2014 – The rise and fall of the NTP Reflection Attack

Scott Barvick
By | May 21, 2014

Posted in: Enterprise DDoS Protection

I think the industry should set a goal to eliminate the NTP reflection attack before the end of 2014.   I’m talking about total eradication, and I’ll tell you why I think it is possible.  Although the ICS Cert was published in February of this year, the big news about NTP attacks started at the end of 2013, so it would be a real accomplishment if we can see its rise and fall within a single year.

We know that NTP reflection is a big problem; with 100+ Gbps attacks reported regularly and 400 Gbps attacks setting new DDoS records.  For those not so familiar with the technical details of the NTP reflection attack, see the Security Bistro’s NTP Reflection Attacks Video Blog for a nice explanation.  However, I’m talking about doing more than just stopping this attack at the edge of the customer network. I’d liSave Articleke to pose a challenge to this audience- Let’s work together to make this attack disappear completely.  The success of eliminating this threat would be the result of a collaboration of vendors working together, with their customers and other network operators to achieve Internet-wide elimination of a significant type of threat.  Who’s up for it?

I believe it is possible to go from 400 Gbps attacks to extinction in less than 1 year.   Primarily, because this attack is so simple it doesn’t really deserve to be such a problem.   Of course, there is elegance and effectiveness in simplicity (slowloris anyone?), but that only explains why it was able to ramp up so fast.   We should be able to take it down just as fast for the same reasons.  These are:

  • It is based on a protocol option that is obsolete and options to turn it off have been available for more than four years now  - this attack has an ‘off button’

  • Evasion is unlikely because the reflection and amplification come from standards-based system behavior – we don’t have to worry about ever-changing signatures

  • Every attacking packet carries the IP address of the legitimate server that is being used in the attack – we know who is being exploited and how to reach them

  • This attack very much plays upon the first ‘D’ in DDoS (distributed), and once a server is upgraded or has the option turned off, it will never participate in this attack again.   Future attacks will then be required to utilize a smaller and smaller set of servers, decreasing the overall potential of future attacks and increasing our ability to identify and shut them off.  We can ramp down faster by making this attack uninteresting before it is actually fully eradicated.

If we can all stand up to the challenge of eliminating NTP reflection attacks in the next 7 months, the next question is ‘sure Scott, but how do we get there?’   Corero takes steps to ensure that open servers inside our customers’ networks cannot contribute to attacks outside the network.  This is a step in the right direction, but vendors alongside Corero should be prepared to do the same. The simple answer is that we have to identify the participating servers and the networks they run on so that they can take the simple steps that can prevent them from contributing to further attacks.

Even though there are 1000s of vulnerable servers out there, we know exactly who they are. As mentioned above, in every packet in these attacks, possibly 400 Gbps worth of them, the source IP address is that of a legitimate, open NTP server.  While the Corero technology is knocking down the attack, we collect this source IP information (and so much more) for analysis and reporting.   A simple whois lookup on the source IP of the attacking packets, and we know who to send emails to about the size and frequency of attacks emanating from their networks. We know exactly who is vulnerable and where to apply patches.  And a ‘virtual patch’ is available.  While we protect networks, datacenters and hosting sites from inbound NTP monlist-response attacks, we are also simultaneously blocking any inbound monlist-request traffic attempting to leverage any downstream vulnerable NTP servers that have not yet been "patched".

I know it is easier to write the words than make them happen.  Perhaps with a little discussion, coordination and communication among us, that live and breathe the global threat landscape, we can get the word out to those who might not be aware of how they are enabling attacks on the very infrastructure they are serving.   One organization, the Open NTP Project, http://openntpproject.org, has already taken a great first step towards this same goal by offering a tool that anyone can use to confirm whether a subnet has NTP servers that are vulnerable to being used in attacks.   One idea is that we, as vendors watching the attacks as they occur, could support them by offering information we have on the open servers, and they, as a neutral party, could help in the communications to the operators of those networks.

I hope that I only have one more blog post to write about this attack.   At the end of 2014, I would like to look back at the year and note that we, as a united front against DDoS attacks and cyber threats identified, characterized, and mitigated these monumental threats, and worked together to close this chapter and enter it into the history books.
 

You May Also Be Interested In: