NTP Amplification DDoS Attack

The Network Time Protocol (NTP) is one of the oldest protocols still in use on the internet today. It was first used during the mid-1980s when it was created by the University of Delaware’s David L. Mills. Mills, who is widely recognized as an internet pioneer, sought to create an internet protocol (IP) that synchronizes the internal clock of a computer.

The NTP protocol has seen a great deal of abuse and misuse since its inception. This can arguably be traced back to the year 2002. In more recent times, a particular type of Distributed-Denial-of-Service (DDoS attack), which uses the NTP protocol, has become an ever-present threat. Though the idea of NTP amplification is not new, since the year 2014, hackers have successfully DDoS’d countless targets with it.

The most significant incident involving an NTP amplification DDoS was in 2014, where Cloudflare servers were directly targeted by a DDoS attack that alarmed even the CEO of the company (he called it “the start of ugly things to come”). At the time, at 400 Gbps, this was once of the largest DDoS attacks ever. For an attack to surprise a company known for strong DDoS protection, this should give you some idea of just how powerful NTP amplification can be.

As this is the case, it is vital for security professionals and leaders in charge of security policy to understand NTP amplification attacks. Though the attack has been overshadowed by other, more powerful attacks, it is still very much a threat. By the time you are finished reading this primer, you will not merely understand an NTP amplification DDoS attack, but also be able to defend against it.

What is an NTP Amplification Attack?

An NTP amplification DDoS attack, put simply, exploits public Network Time Protocol servers to overload a target with a botnet. For the uninitiated, a botnet is a set of machines (called “zombies”) that are used in a DDoS attack. They are controlled by the attacker using a Command-and-Control (C2) server and use their large numbers to overload a target. In the case of an NTP amplification, the DDoS occurs via the User Datagram Protocol (UDP). UDP does not require any response (like the TCP/IP three-way SYN-SYN/ACK-ACK handshake) to send packets. For this reason, it is easier to create a Denial-of-Service (DoS) situation that knocks a server or network offline.

The NTP amplification attack is possible due to a flaw in the design of the Network Time Protocol. NTP has an inherent monitoring service that allows sysadmins to check traffic counts of connected clients. Using the “get monlist” command, an attacker can leverage this monitoring service’s abilities to spoof their address to be that of the victim’s. For reference, “monlist” allows an administrator to see roughly 600 of the most recent clients to connect to the server.

What eventually happens is the UDP traffic overloads the server and renders it inoperable. The administrator is none the wiser as they see all the traffic as belonging to a legitimate user.

While this is a brief overview, it is necessary to understand the NTP DDoS attack step-by-step. Only then can individuals in charge of servers learn how to defend against it.

How does an NTP Amplification Attack Work?

A threat actor forms a botnet through the many methods available today (infecting various devices with malware is the most likely option).
The attacker then finds a publicly available NTP server and determines an IP address that it will accept as legitimate.
Using this IP address, the threat actor crafts spoofed UDP packets to be sent by the botnet zombie machines. Each UDP packet is loaded with the “get monlist” command.
The botnet then begins sending the UDP packets, and thanks to the combination of the constant influx of malicious traffic, the NTP server begins responding to an enormous amount of “get monlist” commands.
The NTP server quickly becomes overwhelmed in trying to respond to each malformed UDP packet.
The victim is knocked offline and any legitimate traffic is unable to get through.

How is an NTP Amplification Attack Mitigated?

The unfortunate reality with NTP amplification attacks is that there are very few ironclad solutions. A lot of this has to do with the age of the protocol. Older protocols are prone to exploitation on a greater scale simply because threats present in the 1980s have multiplied exponentially since then. We have computers with processing power that makes computers of old seem like primitive technology. When the internet went public in the mid-1990s, the idea of cellular phones like those we have today would be considered science fiction. With other smart devices all connecting to the Internet-of-Things, botnet creation is easier than ever before.

There are, however, some things that can be done to mitigate an NTP amplification DDoS attack. As was noted frequently throughout this report, the “monlist” command is key to exploiting an NTP server. Depending on the server used, it is possible to install a patch that disables the “monlist” command. The tricky thing with this is that the patch must be 4.2.7 or above. Many NTP servers are legacy servers and cannot support this patch. As such, there is another workaround that must be implemented for mitigation. On a public-facing NTP server, US-CERT recommends legacy systems input the “noquery” command to the “restrict default” system configuration. If executed properly, it will disable the “monlist” command.

These mitigation tactics may still not be enough. Depending on the size of your organization, it may be necessary to employ third-party services. Even the strongest networks can be crippled by a properly deployed botnet attack. As this is the case, a third-party service that can scatter network traffic may be necessary. It will then put the server load on more than just the targeted network, and instead take some of the heat off so that the spoofed traffic does not all reach the same server.

Cookie	Duration	Description
__stripe_mid	1 year	This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
__stripe_sid	30 minutes	This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
Affiliate ID	3 months	Affiliate ID cookie
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
Data 1	3 months
Data 2	3 months	Data 2
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
woocommerce_cart_hash	session	This cookie is set by WooCommerce. The cookie helps WooCommerce determine when cart contents/data changes.
XSRF-TOKEN	session	The cookie is set by Wix website building platform on Wix website. The cookie is used for security purposes.

Cookie	Duration	Description
__lc_cid	2 years	This is an essential cookie for the website live chat box to function properly.
__lc_cst	2 years	This cookie is used for the website live chat box to function properly.
__lc2_cid	2 years	This cookie is used to enable the website live chat-box function. It is used to reconnect the customer with the last agent with whom the customer had chatted.
__lc2_cst	2 years	This cookie is necessary to enable the website live chat-box function. It is used to distinguish different users using live chat at different times that is to reconnect the last agent with whom the customer had chatted.
__oauth_redirect_detector		This cookie is used to recognize the visitors using live chat at different times inorder to optimize the chat-box functionality.
Affiliate ID	3 months	Affiliate ID cookie
Data 1	3 months
Data 2	3 months	Data 2
pll_language	1 year	This cookie is set by Polylang plugin for WordPress powered websites. The cookie stores the language code of the last browsed page.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_ga_J2RWQBT0P2	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_12584548_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gat_UA-12584548-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
_hjAbsoluteSessionInProgress	30 minutes	No description available.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
_hjid	1 year	This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInPageviewSample	2 minutes	No description available.
_hjIncludedInSessionSample	2 minutes	No description available.
_hjTLDTest	session	No description available.
PAPVisitorId	1 year	This cookie is set by the Post Affiliate Pro.This cookie is used to store the visitor ID which helps in tracking the affiliate.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
fr	3 months	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
NID	6 months	This cookie is used to a profile based on user's interest and display personalized ads to the users.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
_app_session	1 month	No description available.
_dc_gtm_UA-12584548-1	1 minute	No description
_gfpc	session	No description available.
71cfb2288d832330cf35a9f9060f8d69	session	No description
cli_bypass	3 months	No description
CONSENT	16 years 6 months 13 days 18 hours	No description
gtm-session-start	2 hours	No description available.
isoCode	1 month	No description available.
L-k26wU	1 day	No description
L-KVHA4	1 day	No description
m	2 years	No description available.
newVisitorId	3 months	No description
owner_token	1 day	No description available.
PP-k26wU	1 hour	No description
PP-KVHA4	1 hour	No description
RL-k26wU	1 day	No description
RL-KVHA4	1 day	No description
wisepops	2 years	No description available.
wisepops_session	session	No description available.
wisepops_visits	2 years	No description available.
woocommerce_items_in_cart	session	No description available.
wp_woocommerce_session_1b44ba63fbc929b5c862fc58a81dbb22	2 days	No description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.

NTP Amplification DDoS Attack

What is an NTP Amplification Attack?

How does an NTP Amplification Attack Work?

How is an NTP Amplification Attack Mitigated?

Learn more about DDoS

What is the Golden Ticket

How it works: