The number of vulnerable servers fell from 432,120 in December 2013 to 21,156 in March 2014, but there are still more than 17,000 vulnerable servers worldwide, according to security firm NSFOCUS.
Of these, 2,121 vulnerable NTP servers are believed to be capable of magnifying traffic by a factor greater than 700.
NTP servers are used to synchronise computer clocks, but attackers have been exploiting weaknesses in the system to flood targeted computers with data, effectively carrying out a denial of service attack.
The Network Time Protocol – like many other essential protocols that ensure the smooth running of the internet – is not secure, because it was designed and implemented without considering security.
The vulnerability lies in the fact that the amount of data the NTP sends back is bigger than the amount it receives.
The NTP contains a command called monlist which can be sent to an NTP server for monitoring purposes.
But it returns the addresses of up to the last 600 machines that the NTP server has interacted with. This response is much bigger than the request sent, making it ideal for a DDoS amplification attack.
Another problem is that the attacking computer's source address can also be "spoofed", tricking the NTP server into sending the response to a target computer instead of back to the attacker.
Typically, many computers are used to make requests to NTP servers but, by spoofing the source address of these computers, attackers can direct large amounts of data from the NTP servers to a single target.
Such amplification attacks result in an attacker turning a small amount of bandwidth coming from a small number of machines into a massive traffic load from around the internet hitting a victim.
According to the NSFOCUS report, the decline in vulnerable servers indicates that many network and system administrators have taken the necessary steps to disable or restrict monlist functions.
However, the rest of the vulnerable servers need to be protected, the report said.
The US Computer Emergency Readiness Team (US-CERT) has advised system administrators to upgrade to version 4.2.7p26 or later of the NTP reference implementation.
Users of versions earlier than 4.2.7p26 should either use noquery in the default restrictions to block all status queries, or use disable monitor to disable the ntpdc -c monlist command while still allowing other status queries, the US-CERT said.
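The two mitigations above are both plain ntp.conf directives, so an administrator can check a fleet of configuration files for them mechanically. The following script is an added example written for this article, not code from US-CERT, NSFOCUS or the NTP project: it parses an ntp.conf, reports whether "disable monitor" is set and whether every "restrict default" line carries "noquery" (or "ignore"), and can emit a hardened copy. The sample configuration is constructed, the directive handling is limited to the options the text names, and the assumption that a configuration with no "restrict default" line at all answers monlist queries follows ntpd's documented open default.

```python
"""Audit an ntp.conf for the two US-CERT monlist mitigations.

Added example, not part of the original article. It only understands the
directives the article mentions: 'disable monitor' / 'enable monitor' and
the 'noquery' (or 'ignore') flags on 'restrict default' lines.
"""

# Constructed sample ntp.conf: monlist is reachable from anywhere because
# neither mitigation is present (the 'kod nomodify notrap nopeer' flags do
# not block status queries).
WEAK_CONF = """\
# constructed example, not a real host
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer
restrict 127.0.0.1
restrict ::1
"""


def _split_comment(raw):
    """Return (directive_text, comment_or_None) for one ntp.conf line."""
    if "#" in raw:
        code, comment = raw.split("#", 1)
        return code, comment
    return raw, None


def _default_restrict_flags(args):
    """Return the flag list of a 'restrict [-4|-6] default ...' line, else None."""
    if args and args[0] in ("-4", "-6"):
        args = args[1:]
    if args and args[0] == "default":
        return args[1:]
    return None


def audit_ntp_conf(text):
    """Report whether the monitor list is disabled and whether every
    'restrict default' line blocks queries. monlist_exposed is True only
    when neither mitigation is in place."""
    monitor_enabled = True  # ntpd default: the monitor list is on
    default_lines = []      # flag sets of every 'restrict default' line
    for raw in text.splitlines():
        tokens, _ = _split_comment(raw)
        tokens = tokens.split()
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "disable" and "monitor" in args:
            monitor_enabled = False
        elif keyword == "enable" and "monitor" in args:
            monitor_enabled = True  # a later directive wins
        elif keyword == "restrict":
            flags = _default_restrict_flags(args)
            if flags is not None:
                default_lines.append(set(flags))
    # No 'restrict default' line means ntpd answers everyone (assumption
    # stated in the lead-in); 'ignore' drops all packets, which also stops
    # monlist queries.
    default_noquery = bool(default_lines) and all(
        "noquery" in flags or "ignore" in flags for flags in default_lines
    )
    return {
        "monitor_disabled": not monitor_enabled,
        "default_noquery": default_noquery,
        "monlist_exposed": monitor_enabled and not default_noquery,
    }


def harden_ntp_conf(text):
    """Return a copy of the config with 'noquery' appended to every
    'restrict default' line that lacks it and 'disable monitor' added when
    the monitor list is still on (both US-CERT options applied together)."""
    out = []
    for raw in text.splitlines():
        code, comment = _split_comment(raw)
        tokens = code.split()
        if tokens and tokens[0] == "restrict":
            flags = _default_restrict_flags(tokens[1:])
            if flags is not None and not {"noquery", "ignore"} & set(flags):
                code = code.rstrip() + " noquery"
                if comment is not None:
                    code += " "
        out.append(code + ("#" + comment if comment is not None else ""))
    if not audit_ntp_conf(text)["monitor_disabled"]:
        out.append("disable monitor")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit_ntp_conf(WEAK_CONF))
    fixed = harden_ntp_conf(WEAK_CONF)
    print(fixed)
    print("after: ", audit_ntp_conf(fixed))
```

Running the script on the constructed file reports monlist_exposed as True before hardening and False afterwards; the same audit function can be pointed at real files collected from servers to find the remaining hosts the report is concerned with.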
“As DDoS attacks continue to grow in number and impact, we are proud to help ISPs, hosting providers, datacentres and enterprises stay one step ahead of these kinds of ongoing attacks,” said Terence Chong, solutions architect at NSFOCUS.