NTP amplification threat advisory
How to stop NTP amplification DDoS attacks: quick takeaways in 10 slides
www.prolexic.com
NTP-AMP: DDoS Amplification Tactics
Highlights from a Prolexic DDoS Threat Advisory
What is DDoS amplification?
• Amplification makes a DDoS attack stronger
• An attacker sends a small message to a third-party server, pretending to be the target
• The server responds with a much larger message to the target
• Repeated requests result in a denial of service attack
  – The flood of unwanted traffic keeps the target site too busy, causing it to crash or respond too slowly to users
Why NTP amplification?
• Network Time Protocol (NTP) is a common Internet protocol
• Servers use NTP to synchronize computer clocks
• Some versions of NTP are vulnerable to use in DDoS amplification attacks
• Attackers create lists of vulnerable servers
• A DDoS attack tool called NTP-AMP uses NTP and amplification lists to create massive denial of service attacks
NTP attacks: an emerging DDoS trend
Percent increase in NTP amplification attacks, February 2014 vs. January 2014:

  Number of attacks                       +371%
  Average peak bandwidth                  +217%
  Average peak packets per second (pps)   +807%
Many industries have been targeted
• Finance
• Gaming
• e-Commerce
• Internet
• Media
• Education
• Software-as-a-service (SaaS)
• Security
How NTP-AMP works
• monlist: IP addresses and statistics for the last 600 clients that have asked an NTP server for the time
• The NTP-AMP tool asks an NTP server for its monlist, while pretending to be the target.
• The NTP server sends its monlist to the target.
• The monlist is big!
  – In a worst-case situation, a single 60-byte request packet could generate a 22,000-byte response
• The attacker may use many NTP servers, but with this much amplification, fewer are needed
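The following is an added example, not Prolexic's code and not the Snort rule from the advisory. It shows what monlist traffic looks like on the wire from the defender's side: how an IDS or a pcap triage script recognises NTP "private" mode 7 monlist requests and replies by their 8-byte header, and how it measures the reply-to-request byte ratio for each server/target pair. The packets and the IP addresses (documentation ranges) are constructed for the example; the header field layout and the request codes come from the reference ntpd's ntp_request.h.

```python
"""Added example (not Prolexic's code or the advisory's Snort rule): recognise
NTP 'private' mode 7 monlist requests and replies by their header and measure
the reply-to-request byte ratio per server/target pair, as a pcap triage
script or IDS would. All packets below are constructed for illustration."""
import struct
from collections import defaultdict

# Values from ntp_request.h in the reference ntpd implementation.
MODE_PRIVATE = 7          # mode 7 = implementation-specific "private" packets (ntpdc)
IMPL_XNTPD = 3            # implementation number used by ntpd
REQ_MON_GETLIST = 20      # older monlist request code
REQ_MON_GETLIST_1 = 42    # monlist request code used by ntpdc's "monlist"
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}


def parse_private_header(payload):
    """Decode the 8-byte mode 7 header of a UDP/123 payload.

    Returns a dict of fields, or None when the packet is not mode 7
    (ordinary time requests/replies are modes 3 and 4 and fall through).
    """
    if len(payload) < 8:
        return None
    b0, b1, impl, req_code, err_nitems, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(b0 & 0x80),      # R bit: set on replies from the server
        "more": bool(b0 & 0x40),          # M bit: more reply packets follow
        "version": (b0 >> 3) & 0x07,
        "sequence": b1 & 0x7F,            # reply packet sequence number
        "implementation": impl,
        "request_code": req_code,
        "error": err_nitems >> 12,        # 4-bit error code
        "nitems": err_nitems & 0x0FFF,    # number of data items in this packet
        "item_size": mbz_size & 0x0FFF,   # size of each item in bytes
    }


def is_monlist(payload):
    """True for a monlist request or reply in ntpd's format."""
    h = parse_private_header(payload)
    return (h is not None and h["implementation"] == IMPL_XNTPD
            and h["request_code"] in MONLIST_CODES)


def summarize_monlist_flows(packets):
    """Group monlist traffic by (server, client) and compute the byte ratio.

    packets: iterable of (src_ip, dst_ip, udp_payload). A request is keyed by
    its destination (the server) and its claimed source, which in an attack
    is the forged address of the target; replies are keyed the other way
    round so both directions land in the same bucket.
    """
    flows = defaultdict(lambda: {"request_bytes": 0, "reply_bytes": 0,
                                 "reply_packets": 0, "entries": 0})
    for src, dst, payload in packets:
        if not is_monlist(payload):
            continue
        h = parse_private_header(payload)
        if h["response"]:
            f = flows[(src, dst)]
            f["reply_bytes"] += len(payload)
            f["reply_packets"] += 1
            f["entries"] += h["nitems"]
        else:
            f = flows[(dst, src)]
            f["request_bytes"] += len(payload)
    for f in flows.values():
        # Ratio of UDP payload bytes; on the wire the ratio is a little lower
        # because both directions also carry IP/UDP/Ethernet headers.
        f["amplification"] = (f["reply_bytes"] / f["request_bytes"]
                              if f["request_bytes"] else None)
    return dict(flows)


def constructed_monlist_reply(seq, nitems, more):
    """Build a reply packet shaped like ntpd's: 8-byte header plus 72-byte
    entries (6 per packet, 440 bytes in total). Entry bodies are zeroed here."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    header = struct.pack("!BBBBHH", b0, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1, nitems, 72)
    return header + bytes(72 * nitems)


# Constructed capture: 203.0.113.10 is an exposed NTP server, 198.51.100.7 the
# target whose address is forged on the query, 192.0.2.55 a normal client.
SAMPLE_PACKETS = [
    ("198.51.100.7", "203.0.113.10",
     bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0, 0, 0])),   # 8-byte monlist query
    ("203.0.113.10", "192.0.2.55", bytes([0x24]) + bytes(47)),          # normal NTPv4 mode 4 reply
    ("203.0.113.10", "198.51.100.7", constructed_monlist_reply(0, 6, True)),
    ("203.0.113.10", "198.51.100.7", constructed_monlist_reply(1, 6, True)),
    ("203.0.113.10", "198.51.100.7", constructed_monlist_reply(2, 6, False)),
]

if __name__ == "__main__":
    for (server, target), f in summarize_monlist_flows(SAMPLE_PACKETS).items():
        print(f"{server} -> {target}: {f['reply_packets']} reply packets, "
              f"{f['entries']} entries, {f['reply_bytes']} bytes back for "
              f"{f['request_bytes']} bytes sent (x{f['amplification']:.0f})")
```

Three reply packets of 440 bytes for one 8-byte query give a payload ratio of 165 in this constructed capture; a real monlist of 600 entries spans 100 such packets, which is where the multi-kilobyte responses on the previous slide come from. The two signals a detector keys on are the same either way: mode 7 packets whose request code is 20 or 42, and replies (R bit set) on UDP source port 123 streaming toward a single destination.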
Don’t be a part of an attack: Configure your NTP servers properly
• Got an NTP server?
• Run a monlist query.
• If you get a response like this one, it is imperative that you change the server configuration to disable this type of response.
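As an added example (not from the Prolexic advisory), the audit below checks an ntp.conf for the two reference-ntpd settings that stop a server answering monlist: `disable monitor`, which stops ntpd recording clients so there is nothing to return, and `noquery` on the default `restrict` line, which refuses mode 6/7 queries from hosts that are not explicitly listed. Both configuration texts are constructed for the example, one showing the exposed form and one the corrected form.

```python
"""Added example (not from the Prolexic advisory): audit an ntp.conf for the
two reference-ntpd settings that stop it answering monlist: 'disable monitor'
(nothing is recorded, so there is nothing to return) and 'noquery' on the
default restrict line (mode 6/7 queries from unlisted hosts are refused).
The two configuration texts are constructed for the example."""
import shlex


def parse_ntp_conf(text):
    """Split ntp.conf into token lists, dropping comments and blank lines."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directives.append(shlex.split(line))
    return directives


def default_restrict_flags(tokens):
    """For a 'restrict' directive, return its flags if it is the catch-all
    'default' entry (optionally prefixed by -4/-6), otherwise None."""
    if tokens[0] != "restrict":
        return None
    args = tokens[1:]
    if args and args[0] in ("-4", "-6"):
        args = args[1:]
    if args and args[0] == "default":
        return args[1:]
    return None


def audit_monlist_exposure(text):
    """Return findings for one ntp.conf text.

    'monitor_enabled' follows the last enable/disable monitor directive
    (ntpd's default is enabled). 'default_noquery' is True only when at
    least one default restrict line exists and every one of them carries
    noquery; with no default restrict line, ntpd restricts nothing.
    """
    monitor_enabled = True
    default_lines = []
    for tokens in parse_ntp_conf(text):
        if tokens[0] in ("enable", "disable") and "monitor" in tokens[1:]:
            monitor_enabled = tokens[0] == "enable"
        flags = default_restrict_flags(tokens)
        if flags is not None:
            default_lines.append(flags)
    default_noquery = bool(default_lines) and all("noquery" in f for f in default_lines)
    return {
        "monitor_enabled": monitor_enabled,
        "default_noquery": default_noquery,
        "monlist_blocked": (not monitor_enabled) or default_noquery,
    }


WEAK_CONF = """\
# constructed: a common exposed configuration (no default restrict line)
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict 127.0.0.1
"""

HARDENED_CONF = """\
# constructed: the same server with monlist responses disabled
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_monlist_exposure(conf))
```

After changing the configuration and restarting ntpd, repeat the check from the slide against the server itself with `ntpdc -n -c monlist <server>`: a hardened server returns no client list (or times out), which is the result you want. ntpd releases from 4.2.7p26 onward no longer implement monlist at all, so upgrading is the other route to the same outcome.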
If you are a target of an NTP attack
• NTP-AMP is in active use in DDoS attack campaigns
• Prolexic stops NTP-AMP attacks
• The NTP-AMP Threat Advisory by the Prolexic Security Engineering and Response Team (PLXsert) explains how to mitigate NTP-AMP DDoS attacks
  – Target mitigation using ACL entries
  – NTP-AMP IDS Snort rule against victim NTP server
Threat Advisory: NTP-AMP DDoS toolkit
• Download the threat advisory, NTP-AMP: Amplification Tactics and Analysis
• This DDoS threat advisory includes:
  – Indicators of the use of the NTP-AMP toolkit
  – Analysis of the source code
  – Use of monlist as the payload
  – The SNORT rule and target mitigation using ACL entries for attack targets
  – Mitigation instructions for vulnerable NTP servers
  – Statistics and payloads from two observed NTP amplification DDoS attack campaigns
About Prolexic (now part of Akamai)
• Prolexic Technologies is the world’s largest and most trusted provider of DDoS protection and mitigation services
• Prolexic has successfully stopped DDoS attacks for more than a decade
• Our global DDoS mitigation network and 24/7 security operations center (SOC) can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers