NTP Amplification DDoS Attacks Are Skyrocketing. Do You Have Your Defense System in Place?

By Linda Musthaler | March 17, 2014

Posted in: ISP DDoS Protection, Hosting Provider DDoS Protection

In his recent “Attack of the Month Video Blog Series,” Stephen Gates talks about NTP reflective traffic as the latest technique being used to launch DDoS attacks against hapless victims. This is certainly something to pay attention to. Since the beginning of 2014, the number of attacks using this method has skyrocketed, largely because there is a new NTP reflection/amplification toolkit available in the underground world used by cybercriminals. Toolkits like this promote Cybercrime-as-a-Service and it appears that many attackers are buying.

NTP, which stands for Network Time Protocol, is a protocol that has been around for decades and it is ubiquitous on the Internet. It’s a mechanism that synchronizes the clocks on Internet-connected devices of every type—servers, routers, PCs, etc. It’s everywhere that you can imagine. This is another reason why it’s so easy to exploit.

NTP servers are subject to different kinds of abuse, one of which is to repeatedly query the server and have it send information to a target computer. The problem is that the traffic sent to the target computer in response to the original query is much larger than the query itself. A simple 36-byte query can return a response of 22,000 bytes. A DDoS attacker spoofs the source IP address of the query so that it appears to originate from the victim, and the massive response gets sent, unsolicited, to that unsuspecting victim. With enough queries, the responses can be totally overwhelming.

If the attacker uses a botnet to forge requests to an NTP server and have it respond back to a single target computer, this is a reflection attack. The “source” address is spoofed and it is set to the actual IP address of the targeted victim. When a vast number of large replies get sent to that victim computer, its systems get overwhelmed.
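Because the source address is spoofed, the victim receives NTP replies it never asked for, and that is something a defender can measure. The Python below is an added example, not from the original post: it walks constructed flow records and totals UDP/123 replies that have no recent matching outbound query, per destination. The record layout, the 5-second window, the byte threshold and the protected network are assumptions.

```python
import ipaddress
from collections import defaultdict

NTP_PORT = 123
WINDOW = 5.0  # assumed: seconds a reply may lag behind its query

# Constructed flow records: (time, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    (0.0, "192.0.2.10", 40000, "198.51.100.5", 123, 48),   # genuine query
    (0.1, "198.51.100.5", 123, "192.0.2.10", 40000, 48),   # its reply
    (1.0, "203.0.113.7", 123, "192.0.2.20", 80, 22000),    # nobody asked
    (1.1, "203.0.113.8", 123, "192.0.2.20", 80, 22000),
    (1.2, "203.0.113.9", 123, "192.0.2.20", 80, 22000),
    (9.0, "198.51.100.5", 123, "192.0.2.10", 40000, 48),   # query already answered
]

def find_reflection(flows, protected="192.0.2.0/24", min_bytes=10000):
    """Return {victim_ip: (unsolicited_bytes, reflector_count)} for
    protected hosts that received at least min_bytes of unsolicited replies."""
    net = ipaddress.ip_network(protected)
    inside = lambda ip: ipaddress.ip_address(ip) in net
    pending = {}                  # (client, client_port, server) -> query time
    unsolicited = defaultdict(int)
    reflectors = defaultdict(set)
    for ts, src, sport, dst, dport, size in sorted(flows):
        if dport == NTP_PORT and inside(src):
            pending[(src, sport, dst)] = ts          # outbound query seen
        elif sport == NTP_PORT and inside(dst):
            asked = pending.pop((dst, dport, src), None)
            if asked is not None and ts - asked <= WINDOW:
                continue                             # reply to a real query
            unsolicited[dst] += size                 # reply with no query
            reflectors[dst].add(src)
    return {ip: (total, len(reflectors[ip]))
            for ip, total in unsolicited.items() if total >= min_bytes}

if __name__ == "__main__":
    for victim, (total, servers) in find_reflection(FLOWS).items():
        print(f"{victim}: {total} unsolicited bytes from {servers} NTP servers")
```

Each query is matched to at most one reply, so a stray late reply is counted as unsolicited but stays under the threshold unless the volume builds up.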

What makes this scenario a challenge to defend against is that the response traffic appears to be legitimate. Therefore a firewall will just let it pass through. It takes a much more sophisticated solution in front of the firewall to understand the nature of the attack traffic and block it. For recommendations on how to mitigate an NTP reflective/amplification attack, check out Stephen’s video.


Even if your organization isn’t the targeted victim of this type of DDoS attack, you may be vulnerable as “collateral damage.” Because the traffic volume can be so large – observed attacks have reached 400 Gbps – it can completely overwhelm an ISP’s bandwidth if no mitigation solution is in place. For peace of mind, talk to your ISP to get assurance that the company has a proven solution to maintain availability in the event of an NTP reflective/amplification attack.
