NTP-AMP DDoS Attacks: A Cyber Security Threat
Selected excerpts
The Security Engineering and Response Team (PLXsert) at Prolexic (now part of Akamai) recently published a Distributed Denial of Service (DDoS) Threat Advisory about a serious up-and-coming cyber security threat: NTP amplification attacks. The NTP-AMP DDoS threat advisory describes the cyber-attack and shares a Snort rule and DDoS defense instructions for attack mitigation by the target, along with best practices for NTP server administration. Fueled by the availability of new Network Time Protocol (NTP) amplification DDoS toolkits that make it simple for malicious actors to generate high-bandwidth, high-volume DDoS attacks against online targets, the NTP amplification attack method has surged in popularity, making it one of the most popular DDoS attack types in 2014, as reported by Prolexic. With only a handful of vulnerable NTP servers, the current batch of NTP amplification attack toolkits enables malicious actors to launch 100 Gbps attacks, or larger. The most recent toolkit uses an NTP server's own list of recent server connections, as many as 600 IP addresses, as the payload to create malicious traffic at the target site.

What makes the NTP-AMP attack so powerful?

The NTP protocol has a few methods that can be exploited to launch a DDoS amplification attack. One of the more common methods observed recently is the monlist request. Monlist is a feature within the NTP protocol that lists the addresses of, and statistics about, the last 600 clients that have connected to a server for NTP time service. The abuse of the monlist request is not new, but it has recently become a clear trend. The amplification is dramatic: if every request received a response and every server responded with the maximum amount of traffic, 1 Gbps of request traffic would yield 366 Gbps of response traffic destined for the primary target. In real-world environments NTP monlist responses vary wildly in size, which affects the total attack bandwidth directed to the primary target.
With such significant amplification, malicious actors can produce harmful attacks using only a few systems. With the use of NTP scanners, malicious actors could refine their NTP lists to include only servers that respond with the maximum response size, and two NTP servers could easily generate more than 100 Gbps of amplified reflection traffic. As with all DrDoS (Distributed Reflected Denial of Service) flooding tools, raw sockets are used by the NTP-AMP DDoS toolkit to craft the IP and UDP headers, which is what allows IP spoofing. Elevated privileges are required for the use of raw sockets on any modern operating system. Therefore, the execution of the NTP amplification tools requires attackers to either set up their own servers or compromise a server and elevate privileges in order to make the operating system create raw socket connections.

What an NTP-AMP attack looks like

Shown below in Figure 1 is a sample of malicious traffic replicated to emulate the actual NTP-AMP DDoS campaigns Prolexic mitigated for its customers.
Figure 1: Traffic observed by the primary target network using tcpdump
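The defining feature of the traffic in Figure 1 is that the target receives UDP source-port-123 responses from many NTP servers it never queried, because the requests carried the target's spoofed address. The following added example (not part of the advisory or of Prolexic's tooling) parses constructed, simplified tcpdump-style lines as a target network might see them and flags hosts receiving unsolicited NTP responses from several distinct servers; the line layout, sample addresses, packet sizes and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified tcpdump-like layout (not a real capture):
# "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length <payload bytes>"
# 203.0.113.5 is the reflection victim; 203.0.113.9 is a legitimate NTP client.
SAMPLE_LINES = """\
10:00:00.000101 IP 198.51.100.10.123 > 203.0.113.5.80: UDP, length 440
10:00:00.000103 IP 198.51.100.10.123 > 203.0.113.5.80: UDP, length 440
10:00:00.000110 IP 198.51.100.22.123 > 203.0.113.5.80: UDP, length 440
10:00:00.000131 IP 198.51.100.37.123 > 203.0.113.5.80: UDP, length 440
10:00:00.000150 IP 203.0.113.9.52314 > 198.51.100.10.123: UDP, length 48
10:00:00.000172 IP 198.51.100.10.123 > 203.0.113.9.52314: UDP, length 48
"""

LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)"
)

def parse_packets(text):
    """Yield (src, sport, dst, dport, length) for every line the regex matches."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["length"])

def summarize_ntp_inbound(packets):
    """Per destination host, count UDP/123 traffic that arrived without a prior
    request from that host to that server: the signature of reflected traffic."""
    asked = set()  # (client, server) pairs where the client really sent to port 123
    stats = defaultdict(lambda: {"pkts": 0, "bytes": 0, "servers": set()})
    for src, sport, dst, dport, length in packets:
        if dport == 123:
            asked.add((src, dst))
        elif sport == 123 and (dst, src) not in asked:
            stats[dst]["pkts"] += 1
            stats[dst]["bytes"] += length
            stats[dst]["servers"].add(src)
    return stats

def flag_reflection_victims(text, min_servers=2, min_bytes=800):
    """Return {victim: (distinct_servers, unsolicited_bytes)} for hosts receiving
    unsolicited NTP responses from several servers. Thresholds are assumed values
    chosen for this sample, not figures taken from the advisory."""
    victims = {}
    for host, s in summarize_ntp_inbound(parse_packets(text)).items():
        if len(s["servers"]) >= min_servers and s["bytes"] >= min_bytes:
            victims[host] = (len(s["servers"]), s["bytes"])
    return victims

if __name__ == "__main__":
    for host, (n, b) in flag_reflection_victims(SAMPLE_LINES).items():
        print(f"{host}: {b} unsolicited bytes from {n} NTP servers")
```

On the sample, only 203.0.113.5 is flagged; the client 203.0.113.9 is ignored because its response matched a request it actually sent.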
Get the full NTP-AMP DDoS threat advisory for a full analysis and mitigation techniques

In the threat advisory, PLXsert shares its insight into NTP Amplification attacks:
• Indicators of the use of the NTP Amplification toolkit
• Analysis of the source code
• Use of monlist as the payload
• The SNORT rule and target mitigation using ACL entries for attack targets
• Mitigation instructions for vulnerable NTP servers
• Statistics and payloads from two observed NTP Amplification DDoS attack campaigns
About Prolexic

Prolexic Technologies (now part of Akamai) is the world's largest and most trusted provider of DDoS protection and mitigation services. Learn more at http://www.prolexic.com.