fought off attacks directed at his site, and these campaigns have reached 200 Gb/s – once a remarkable figure, but now par for the course in the realm of DDoS.
What can organizations do to protect themselves from DDoS, particularly attacks that involve NTP? Fortunately, the solution is mostly straightforward because it addresses basic oversights in how NTP is utilized and secured.
Many devices ship with NTP support, despite not really needing it. Administrators can modify the software that they use to implement protocols such as NTP, resulting in a better ratio of response size to request size. In some cases, reconfiguring an NTP-enabled computer may not be a viable option, so organizations can instead consider traffic filtering.
During classic DNS reflection amplification attacks, such filtering is tough because it requires careful differentiation between spoofed and legitimate traffic – erroneously screening out the latter can exacerbate the issues at hand. With NTP-based campaigns, matters are much simpler. Routers can be set up to reject traffic from open NTP servers, usually with few consequences, though administrators still need to follow best practices for determining if a given packet's path is plausible, given its originating IP address.
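The two mitigations just described, reconfiguring NTP so it no longer answers monitor queries and filtering traffic whose source address is not plausible for the path it arrived on, are shown together in this added example (not code from the article or from the NTP project). Part 1 audits an ntpd-style ntp.conf for the `noquery` restriction and `disable monitor`, with a weak configuration beside a hardened one; Part 2 is a BCP38-style ingress check against a constructed table of which prefixes belong behind which interface. The configuration text, interface names, prefixes and packet tuples are all constructed for the demo.

```python
"""Two defender-side checks for the NTP-amplification problem described above.

Added example, not the article's own material. Part 1 audits an ntpd-style
ntp.conf for the two settings that close the monlist amplifier: a default
`restrict` line carrying `noquery` (refuses mode 6/7 queries from hosts not
explicitly allowed) and `disable monitor` (turns the monitor list off, so a
monlist query has nothing to return). Part 2 is a BCP38-style ingress check:
a packet whose source address does not belong to the prefixes expected behind
the interface it arrived on is implausible and should be dropped. Sample
config text, the prefix table and the packets are constructed for the demo.
"""
import ipaddress
from typing import Dict, List, Tuple

# --- Part 1: ntp.conf audit ------------------------------------------------

WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default nomodify notrap nopeer
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
# refuse control and monitor queries from everyone ...
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# ... except the box itself
restrict 127.0.0.1
restrict ::1
# and turn the monitor list off so monlist has nothing to return
disable monitor
"""


def audit_ntp_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means both mitigations are present."""
    findings: List[str] = []
    default_restricts = []
    monitor_disabled = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        words = line.split()
        if words[0] == "restrict":
            # accepts `restrict default ...` and `restrict -4/-6 default ...`
            body = [w for w in words[1:] if w not in ("-4", "-6")]
            if body and body[0] == "default":
                default_restricts.append(set(body[1:]))
        elif words[0] == "disable" and "monitor" in words[1:]:
            monitor_disabled = True
    if not default_restricts:
        findings.append("no 'restrict default' line: any host may send mode 7 queries")
    elif any("noquery" not in flags for flags in default_restricts):
        findings.append("'restrict default' lacks noquery: monlist answerable by anyone")
    if not monitor_disabled:
        findings.append("'disable monitor' missing: monitor list still collected")
    return findings


# --- Part 2: source-address plausibility at the network edge ---------------

# Constructed table: which prefixes legitimately originate behind each interface.
INTERFACE_PREFIXES: Dict[str, List[str]] = {
    "customer-A": ["203.0.113.0/24"],
    "customer-B": ["198.51.100.0/25", "2001:db8:b::/48"],
}

Packet = Tuple[str, str, str]   # (ingress interface, source, destination)


def source_is_plausible(ingress_if: str, src: str) -> bool:
    """BCP38 / strict uRPF style check: does src belong where it claims to come from?"""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in INTERFACE_PREFIXES.get(ingress_if, []))


def filter_ingress(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Keep plausible packets, drop spoofed ones."""
    kept: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        (kept if source_is_plausible(pkt[0], pkt[1]) else dropped).append(pkt)
    return kept, dropped


# Constructed sample: one packet on customer-A's port claims a source that
# lives elsewhere, so any reply it provokes would land on that other address.
SAMPLE_PACKETS: List[Packet] = [
    ("customer-A", "203.0.113.7", "192.0.2.10"),     # genuine customer traffic
    ("customer-A", "192.0.2.10", "198.51.100.200"),  # forged source address
    ("customer-B", "2001:db8:b::5", "2001:db8::1"),  # genuine IPv6 customer traffic
]

if __name__ == "__main__":
    print("weak:", audit_ntp_conf(WEAK_CONF))
    print("hardened:", audit_ntp_conf(HARDENED_CONF))
    print(filter_ingress(SAMPLE_PACKETS))
```

The audit is deliberately conservative: a `restrict default` line without `noquery` is reported even when `disable monitor` is present, because `noquery` also shuts off the other mode 6/7 queries that return more than they cost. The ingress filter is the "is this packet's path plausible" check the paragraph refers to; it belongs on the router facing the customer or access network, since that is the only place where the legitimate source prefixes are known with certainty.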
With more attention, NTP-based attacks can be mitigated. Still, organizations will need to take these security lessons to heart as they prepare themselves for new types of DDoS and ensure the viability of their infrastructure.