29 May 2021

NTP Amplification DDoS Attacks

In this type of DDoS attack, known as an NTP amplification attack, the same amplification technique is used as in memcached attacks.

A cyber attacker can take a targeted network or server out of service by flooding it with amplified UDP traffic. The attack is carried out by abusing a weakness in servers that run the Network Time Protocol (NTP).

NTP servers, like memcached servers, can answer a small request packet with a much larger response.

How Is an NTP Amplification Attack Carried Out?

As in other DDoS amplification attacks, cyber attackers can obtain large amounts of data from NTP servers by sending small queries.

At this point, we should note that DNS Flood attacks differ from DNS amplification DDoS attacks. Unlike a DNS Flood, a DNS amplification attack uses insecure DNS servers to amplify the attacker's traffic and increase its effectiveness. The attacker uses compromised devices with little bandwidth to send many requests to DNS servers. With these small hijacked devices, the attacker sends a large number of requests while specifying the targeted server as the return (source) address. In this way, the amplified responses saturate the targeted server's network traffic.

The Network Time Protocol is designed to let internet-connected devices synchronise their internal clocks, and it serves an important function in the internet's architecture. Using the monlist command enabled on some NTP servers, an attacker can multiply the initial request traffic, because the command can produce very large responses. The monlist command, which is active by default on older NTP servers, is the key factor in this attack: when it is sent, the NTP server responds with the last 600 source IP addresses that made requests to it. This is why a cyber attacker can carry out an attack of more than 200 GB using 1 GB of internet traffic.

What Are the Stages of an NTP Amplification Attack?

NTP servers see the traffic they receive as legitimate and send legitimate responses to the target named in the (spoofed) source IP address. Since it is real traffic, mitigating it is difficult. Because UDP has no three-way handshake, traffic begins to pile up suddenly, and because UDP performs no verification, the response is sent regardless of what happens at the target. Both the use of UDP and the fact that the responses are legitimate traffic unfortunately allow cyber attackers to carry out a perfect reflection attack.
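The reflection pattern described above has a simple detection signature from the victim's side: large amounts of UDP traffic arriving from source port 123 on servers the victim never queried. The following Python script is an added example (not part of the original post) that runs that check over constructed NetFlow-style records; the IP addresses, byte counts and the `ratio_threshold` / `min_reflectors` values are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed flow records (not from the original post): one unidirectional
# UDP flow each, as (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# 203.0.113.20 performs a normal time sync with 198.51.100.5;
# 203.0.113.10 never talks to any NTP server but receives large bursts
# from several servers' port 123, which is what a reflection victim sees.
SAMPLE_FLOWS = [
    ("203.0.113.20", 40001, "198.51.100.5", 123, "udp", 48),     # normal request
    ("198.51.100.5", 123, "203.0.113.20", 40001, "udp", 48),     # normal reply
    ("198.51.100.5", 123, "203.0.113.10", 80, "udp", 44000),     # unsolicited
    ("198.51.100.6", 123, "203.0.113.10", 80, "udp", 43000),     # unsolicited
    ("198.51.100.7", 123, "203.0.113.10", 80, "udp", 45000),     # unsolicited
    ("203.0.113.30", 51000, "198.51.100.9", 443, "tcp", 9000),   # unrelated TCP
]


def amplification_report(flows, ratio_threshold=10.0):
    """Flag (ntp_server, receiver) pairs whose inbound bytes from UDP/123
    exceed the bytes the receiver sent to that server by ratio_threshold.
    Unsolicited traffic (nothing sent) gets an infinite ratio."""
    sent_to = defaultdict(int)        # key (server, client): bytes sent to port 123
    received_from = defaultdict(int)  # key (server, receiver): bytes from port 123
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == 123:
            sent_to[(dst, src)] += nbytes
        if sport == 123:
            received_from[(src, dst)] += nbytes

    alerts = []
    for (server, receiver), rx in received_from.items():
        tx = sent_to.get((server, receiver), 0)
        ratio = rx / tx if tx else float("inf")
        if ratio >= ratio_threshold:
            alerts.append({"server": server, "receiver": receiver,
                           "bytes_in": rx, "bytes_out": tx, "ratio": ratio})
    return alerts


def likely_reflection_victims(flows, min_reflectors=3):
    """Receivers hit by amplified/unsolicited NTP traffic from at least
    min_reflectors distinct servers: many reflectors converging on one
    host is the hallmark of a spoofed-source reflection attack."""
    by_receiver = defaultdict(set)
    for alert in amplification_report(flows):
        by_receiver[alert["receiver"]].add(alert["server"])
    return {r: sorted(s) for r, s in by_receiver.items() if len(s) >= min_reflectors}


if __name__ == "__main__":
    for a in amplification_report(SAMPLE_FLOWS):
        print(f"{a['server']} -> {a['receiver']}: in={a['bytes_in']} out={a['bytes_out']} ratio={a['ratio']}")
    print("likely victims:", likely_reflection_victims(SAMPLE_FLOWS))
```

The normal client never triggers an alert because its request and reply are the same size (ratio 1.0); the victim is reported once per reflector and then summarised by `likely_reflection_victims`. On a real network the same logic can be fed from a flow collector, and the thresholds should be tuned to the site's legitimate NTP volume.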

How Can an NTP Amplification Attack Be Mitigated?

Unfortunately, what can be done against NTP amplification attacks is limited. Because of the large volume of traffic generated, the network infrastructure as well as the server is affected. If the traffic is not blocked upstream at the ISP, the victim of the attack will go out of service after a short time. The first step, then, is to contact the ISP and have a black hole route created so that the incoming attack traffic is dropped.

The most effective measure is to disable the monlist feature on NTP servers; having this command disabled on every NTP server is a clear advantage.

We must remember that NTP software before version 4.2.7 is vulnerable by default. If an NTP server has been updated to version 4.2.7 or later, the monlist command is disabled by default. If upgrading is not possible, the instructions published by US-CERT on this subject can be followed.
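For an ntpd deployment that cannot be upgraded, the two configuration controls that stop monlist from being answered are the `disable monitor` directive (which turns off the monitoring list that monlist reads) and a `restrict default` line carrying `noquery` (which refuses mode 6/7 control queries from arbitrary sources). The following Python script is an added example, not part of the original post or of the ntp project, that audits an ntp.conf text for those two settings; the weak and hardened configurations embedded in it are constructed samples.

```python
# Constructed sample configs (not from the original post). The weak one keeps
# monitoring on and its default restriction lacks 'noquery', so monlist is
# answered for any source; the hardened one closes both paths.
WEAK_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default nomodify notrap
enable monitor
"""

HARDENED_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
# refuse ntpq/ntpdc (mode 6/7) queries, including monlist, from everyone by default
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# turn off the monitoring list that monlist reads from
disable monitor
"""


def parse_conf(text):
    """Split ntp.conf text into token lists, dropping comments and blank lines."""
    stmts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            stmts.append(line.split())
    return stmts


def audit_ntp_conf(text):
    """Return a list of findings describing monlist exposure; an empty list
    means both 'disable monitor' and 'restrict default ... noquery' are set."""
    findings = []
    monitor_enabled = True           # assumed default for the older versions the post describes
    default_noquery = {"-4": False, "-6": False}

    for toks in parse_conf(text):
        kw, rest = toks[0], toks[1:]
        if kw == "disable" and "monitor" in rest:
            monitor_enabled = False
        elif kw == "enable" and "monitor" in rest:
            monitor_enabled = True   # a later 'enable monitor' overrides 'disable monitor'
        elif kw == "restrict":
            families = ["-4", "-6"]  # a restrict without a family flag covers both
            if rest and rest[0] in ("-4", "-6"):
                families, rest = [rest[0]], rest[1:]
            if rest and rest[0] == "default" and "noquery" in rest[1:]:
                for fam in families:
                    default_noquery[fam] = True

    if monitor_enabled:
        findings.append("monitor enabled: 'disable monitor' missing or overridden by 'enable monitor'")
    for fam, ok in default_noquery.items():
        if not ok:
            findings.append(f"restrict {fam} default lacks 'noquery': mode 6/7 queries answered from any source")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_NTP_CONF), ("hardened", HARDENED_NTP_CONF)):
        print(name, "->", audit_ntp_conf(conf) or ["no monlist exposure found"])
```

Either control alone is enough to stop monlist responses; the audit reports on both so that a server relying on only one of them is still visible in an inventory sweep.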

Filtering spoofed packets out of the network is also an effective measure. ISPs have a major role to play against such attacks: they can provide protection against these UDP-based amplification attacks.
