More action needed to stop NTP DDoS attacks, says report

Action is needed to reduce the number of Network Time Protocol servers vulnerable to being abused to carry out distributed denial of service attacks

More needs to be done to reduce the number of Network Time Protocol (NTP) servers vulnerable to being abused to carry out distributed denial of service (DDoS) attacks, a report says.

The number of vulnerable servers fell from 432,120 in December 2013 to 21,156 in March 2014, but there are still more than 17,000 vulnerable servers worldwide, according to security firm NSFOCUS.

Of these, 2,121 vulnerable NTP servers are believed to be capable of magnifying traffic by a factor greater than 700.

NTP servers are used to synchronise computer clocks, but attackers have been exploiting weaknesses in the system to flood targeted computers with data, effectively carrying out a denial of service attack.

The Network Time Protocol – like many other essential protocols that ensure the smooth running of the internet – is not secure, because it was designed and implemented without considering security.

The vulnerability lies in the fact that the amount of data an NTP server sends back is bigger than the amount it receives.

NTP includes a command called monlist, which can be sent to an NTP server for monitoring purposes.

But it returns the addresses of up to the last 600 machines that the NTP server has interacted with, so the response is much bigger than the request that triggered it, making it ideal for a DDoS amplification attack.

Another problem is that the attacking computer's address can be "spoofed", tricking the NTP server into sending the response to a target computer rather than back to the sender.

Typically, many computers are used to send requests to NTP servers but, by spoofing the addresses of these computers, attackers can direct large amounts of data from the NTP servers at a single target.

Such amplification attacks result in an attacker turning a small amount of bandwidth coming from a small number of machines into a massive traffic load from around the internet hitting a victim.

According to the NSFOCUS report, the decline in vulnerable servers indicates that many network and system administrators have taken the necessary steps to disable or restrict monlist functions.

However, the rest of the vulnerable servers need to be protected, the report said.

The US Computer Emergency Readiness Team (US-CERT) has advised system administrators to upgrade to version 4.2.7p26 or later of the NTP reference implementation.

Users of versions earlier than 4.2.7p26 should either add noquery to the default restrictions (restrict default ... noquery) to block all status queries, or use disable monitor to turn off the ntpdc -c monlist command while still allowing other status queries, the US-CERT said.
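To show what the two US-CERT mitigations look like in an ntpd configuration and how an administrator can audit for them, here is an added example (not from the report or US-CERT) that checks an ntp.conf for either "disable monitor" or noquery on every "restrict default" line; the sample configuration files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an ntp.conf for the monlist mitigations described above.
# Exit status 0 = monlist mitigated ("disable monitor" present, or every
# "restrict default" / "restrict -4|-6 default" line carries noquery);
# exit status 1 = monlist is likely still answerable from anywhere.
ntp_monlist_hardened() {
    conf="$1"
    # Drop comments so a commented-out mitigation is not mistaken for a live one.
    body=$(sed 's/#.*//' "$conf")

    # Mitigation 2: "disable monitor" (possibly among other flags, e.g. "disable auth monitor")
    if printf '%s\n' "$body" | grep -E '^[[:space:]]*disable[[:space:]]' \
        | grep -Eq '(^|[[:space:]])monitor([[:space:]]|$)'; then
        return 0
    fi

    # Mitigation 1: noquery on every default restriction line.
    restricts=$(printf '%s\n' "$body" \
        | grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' || true)
    # No default restriction at all means status queries are answered for everyone.
    [ -n "$restricts" ] || return 1
    # Any default restriction line without noquery leaves monlist reachable.
    if printf '%s\n' "$restricts" | grep -Evq '(^|[[:space:]])noquery([[:space:]]|$)'; then
        return 1
    fi
    return 0
}

# Demonstration on constructed configuration fragments.
demo_dir=$(mktemp -d)
# Weak: a typical pre-hardening default restriction with no noquery.
printf 'driftfile /var/lib/ntp/drift\nrestrict default kod nomodify notrap nopeer\n' > "$demo_dir/open.conf"
# Hardened with noquery on both the IPv4 and IPv6 default restrictions.
printf 'restrict default kod nomodify notrap nopeer noquery\nrestrict -6 default kod nomodify notrap nopeer noquery\n' > "$demo_dir/noquery.conf"
# Hardened with "disable monitor" while other status queries stay available.
printf 'disable monitor\nrestrict default kod nomodify notrap nopeer\n' > "$demo_dir/nomon.conf"
for f in open noquery nomon; do
    if ntp_monlist_hardened "$demo_dir/$f.conf"; then
        echo "$f.conf: monlist mitigated"
    else
        echo "$f.conf: monlist likely answerable"
    fi
done
rm -rf "$demo_dir"
```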

“As DDoS attacks continue to grow in number and impact, we are proud to help ISPs, hosting providers, datacentres and enterprises stay one step ahead of these kinds of ongoing attacks,” said Terence Chong, solutions architect at NSFOCUS.
