Prolexic Technologies and Arbor Networks both issued warnings to organizations this week about the increased threat of NTP amplification DDoS attacks.
According to Akamai-owned Prolexic Technologies, DDoS attacks using NTP amplification surged in popularity this year, fueled by the availability of new DDoS toolkits that make it easy to launch high-bandwidth, high-volume DDoS attacks against online targets.
“During the month of February, we saw the use of NTP amplification attacks surge 371 percent against our client base,” said Stuart Scholly, SVP/GM Security, Akamai Technologies. “In fact, the largest attacks we’ve seen on our network this year have all been NTP amplification attacks.”
On Monday, Arbor Networks also highlighted the significant spike in NTP attacks over the past few months.
Arbor Networks’ Chris Sellers noted in a blog post that NTP attack traffic started to rise at the end of 2013, approaching and exceeding 400Gb/s most days through February.
Across its ATLAS system customer base, Arbor Networks said the bandwidth of NTP traffic declined slightly entering March, but remains at 300Gb/s on most days, far above the 50Gb/s seen in late January. However, Arbor said traffic peaked at nearly 800Gb/s on March 4, shortly before midnight UTC.
NTP stands for Network Time Protocol, which runs over UDP port 123 and is used to synchronize clocks between machines on a network. In December, researchers at Symantec noticed an uptick in attacks abusing the protocol. US-CERT warned about these types of distributed denial-of-service attacks earlier this year.
“NTP is effective as an amplification source because the responses can be hundreds of times the size of the queries,” Matthew Prince, CEO of Cloudflare told SecurityWeek previously. “This means that an attacker with a list of a relatively small number of vulnerable NTP servers can generate a large attack. Generally, you only need about 1/10th the number of misconfigured NTP servers as you do open DNS resolvers to launch an attack of the same size.”
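One defender-side check that follows from Prince's explanation, as an added example that is not from the article or from any vendor it cites: group UDP/123 flow records by NTP server, compare bytes sent to the server against bytes it sends back, and flag servers whose responses are many times larger than the queries, along with the destinations absorbing most of that response traffic. The flow records and addresses below are constructed for illustration.

```python
"""Flag NTP amplification candidates in UDP flow records (added example)."""
from collections import defaultdict

# Constructed sample flows, NOT from the article. Fields per line:
# src_ip src_port dst_ip dst_port proto bytes
# 198.51.100.x are hypothetical NTP servers; 203.0.113.5 is a hypothetical
# destination receiving large responses to tiny queries it may never have sent.
SAMPLE_FLOWS = """\
203.0.113.5 40001 198.51.100.10 123 udp 48
198.51.100.10 123 203.0.113.5 40001 udp 21000
203.0.113.5 40002 198.51.100.11 123 udp 48
198.51.100.11 123 203.0.113.5 40002 udp 18000
192.0.2.50 55321 198.51.100.12 123 udp 48
198.51.100.12 123 192.0.2.50 55321 udp 48
"""

NTP_PORT = 123
AMP_THRESHOLD = 20.0  # a normal time query and reply are about the same size


def parse_flows(text):
    """Parse the whitespace-separated flow format above into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, proto, nbytes = line.split()
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def amplification_by_server(flows):
    """Return {server: (query_bytes, response_bytes, ratio)} for UDP/123 peers."""
    queries, responses = defaultdict(int), defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] == NTP_PORT:          # traffic towards the server
            queries[f["dst"]] += f["bytes"]
        elif f["sport"] == NTP_PORT:        # traffic from the server
            responses[f["src"]] += f["bytes"]
    result = {}
    for server in set(queries) | set(responses):
        q, r = queries[server], responses[server]
        result[server] = (q, r, r / q if q else float("inf"))
    return result


def suspicious_servers(flows, threshold=AMP_THRESHOLD):
    """Servers whose response volume exceeds query volume by the threshold."""
    stats = amplification_by_server(flows)
    return sorted(s for s, (_, _, ratio) in stats.items() if ratio >= threshold)


def top_response_targets(flows):
    """(destination, bytes) of NTP response traffic received, largest first."""
    totals = defaultdict(int)
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == NTP_PORT:
            totals[f["dst"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
```

Run over real flow exports, the same two summaries point at the misconfigured servers on your own network and at the destinations being flooded, which are the two places mitigation (rate-limiting or restricting the server, filtering toward the target) applies.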
“While NTP amplification attacks have been a threat for many years, a number of new DDoS attack toolkits have made it easier for malicious actors to launch attacks with just a handful of servers,” Prolexic explained in its advisory. “With the current batch of NTP amplification attack toolkits, malicious actors could launch 100 Gbps attacks – or larger – by leveraging just a few vulnerable NTP servers.”
From February 2014 to January 2014, the number of NTP amplification attacks increased 371.43 percent, according to Prolexic, while the average peak DDoS attack bandwidth increased 217.97 percent. The average peak DDoS attack volume increased 807.48 percent, the company said.
Prolexic’s advisory noted that the NTP amplification attacks were broad and did not focus on any particular sector.
According to a recently released threat report (PDF) from Black Lotus, NTP attacks now represent the most serious threat to the availability of public networks, with 40 percent of the serious attacks measured by the DDoS protection firm being NTP-based attack types.
Content delivery and web security firm Cloudflare experienced an NTP amplification-based attack that topped 400Gb/s against its infrastructure in late February, when attackers targeted one of its customers.
On February 9 and February 10, Black Lotus said it observed NTP attacks as large as 421 Gbps, one believed to be the same attack CloudFlare experienced on the same day.
Earlier this month, Meetup.com experienced an outage stemming from a DDoS attack associated with a cybercriminal extortion attempt, though the company did not say if the attack used NTP amplification.
*Updated with additional data from Black Lotus