US-CERT Warns of NTP Amplification Attacks

US-CERT is warning organizations about a form of distributed denial-of-service attack that seeks to overwhelm victims with UDP traffic reflected off publicly accessible NTP servers.


NTP stands for Network Time Protocol, which runs over port 123 and is used to synchronize clocks between machines on a network. In December, researchers at Symantec noticed an uptick of attacks targeting the protocol.

According to US-CERT, the attacks abuse the NTP service, which supports a monitoring feature that allows administrators to query the server for traffic counts of connected clients via the “monlist” command. In an NTP amplification attack, an attacker sends a “get monlist” request to a vulnerable NTP server, with the source address spoofed to be the victim’s address.

“The attack relies on the exploitation of the ‘monlist’ feature of NTP, as described in CVE-2013-5211, which is enabled by default on older NTP-capable devices,” according to the US-CERT advisory. “This command causes a list of the last 600 IP addresses which connected to the NTP server to be sent to the victim. Due to the spoofed source address, when the NTP server sends the response it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim.”

Since the responses are legitimate data coming from valid servers, it can be difficult for organizations to configure their defenses to block these attacks, the advisory added. All versions of NTPD (Network Time Protocol Daemon) prior to 4.2.7 are vulnerable by default and should be upgraded, US-CERT recommends. If that is not possible, the monitoring functionality can be disabled.
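Because the reflected replies are well-formed responses from real servers, spotting an attack from the victim's side comes down to the traffic pattern: large volumes of UDP/123 replies, from many different servers, that the host never asked for. The following added example (not from the advisory or from US-CERT) scores constructed flow records that way; the record layout, thresholds and addresses are assumptions.

```python
"""Flag hosts receiving large volumes of unsolicited NTP (UDP/123) replies,
the traffic pattern a monlist reflection victim would see. The flow records
are constructed for this example; their field layout is an assumption."""
from collections import defaultdict

NTP_PORT = 123

# Constructed flow records: (src, sport, dst, dport, packets, bytes).
# 198.51.100.7 sent one tiny query but is flooded by three servers.
SAMPLE_FLOWS = [
    ("203.0.113.5", 123, "198.51.100.7", 55000, 2400, 1152000),
    ("203.0.113.9", 123, "198.51.100.7", 55000, 2100, 1008000),
    ("203.0.113.14", 123, "198.51.100.7", 55000, 1900, 912000),
    ("198.51.100.7", 55000, "203.0.113.5", 123, 4, 192),
    # 198.51.100.20 is a normal client: request and reply are the same size.
    ("198.51.100.20", 43210, "203.0.113.5", 123, 3, 144),
    ("203.0.113.5", 123, "198.51.100.20", 43210, 3, 144),
]


def summarize_ntp(flows):
    """Per host: bytes received from UDP/123, bytes it sent to UDP/123,
    and the set of NTP servers that sent it traffic."""
    stats = defaultdict(lambda: {"in_bytes": 0, "out_bytes": 0, "reflectors": set()})
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if sport == NTP_PORT:
            stats[dst]["in_bytes"] += nbytes
            stats[dst]["reflectors"].add(src)
        if dport == NTP_PORT:
            stats[src]["out_bytes"] += nbytes
    return stats


def find_victims(flows, min_ratio=20.0, min_reflectors=2, min_bytes=100_000):
    """Hosts whose inbound NTP reply volume dwarfs what they asked for and
    arrives from several servers; thresholds are assumed starting points."""
    victims = {}
    for host, s in summarize_ntp(flows).items():
        ratio = s["in_bytes"] / max(s["out_bytes"], 1)
        if (s["in_bytes"] >= min_bytes and ratio >= min_ratio
                and len(s["reflectors"]) >= min_reflectors):
            victims[host] = {"ratio": round(ratio, 1),
                             "reflectors": sorted(s["reflectors"])}
    return victims


if __name__ == "__main__":
    for host, info in find_victims(SAMPLE_FLOWS).items():
        print(f"{host}: {info['ratio']}x inbound/outbound NTP bytes "
              f"from {len(info['reflectors'])} servers")
```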

Roland Dobbins, senior ASERT analyst at Arbor Networks, also recommended that organizations consider unicast reverse-path forwarding (uRPF), DHCP snooping and other anti-spoofing measures to hinder amplification attacks.

“NTP reflection/amplification attacks have been seen in the wild for the last 6-7 years,” he said. “This technique has been used recently in high-profile attacks on gaming networks, attacks which have affected a substantial consumer base of these gaming networks, so it’s been receiving attention in the industry space, that’s the main difference. But network operational security specialists have been dealing with these attacks for quite some time.”

“As is always the case, effective DDoS methodologies and techniques tend to move down-market over time from more sophisticated attackers to commodification and use by the broader base of less sophisticated attackers,” he added. “This is the case with the recent spate of high-profile NTP reflection/amplification attacks, for example — they’ve been used for years by more sophisticated attackers, and have now moved down-market in terms of being utilized by less technically-sophisticated attackers.”

*This story has been updated.
