During the last few months, we’ve seen an increasing number of NTP amplification attacks. It’s an attack technique, similar to the previous wave of DNS amplification attacks, used mostly by script kiddies (but also by black hats) to take sites or servers offline.
The technique behind the attack is pretty simple: using public NTP servers, the attacker sends a request and spoofs the source address. This makes the NTP server respond to the target server (instead of to the real source). Using a large network of NTP servers, the sheer volume of these responses will then likely knock the site or servers offline.
Unfortunately there are plenty of public NTP servers out there that are exposed to this vulnerability.
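The request being reflected is NTP's mode 7 "monlist" query, whose reply is many times larger than the query. The following is an added example (not CloudSigma's code) that decodes the NTP header layout from ntpd's ntp_request.h so an operator looking at their own UDP/123 traffic can tell ordinary time sync from monlist queries and replies, and can spot many queries arriving "from" one address, which is the spoofed victim rather than a real client. All packet bytes and IP addresses below are constructed for the demo, not captured from a real server.

```python
# Added example (not CloudSigma's code): classify NTP packets seen on UDP/123
# so an operator can separate ordinary time sync from mode 7 "monlist" traffic,
# the request/response pair abused by NTP amplification. Packet bytes are
# constructed for the demo, not captured from a real server.
from collections import Counter

# Mode 7 ("private") request codes from ntpd's ntp_request.h
REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}


def parse_ntp_header(data: bytes) -> dict:
    """Decode the leading bytes of an NTP packet.

    Byte 0 is LI/VN/Mode for modes 1-6 and R/M/VN/Mode for mode 7; the low
    three bits hold the mode in both layouts. For mode 7, bit 7 of byte 0
    marks a response and byte 3 carries the request code.
    """
    if len(data) < 4:
        raise ValueError("too short to be an NTP packet")
    first = data[0]
    mode = first & 0x07
    info = {"mode": mode, "version": (first >> 3) & 0x07}
    if mode == 7:
        info["response"] = bool(first & 0x80)
        info["more"] = bool(first & 0x40)
        info["implementation"] = data[2]
        info["request_code"] = data[3]
        info["monlist"] = data[3] in MONLIST_CODES
    else:
        info["response"] = mode == 4   # server reply to a mode 3 client
        info["monlist"] = False
    return info


def is_monlist_request(data: bytes) -> bool:
    """True for a mode 7 monlist query: the small packet that triggers a large reply."""
    h = parse_ntp_header(data)
    return h["mode"] == 7 and h["monlist"] and not h["response"]


def is_monlist_response(data: bytes) -> bool:
    """True for a mode 7 monlist reply leaving the server: a sign the host is exposed."""
    h = parse_ntp_header(data)
    return h["mode"] == 7 and h["monlist"] and h["response"]


def monlist_requests_by_source(packets) -> Counter:
    """Count monlist queries per claimed source IP from (src_ip, payload) tuples.

    Many queries toward one "source" is the signature of a reflection attack:
    the address is the spoofed victim, not a real client.
    """
    counts = Counter()
    for src, payload in packets:
        if len(payload) >= 4 and is_monlist_request(payload):
            counts[src] += 1
    return counts


# Constructed sample payloads (not real captures):
# 0x23 = LI 0, VN 4, mode 3: a normal client time request.
NORMAL_CLIENT = bytes([0x23]) + bytes(47)
# 0x24 = LI 0, VN 4, mode 4: the server's reply to it.
NORMAL_SERVER = bytes([0x24]) + bytes(47)
# 0x17 = R 0, M 0, VN 2, mode 7; impl 3 (XNTPD); request 42 (MON_GETLIST_1).
MONLIST_REQ = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(44)
# 0x97 = same header with the response bit set; 6 items of 72 bytes follow.
MONLIST_RESP = bytes([0x97, 0x00, 0x03, 0x2A, 0x00, 0x06, 0x00, 0x48]) + bytes(432)

# Constructed traffic sample using documentation-range addresses.
SAMPLE_TRAFFIC = [
    ("198.51.100.7", NORMAL_CLIENT),
    ("203.0.113.9", MONLIST_REQ),
    ("203.0.113.9", MONLIST_REQ),
    ("203.0.113.9", MONLIST_REQ),
    ("198.51.100.7", NORMAL_CLIENT),
]

if __name__ == "__main__":
    for src, n in monlist_requests_by_source(SAMPLE_TRAFFIC).items():
        print(f"{src}: {n} monlist queries (likely spoofed victim address)")
```

The size of the constructed reply relative to the request (440 bytes against 48) is what makes the technique an amplification attack rather than plain flooding; on a real server the reply spans many such packets, one per six monitored clients.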
How do you protect yourself?
Protecting yourself from DDoS attacks in general is a tricky subject. At CloudSigma we already have DDoS mitigation built into our cloud. While that goes a long way, if you’re a high-profile target, you might also want to look into external services like CloudFlare for extra protection.
Secure your NTP servers!
If you’re running a public NTP server, you really need to make sure that you’re not exposed to this vulnerability. The easiest way to check this is to use the ntp-monlist NSE script for Nmap and run a scan against your servers.
An easier solution is of course not to make your NTP servers public.
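Besides scanning from the outside, the ntpd configuration itself can be audited. The following is an added example (not CloudSigma's code) that checks an ntp.conf for the two settings that close monlist off: "disable monitor", which stops ntpd keeping the list at all, and "noquery" on the default restrict lines, which refuses mode 6/7 queries from everyone not explicitly allowed. The two configuration texts are constructed for the demo; the Nmap command in the comment is the post's suggested external check.

```python
# Added example (not CloudSigma's code): audit an ntpd configuration for the
# settings that leave the monlist query reachable. Both sample configs below
# are constructed for the demo. The external check the post recommends is run
# separately against your own hosts:
#   nmap -sU -p U:123 -Pn -n --script=ntp-monlist <your-ntp-server>


def _directives(conf: str):
    """Yield (keyword, [args]) for each non-comment line of an ntp.conf."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0].lower(), [p.lower() for p in parts[1:]]


def check_ntp_conf(conf: str) -> list:
    """Return a list of findings; an empty list means monlist is not exposed."""
    findings = []
    monitor_disabled = False
    default_restricts = {}   # family ("-4", "-6" or "any") -> set of flags
    for kw, args in _directives(conf):
        if kw == "disable" and "monitor" in args:
            monitor_disabled = True
        elif kw == "enable" and "monitor" in args:
            monitor_disabled = False      # a later "enable monitor" wins
        elif kw == "restrict":
            # syntax: restrict [-4|-6] address [mask m] [flag ...]
            fam = ""
            if args and args[0] in ("-4", "-6"):
                fam, args = args[0], args[1:]
            if args and args[0] == "default":
                default_restricts[fam or "any"] = set(args[1:])
    if not monitor_disabled:
        findings.append("monitor not disabled: add 'disable monitor'")
    if not default_restricts:
        findings.append("no 'restrict default' line: all clients may send queries")
    for fam, flags in default_restricts.items():
        # "ignore" drops every packet, so it also closes the hole (but kills time service)
        if "noquery" not in flags and "ignore" not in flags:
            findings.append(f"restrict {fam} default lacks 'noquery'")
    return findings


# Constructed sample configs (not from any real host).
WEAK_CONF = """\
# exposed: monitor left on and anyone may send queries
server ntp.example.com
restrict default kod nomodify notrap nopeer
"""

HARDENED_CONF = """\
# closed: no mode 6/7 queries from outside, and no monlist data kept at all
server ntp.example.com
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        issues = check_ntp_conf(conf)
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

The loopback restrict lines in the hardened config keep ntpq and ntpdc working locally for the administrator while the default lines refuse the same queries from the network.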
Further reading
If you want to learn more about this topic, the following articles might be a good starting point:
- Deep Inside a DNS Amplification DDoS Attack
- Biggest DDoS ever aimed at Cloudflare’s content delivery network
- Why can we not block DNS Amplification attack by blocking UDP packets or DNS response packet?