Network time protocol: The latest weapon

The evolution of NTP in DDoS attacks has established a new ‘normal’ as 100 Gbps attacks have become common.

Tags: Arbor Networks (
  • E-Mail
Network time protocol: The latest weapon Mahmoud Samy, regional director, Arbor Networks
By  Mahmoud Samy Published  July 24, 2014

Who would have imagined that network time protocol (NTP) — such an innocuous protocol designed to synchronise the clock on a laptop, smartphone, tablet, and network infrastructure devices — would be abused to cause so much damage? But NTP reflection/amplification DDoS attacks are the current weaponised DDoS technique of choice for DDoS attacks.

The NTP protocol, which dates back to the 1980s, has been abused for years as it has been utilised for NTP reflection/amplification attacks. What changed is that the gaming attacks in October 2013 popularised how NTP can be abused and utilised in a DDoS attack. A number of high-profile NTP reflection/amplification DDoS attacks were launched against online gaming services to disrupt high-profile professional gaming events, interfere with new product launches and exact revenge from rival players. This, in turn, led to a quick escalation in attack sizes, due to the large amplification ratio of NTP, which was approximately 1,000 to 1.

This evolution of NTP in DDoS attacks has established a new ‘normal’ as 100 Gbps attacks have become relatively common, but attacks of 300-plus Gbps have also been recorded. In February of 2014 alone, there were over 43 separate 100-plus Gbps attacks globally. Even small DDoS attack volumes are able to impact availability and disrupt the performance of servers, applications, or services that are brittle, fragile and non-scalable. Large attacks generate significant collateral damage en route to their target due to their extreme bandwidth consumption on ISP networks and at their various interchange points.

What is an NTP reflection/amplification attack and why is it so dangerous?
An amplification DDoS attack is when an attacker makes a relatively small request that generates a larger response/reply, which is true of most server responses. A reflection DDoS attack is when forged requests are sent to a very large number of Internet-connected devices that reply to the requests that use IP address spoofing, where the ‘source’ address is set to the IP address of the actual target of the attack, where all replies are sent. A reflection/amplification DDoS attack combines both techniques for a DDoS attack, which is both high-volume and difficult to trace back to its point(s) of origin.

An NTP attack has been implemented in all major operating systems, network infrastructure and embedded devices. There are over 100,000 abusable NTP servers with administrative functions incorrectly open to the general Internet. Anti-spoofing deployment gaps exist at network edges. NTP has a high amplification ratio of approximately 1,000 times. Furthermore, attack tools are readily available, making these attacks easy to execute. This equates to a significant risk for any potential target, which should not be taken lightly.

As a result, organisations from large ISPs to enterprises need to address this network-level risk with a network-scale approach.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code