NTP Amplification Attacks, a simple but effective DDoS.
In this post, we will explore NTP amplification attacks. This will not be a technical deep dive, but rather a high-level overview of how these attacks work. For a more technical review, I recommend reading this post by Cloudflare.
What is NTP?
In order to understand how NTP amplification attacks work, we must first learn what NTP is. NTP, or Network Time Protocol, is a networking protocol used to synchronize the clocks of computers across a network, so that every device agrees on the same time. It is one of the oldest internet protocols still in use today, and has been around since 1985. It runs over UDP on port 123: a client sends a small request (a 48-byte NTP header) to a time server, stamped with the time it was sent, and the server answers with a packet of the same shape carrying the time it received the request and the time it sent the reply. Because UDP has no handshake, the server answers whoever the packet claims to be from; that property is what the attack below abuses. The client combines the two server timestamps with its own send and receive times to calculate the round-trip network delay and the offset between the two clocks, and adjusts its own clock to match the server's as closely as possible, achieving synchronization across systems.
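As an added example (not code from the original post), here is the exchange just described in Python, with the server side constructed in-process so it runs offline: the client builds a mode 3 request, accepts only a mode 4 reply whose origin timestamp echoes the client's own transmit timestamp, and then computes delay and offset from the four timestamps. The timestamp values and the stand-in server are made up for illustration; the packet layout and the arithmetic are those of RFC 5905.

```python
import math
import struct

# 48-byte NTP packet header (RFC 5905), network byte order:
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
# reference ID, then four 64-bit timestamps: reference, origin, receive, transmit.
NTP_HEADER = struct.Struct("!BBBbIIIQQQQ")
NTP_PORT = 123                  # NTP runs over UDP/123; unused here because nothing is sent
NTP_EPOCH_OFFSET = 2208988800   # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp_timestamp(unix_seconds):
    """Unix time as a float -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = math.floor(unix_seconds)
    fraction = int((unix_seconds - whole) * 2 ** 32) & 0xFFFFFFFF
    return ((whole + NTP_EPOCH_OFFSET) << 32) | fraction


def from_ntp_timestamp(ts):
    """64-bit NTP timestamp -> Unix time as a float."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / 2 ** 32


def build_client_request(t1_unix):
    """Mode 3 request: LI=0, VN=4, Mode=3 packs to 0x23; only the transmit
    timestamp (T1, when the client sent it) is filled in."""
    first_byte = (0 << 6) | (4 << 3) | MODE_CLIENT
    return NTP_HEADER.pack(first_byte, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp_timestamp(t1_unix))


def parse_packet(data):
    """Decode the fields a client needs from any 48-byte (or longer) NTP packet."""
    if len(data) < NTP_HEADER.size:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    f = NTP_HEADER.unpack_from(data)
    return {
        "leap": f[0] >> 6, "version": (f[0] >> 3) & 0x7, "mode": f[0] & 0x7,
        "stratum": f[1], "origin": f[8], "receive": f[9], "transmit": f[10],
    }


def build_server_response(request, t2_unix, t3_unix):
    """Constructed stand-in for a real server's mode 4 reply: echoes the request's
    transmit timestamp as origin and records when the server received (T2) and
    answered (T3). Stratum 2, precision 2^-20, reference ID left at 0."""
    req = parse_packet(request)
    first_byte = (0 << 6) | (4 << 3) | MODE_SERVER
    return NTP_HEADER.pack(first_byte, 2, 0, -20, 0, 0, 0, 0,
                           req["transmit"], to_ntp_timestamp(t2_unix), to_ntp_timestamp(t3_unix))


def reply_matches_request(request, response):
    """RFC 5905 sanity check: a reply counts only if it is mode 4 and its origin
    timestamp echoes our transmit timestamp; anything else is a stray, replayed or
    forged packet and is dropped."""
    resp = parse_packet(response)
    return resp["mode"] == MODE_SERVER and resp["origin"] == parse_packet(request)["transmit"]


def sync_from_exchange(request, response, t1_unix, t4_unix):
    """Client-side math: round-trip delay and clock offset from T1..T4."""
    if not reply_matches_request(request, response):
        raise ValueError("reply does not belong to this request")
    resp = parse_packet(response)
    t2 = from_ntp_timestamp(resp["receive"])
    t3 = from_ntp_timestamp(resp["transmit"])
    delay = (t4_unix - t1_unix) - (t3 - t2)          # time on the network only; server processing removed
    offset = ((t2 - t1_unix) + (t3 - t4_unix)) / 2   # positive: server clock is ahead of ours
    return delay, offset


if __name__ == "__main__":
    # Constructed exchange: client sends at T1=100.0, server receives at T2=100.3,
    # replies at T3=100.35, client receives at T4=100.5 (server clock 0.075 s ahead).
    req = build_client_request(100.0)
    resp = build_server_response(req, 100.3, 100.35)
    delay, offset = sync_from_exchange(req, resp, 100.0, 100.5)
    print("request %d bytes, reply %d bytes" % (len(req), len(resp)))
    print("delay %.3f s, offset %+.3f s" % (delay, offset))
```

The origin-timestamp check is worth noticing: it protects a client from accepting a reply it never asked for, but it does nothing for the server, which has no equivalent way to know whether the request's source address is genuine.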
How an NTP Amplification Attack Works
From a high level, the attack begins with a spoofed NTP request sent to a server that still answers the MONLIST command. MONLIST is not part of time synchronization at all: it is a "mode 7" administrative query, the kind sent by the ntpdc tool, which asks ntpd for the last 600 hosts it has exchanged packets with. The 'spoofed' part of the request is the source IP address, which is forged to be the target's IP address. Since NTP runs over UDP, there is no handshake to prove the sender owns that address, so the server sends its answer to the target instead of the attacker. That answer, a list of up to 600 hosts spread over on the order of a hundred UDP packets, is vastly larger than the few dozen bytes of the request. That is where the 'amplification' part of the attack comes in. Small requests are turned into large responses, which are routed to the target. With enough of these requests, sent to enough servers, the target will be overwhelmed with traffic, leading to a Denial of Service. Note that the target only ever sees packets arriving from UDP port 123 of otherwise legitimate NTP servers; the attacker's own address never appears in them, which is why this is also called a reflection attack.

The 'amplification factor' of an NTP amplification attack is the ratio of the response size to the request size. This varies with how many entries the server has to return, but if the MONLIST response is fully populated with 600 hosts, the response is about 206 times larger than the original request. The ntpd project disabled MONLIST in version 4.2.7p26 (the issue is tracked as CVE-2013-5211), so only older or deliberately misconfigured servers still amplify.
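An added example, not from the original post: detection logic for the traffic pattern just described, run over constructed NetFlow-style records (documentation address ranges, with byte counts chosen to mimic ordinary 48-byte time replies versus MONLIST output). The rule is the one a network defender would write: a host that receives far more UDP/123 traffic than it ever sent to UDP/123, or receives reply packets too large to be a time reply, is being used as a reflection target. Thresholds are assumptions to tune for your own network.

```python
from collections import defaultdict

NTP_PORT = 123
# A normal NTPv4 reply is a 48-byte UDP payload (76 bytes on the wire with IPv4/UDP
# headers); even an authenticated reply stays well under this limit. Larger
# per-packet replies mean the server is sending mode 6/7 data such as MONLIST output.
MAX_TIME_REPLY_BYTES = 200   # assumption: tune for your environment

# Constructed NetFlow-style records, not real traffic:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
# 203.0.113.0/24 is our network, 198.51.100.0/24 are public NTP servers.
FLOWS = [
    ("203.0.113.10", 40000, "198.51.100.5", 123, "udp", 76, 1),      # our client asks for time
    ("198.51.100.5", 123, "203.0.113.10", 40000, "udp", 76, 1),      # normal 48-byte reply
    ("203.0.113.30", 50001, "198.51.100.5", 123, "udp", 76, 1),
    ("198.51.100.5", 123, "203.0.113.30", 50001, "udp", 76, 1),
    # MONLIST output aimed at 203.0.113.20, which never sent a request: the
    # attacker spoofed its address in requests to three abused servers
    ("198.51.100.7", 123, "203.0.113.20", 80, "udp", 48200, 100),
    ("198.51.100.8", 123, "203.0.113.20", 80, "udp", 48200, 100),
    ("198.51.100.9", 123, "203.0.113.20", 80, "udp", 24100, 50),
]


def detect_ntp_amplification(flows, ratio_threshold=10.0, min_bytes=10000):
    """Per destination: bytes received from UDP/123 versus bytes it sent to UDP/123.
    A host receiving far more NTP traffic than it requested (or any at all with no
    request) is a reflection target. Returns {victim_ip: details}."""
    sent_to_ntp = defaultdict(int)
    received_from_ntp = defaultdict(int)
    reflectors = defaultdict(set)
    largest_packet = defaultdict(float)

    for src, sport, dst, dport, proto, nbytes, pkts in flows:
        if proto != "udp" or pkts == 0:
            continue
        if dport == NTP_PORT:
            sent_to_ntp[src] += nbytes
        if sport == NTP_PORT:
            received_from_ntp[dst] += nbytes
            reflectors[dst].add(src)
            largest_packet[dst] = max(largest_packet[dst], nbytes / pkts)

    alerts = {}
    for victim, rx in received_from_ntp.items():
        tx = sent_to_ntp.get(victim, 0)
        ratio = rx / tx if tx else float("inf")   # nothing requested: every byte is unsolicited
        oversized = largest_packet[victim] > MAX_TIME_REPLY_BYTES
        if rx >= min_bytes and (ratio >= ratio_threshold or oversized):
            alerts[victim] = {
                "bytes": rx,
                "ratio": ratio,
                "reflectors": sorted(reflectors[victim]),   # the servers being abused, not the attacker
                "max_pkt_bytes": round(largest_packet[victim]),
            }
    return alerts


if __name__ == "__main__":
    for victim, info in detect_ntp_amplification(FLOWS).items():
        print("%s: %d bytes from %d NTP servers, largest packet %d bytes, ratio %s"
              % (victim, info["bytes"], len(info["reflectors"]), info["max_pkt_bytes"], info["ratio"]))
```

The reflector list is what you would send abuse reports to; it is not a list of attackers. Blocking those addresses at the victim is a short-term measure at best, since the attacker can pick a different set of servers at will.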
We can see an example of this attack being used in the real world in this blog post from Cloudflare: Technical Details Behind a 400Gbps NTP Amplification DDoS Attack.
Using tools like Censys, a simple search for services.service_name: "NTP" AND services.port: 123 shows that there are over 6 million NTP servers out there. Not all of them amplify: that figure counts anything answering on UDP/123, whereas an attacker only needs the subset that still replies to a MONLIST query, and probing a list like this for them is easy. To keep your own server off that list, run an ntpd of 4.2.7p26 or later, where MONLIST is disabled, and keep it up to date with the latest security patches; on any version, setting disable monitor together with a restrict default line that includes noquery in ntp.conf refuses mode 6/7 queries while time service continues. Running ntpdc -n -c monlist against your server from another host should then time out rather than return entries. Beyond the server itself, the spoofed requests can only originate from networks that do not filter forged source addresses, so ingress filtering at the network edge (BCP 38) removes an attacker's ability to launch the attack in the first place.
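An added example, not from the original post: a small audit of the two ntp.conf settings mentioned above, with a constructed unhardened configuration beside a hardened one. The directive semantics are ntpd's own (disable monitor drops the recent-client table that MONLIST reads; restrict default ... noquery refuses ntpq/ntpdc queries from everyone without affecting time service); the configuration text and the audit function are mine.

```python
# Constructed ntp.conf fragments for illustration, not a real host's configuration.
VULNERABLE_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
# no restrict lines at all: anyone may send control/private-mode queries
"""

HARDENED_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
# stop tracking recent clients, so there is nothing for MONLIST to return
disable monitor
# serve time to everyone; accept queries and modifications from no one
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# local management still works
restrict 127.0.0.1
restrict ::1
"""


def parse_directives(conf_text):
    """Yield (keyword, args) for each non-comment line of an ntp.conf."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            tokens = line.split()
            yield tokens[0], tokens[1:]


def audit_ntp_conf(conf_text):
    """Return findings that leave the MONLIST path open on an ntpd that still has it.
    An empty list means both protections are in place."""
    monitor_disabled = False
    default_restrict_flags = []   # flag sets from every "restrict [-4|-6] default ..." line
    for keyword, args in parse_directives(conf_text):
        if keyword == "disable" and "monitor" in args:
            monitor_disabled = True
        elif keyword == "restrict":
            addr_args = [a for a in args if a not in ("-4", "-6")]
            if addr_args and addr_args[0] == "default":
                default_restrict_flags.append(set(addr_args[1:]))

    findings = []
    if not default_restrict_flags:
        findings.append("no 'restrict default' line: mode 6/7 queries are accepted from any address")
    elif any("noquery" not in flags for flags in default_restrict_flags):
        findings.append("'restrict default' lacks 'noquery': ntpq/ntpdc queries are answered for everyone")
    if not monitor_disabled:
        findings.append("'disable monitor' not set: the recent-client list exists for MONLIST to return")
    return findings


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", audit_ntp_conf(conf) or ["no findings"])
```

Note that the audit reads only the configuration; a server running ntpd 4.2.7p26 or later has MONLIST disabled regardless of these lines, and the noquery restriction is still worth keeping there to block other mode 6/7 queries.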
Summary
NTP amplification attacks are a simple but effective way to cause a Denial of Service. While most NTP servers these days are not vulnerable to this attack, since MONLIST has been disabled in ntpd for years, it is still quite an interesting method to know about. Amplification-based attacks can be scary, as they usually do not require the attacker to have many resources in order to carry out an attack with potentially devastating effects, and the target sees only the reflecting servers, never the attacker. As a cybersecurity professional, it is important to be aware of these types of attacks, and to know how to protect against them.