By Ben Fischer, Arbor Networks.
Who would have imagined that Network Time Protocol (NTP) — such an innocuous protocol designed to synchronise the clock on your laptop, smartphone, tablet, and network infrastructure devices — could be abused to cause so much damage? NTP reflection/amplification DDoS attacks are the current weapon of choice, especially those 1Gb/second and larger —some now exceed 300Gb/second. Attacks of 100Gb/second have become fairly common, as readily-available tools have armed slews of copycat attacks. Even small DDoS attack volumes are able to impact availability and disrupt the performance of servers, applications, or brittle, fragile and non-scalable services. Large attacks generate significant collateral damage en-route to their target due to their extreme bandwidth consumption on ISP networks and at their various interchange points.
When did the NTP reflection/amplification attack craze start?
In October of 2013, a number of high-profile NTP reflection/amplification DDoS attacks were launched against online gaming services to disrupt high-profile professional gaming events, interfere with new product launches, and exact revenge from rival players. This was noticed by tens of millions of gamers and was promptly reported on by the media. The Arbor Security Engineering and Response Team (ASERT) tracked NTP traffic attacks for over six months.
NTP traffic from December 2013 through March 2014.
As you can see from the above chart, prior to late December 2013, NTP traffic was almost non-existent. From December 2013 to March 2014, there has been a dramatic rise. In fact, much of this traffic is due to NTP reflection/amplification attacks.
The table above shows NTP attacks as a percentage of all attacks from December 2013 through March 2014, by BPS (bytes per second) and PPS (packets per second).
Why is an NTP reflection/amplification attack so harmful?
It’s ubiquitous. NTP has been implemented in all major operating systems, network infrastructure and embedded devices. There are over a hundred thousand abusable NTP servers with administrative functions open to the general internet. Anti-spoofing deployment gaps exist at network edges and NTP has a high amplification ratio of over a thousand. Furthermore, attacks tools are easy to get hold of, making these attacks easy to execute. This equates to a significant risk for any potential target, which shouldn’t be taken lightly.
What can organisations do?
Organisations ranging from large ISPs to enterprises need to address this network-level risk with a network-scale approach. Consider the following best practices to minimise damage and maximise network availability:
- Ensure that you have anti-spoofing deployed at the edges of your networks.
- Leverage flow telemetry exported from all network edges, to automatically detect, classify, trace back, and alert DDoS attacks.
- Deploy network infrastructure-based reaction/mitigation techniques such as Source-Based Remotely-Triggered Blackholing (S/RTBH) and flowspec at all network edges to mitigate attacks.
- Deploy Intelligent DDoS Mitigation Systems, in centres located at topologically appropriate points within the ISP network to mitigate attacks to protect critical infrastructure (DNS, NTP, etc.) and enterprise network connections.
- Subscribe to a global ‘Clean Pipes’ DDoS mitigation service offered by your ISP/MSSP to provide an additional layer of protection in addition to on-premise protection.
- Deploy Quality-of-Service (QoS) mechanisms at all network edges to police non-timesync NTP traffic down to an appropriate level (e.g. rate limit all 400-byte or larger UDP/123 traffic (source) down to 1Mb/sec).
Proactively scan for and remediate abusable NTP services on the ISP and customer networks to reduce the number of abusable NTP servers. Also, check http://www.openntpproject.org for any abusable NTP servers that have been identified on your network or your customers’ networks.
At BT, we have partnered with world-class DDoS vendor, Arbor, for the past seven years and, together, developed the comprehensive solutions that are offered to our customers today. Working together, we successfully mitigated a recent attack on a large UK retail organisation of 54Gb/sec. To learn more about what your organisation can do to detect and protect yourselves from DDoS attacks, see a demonstration on the stand at this year’s IA14…
If you’re responsible for the delivery of IA, cyber security in government or the critical national infrastructure, this is your opportunity to engage in the debate with senior colleagues across government and academia.
Register here for your place at IA14 and visit us on stand seven or join our day two collaboration workshop.