NTP Amplification Attacks, the latest DDoS weapon (and how to protect yourself from it)

During the last few months, we’ve seen an increasing number of NTP amplification attacks. It’s an attack technique, similar to the earlier wave of DNS amplification attacks, mostly used by script kiddies (but also by black hats) to take sites and servers offline.

The technique behind the attack is pretty simple: using public NTP servers, the attacker sends a request with a spoofed source address. This makes the NTP server respond to the target server instead of the real source, and because the response (notably the reply to a monlist query) is many times larger than the request, each query is amplified. Using a large network of NTP servers, the sheer volume of these responses will then likely knock the site or servers offline.

Unfortunately there are plenty of public NTP servers out there that are exposed to this vulnerability.

How do you protect yourself?

Protecting yourself from DDoS attacks in general is a tricky subject. At CloudSigma, we already have DDoS mitigation built into our cloud. While that goes a long way, if you’re a high-profile target, you might also want to look into external services like CloudFlare for extra protection.

Secure your NTP servers!

If you’re running a public NTP server, you really need to make sure that you’re not exposed to this vulnerability. The easiest way to check is to run the ntp-monlist script for Nmap against your servers.

An easier solution is of course not to make your NTP servers public.
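The check described above, as an added example that is not part of the original post: the first function classifies the output of Nmap's ntp-monlist script for one of your own hosts, the second audits an ntp.conf for the two settings that close monlist. Hostnames are placeholders, and scan_host assumes nmap is installed on the machine running the audit.

```shell
#!/bin/sh
# Added example (not from the original post): audit your own NTP servers for
# an exposed monlist responder and for ntp.conf settings that leave it open.

# Return 0 (exposed) if Nmap's ntp-monlist script produced a result section;
# ntpd only yields that section when it answered the mode 7 monlist query.
monlist_exposed() {
    # $1 = output text of: nmap -sU -p 123 --script ntp-monlist <host>
    printf '%s\n' "$1" | grep -q '^| *ntp-monlist:'
}

# Return 0 (still allows monlist) unless ntp.conf disables the monitor
# facility or the default restriction denies queries (noquery or ignore).
# Per-host restrict lines and a separate "restrict -6 default" line are not
# evaluated here; review those by hand.
ntp_conf_allows_monlist() {
    # $1 = contents of ntp.conf
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*disable[[:space:]].*monitor'; then
        return 1
    fi
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*restrict[[:space:]]+(-4[[:space:]]+)?default[[:space:]].*(noquery|ignore)'; then
        return 1
    fi
    return 0
}

# Run the Nmap check against one host (requires nmap, https://nmap.org).
scan_host() {
    nmap -sU -p 123 -Pn -n --script ntp-monlist "$1" 2>/dev/null
}

# Scan each host given as an argument; exit status 1 if any one is exposed.
check_servers() {
    rc=0
    for host in "$@"; do
        if monlist_exposed "$(scan_host "$host")"; then
            printf '%s: monlist EXPOSED - add "disable monitor" and "restrict default ... noquery" to ntp.conf\n' "$host"
            rc=1
        else
            printf '%s: ok, no monlist response\n' "$host"
        fi
    done
    return $rc
}

# Example invocation with placeholder hostnames:
# check_servers ntp1.example.com ntp2.example.com
# ntp_conf_allows_monlist "$(cat /etc/ntp.conf)" && echo "ntp.conf still allows monlist"
```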

Further reading

If you want to learn more about this topic, the following articles might be a good starting point:


About Viktor Petersson

Former VP of Business Development at CloudSigma. Currently CEO at WireLoad and busy making a dent in the Digital Signage industry with Screenly. Viktor is a proud geek and loves playing with the latest technologies.