
Monday 24 March 2014

Understanding NTP-based DDoS attacks

Recently you might have heard of a new tool in the DDoS arsenal: NTP-based attacks. They have become popular over the last few months and have caused trouble for several gaming websites and service providers.

This post explains how an NTP-based attack works and how website and server owners can help mitigate them. EVERWORKS helps to defend websites against DDoS attacks; server owners can do their part by making configuration changes to their firewalls and NTP servers. Doing so makes the web safer for everyone.


A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with a large amount of traffic from many sources. Such attacks normally aim at high-profile targets and make it hard for people to access and publish information.

DDoS Protection - EVERWORKS & Prolexic: EVERWORKS and Prolexic have been working together since 2008 to provide a DDoS protection solution in Malaysia.

Results: EVERWORKS and Prolexic have successfully mitigated a 6 Gbps DDoS attack against colocation clients in Malaysia (the clients' IP addresses were hidden behind Prolexic's proxy servers / scrubbing centre).

Prolexic Technologies is the world's leading DDoS protection and mitigation provider, protecting and restoring mission-critical, Internet-facing infrastructure for global enterprises and government agencies.

Reflection attack

A reflection attack works when an attacker can send a packet with a forged source IP address. The attacker sends a packet that appears to come from the intended victim to a server on the Internet that replies immediately. Because the source IP address is forged, the remote server sends its reply to the victim rather than back to the attacker. UDP makes this easy: there is no handshake, so the server has no way to check that the source address is genuine before answering.

This has two (2) effects:

  1. The actual source of the attack is hidden.
  2. If many Internet servers are used, the attack can consist of an overwhelming number of packets hitting the victim from all over the world.

Network Time Protocol attacks: as easy as (UDP port) 123.

NTP is the Network Time Protocol, used by machines connected to the Internet to set their clocks. It runs over UDP on port 123.

Unfortunately, this simple protocol is vulnerable to amplification attacks: an NTP server will reply to a packet with a spoofed source IP address, and some of its replies are many times larger than the request that triggered them. A small forged request from the attacker therefore turns into a much larger reply aimed at the victim. That makes it DDoS ready!
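The post does not name the specific NTP command, so as an added example (not code from the original post) here is a small self-audit script that covers both the reflection section above and the amplification point: it sends the NTP mode 7 "monlist" query, which was the request abused in the attacks of early 2014, from your own (unspoofed) address and reports whether the server answers with data and how many bytes come back per byte sent. The packet layout follows ntpd's ntp_request.h (version 2, mode 7, implementation 3, request code 42, 72-byte monitor entries); the sample datagrams built by fake_monlist_response() are constructed for offline testing, not captured traffic. Only point probe() at servers you administer.

```python
"""Audit an NTP server for the mode 7 'monlist' query abused in NTP reflection.

Added example for this post, not code from the original article.
Standard library only; packet layout per ntpd's ntp_request.h.
"""
import socket
import struct

# Mode 7 "private" request: rm_vn_mode = version 2 | mode 7 (0x17),
# auth/seq = 0, implementation 3 (IMPL_XNTPD), request 42 (REQ_MON_GETLIST_1),
# then err/nitems and mbz/itemsize both zero.  Eight bytes of UDP payload.
MONLIST_REQUEST = b"\x17\x00\x03\x2a\x00\x00\x00\x00"
HEADER_SIZE = 8
MON_ITEM_SIZE = 72        # sizeof(struct info_monitor_1): one entry per client seen
REQ_MON_GETLIST_1 = 42
IMPL_XNTPD = 3


def parse_mode7_header(datagram: bytes) -> dict:
    """Decode the 8-byte mode 7 header of a request or response datagram."""
    if len(datagram) < HEADER_SIZE:
        raise ValueError("datagram shorter than a mode 7 header")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(
        "!BBBBHH", datagram[:HEADER_SIZE])
    return {
        "response": bool(rm_vn_mode & 0x80),   # set on replies
        "more": bool(rm_vn_mode & 0x40),       # further datagrams follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "mode": rm_vn_mode & 0x07,
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request": req,
        "error": err_nitems >> 12,             # 0 = ok, 4 = no data (monitor disabled)
        "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_itemsize & 0x0FFF,
    }


def classify(responses: list) -> str:
    """'open'   = answers monlist with client data (usable as a reflector),
       'closed' = answers with an error code (e.g. 'disable monitor'),
       'silent' = nothing came back (noquery restriction or a firewall)."""
    if not responses:
        return "silent"
    h = parse_mode7_header(responses[0])
    if (h["mode"] == 7 and h["response"] and h["request"] == REQ_MON_GETLIST_1
            and h["error"] == 0 and h["nitems"] > 0):
        return "open"
    return "closed"


def amplification_factor(responses: list, request: bytes = MONLIST_REQUEST) -> float:
    """Bytes received per byte sent, counting UDP payload only."""
    return sum(len(r) for r in responses) / len(request)


def probe(host: str, port: int = 123, timeout: float = 2.0) -> list:
    """Send one monlist request from our real address and collect every
    datagram that arrives before the timeout.  A reflection attack would
    differ only in the forged source address, which we do not do here."""
    responses = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(MONLIST_REQUEST, (host, port))
        try:
            while True:
                data, _ = s.recvfrom(1024)
                responses.append(data)
        except socket.timeout:
            pass
    return responses


def fake_monlist_response(nitems: int, more: bool, error: int = 0) -> bytes:
    """Constructed sample datagram for offline testing (not captured traffic).
    A real monlist reply carries up to 6 entries of 72 bytes: 8 + 432 = 440 bytes."""
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
    header = struct.pack("!BBBBHH", rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1,
                         (error << 12) | nitems, MON_ITEM_SIZE)
    return header + b"\x00" * (MON_ITEM_SIZE * nitems)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    got = probe(target)
    print("%s: %s, %d datagram(s), %.1fx amplification"
          % (target, classify(got), len(got),
             amplification_factor(got) if got else 0.0))
```

Run it as `python3 ntp_audit.py your.ntp.server`. A server you have hardened should come back "silent" or "closed"; "open" with an amplification factor in the tens or hundreds means anyone can spoof your users' addresses at it.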

Avoid this problem

If you are running a normal NTP daemon to set the time on your server, you need to know how to configure it so that your machine cannot be used as a reflector.

Here are two (2) secure NTP templates that, from what I have read, seem to be good:

  1. ENISA's Secure NTP Template
  2. Team Cymru's Secure NTP Template (this shows how to secure the NTP client on Cisco IOS, Juniper JUNOS, or with iptables on a Linux system).
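As an added illustration (written for this post, not taken from the templates above), here is what the hardening looks like in an ntp.conf for ntpd 4.2.x. The weak setting and the corrected one are shown side by side; the server names are placeholders to replace with your own.

```conf
# /etc/ntp.conf -- added hardening example, not from the templates linked above.

# WEAK: with no restrict line, or a bare "restrict default", ntpd answers
# status queries and mode 7 commands (monlist included) from any address,
# so a forged request from a victim's IP gets a large reply sent to the victim.
# restrict default

# HARDENED: serve time only.
#   noquery   - refuse ntpq/ntpdc status and mode 7 requests (this is what stops monlist)
#   nomodify  - refuse runtime configuration changes
#   notrap    - refuse trap (event notification) registration
#   nopeer    - refuse unsolicited peering requests
#   kod       - send a Kiss-o'-Death packet to clients that violate restrictions
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# The host itself may still query its own daemon (ntpq -p works locally).
restrict 127.0.0.1
restrict -6 ::1

# Upstream time sources (placeholders): replies from them are still accepted.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst

# On ntpd older than 4.2.7p26 the monitor list is on by default; switch it off
# as well, so even a query that gets through returns no client data.
disable monitor
```

Restart ntpd after editing and confirm from another host that `ntpdc -n -c monlist your.server` now gets no answer. If the machine is purely a client, you can additionally firewall inbound UDP/123 as the Team Cymru template does: accept established UDP/123 traffic first (so replies from your configured servers still arrive), then drop everything else to that port.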


This is a very brief update on NTP-based DDoS attacks; if you have more in-depth explanations or solutions, please feel free to share them with us.

Additional Reading: If you are concerned about DDoS attacks you might also be concerned about SQL injection. Find out if you are vulnerable to SQL injection.

