The expert has shared some interesting details on these types of attacks

Feb 23, 2014 06:11 GMT

Network Time Protocol (NTP) amplification distributed denial-of-service (DDOS) attacks are becoming more common and more powerful. That's why we’ve reached out to Marc Gaffan, co-founder of Incapsula, to find out more about such attacks.

Prior to founding Incapsula, Marc Gaffan was director of product marketing at RSA. Before that, he was the director of marketing for the consumer solutions business unit at RSA. While at RSA, he gave presentations to the US Congress, the FDIC and the FTC on cyber security and identity theft topics.

Gaffan holds a double major B.A. in Computer Science and Economics from Tel Aviv University and an M.B.A. from Recanati Graduate School of Business Administration.

Softpedia: Please share some technical details about attacks leveraging NTP. What are the steps taken by the cybercriminals who launch them?

Marc Gaffan: These attacks came from a very selectively herded botnet of NTP-vulnerable servers. Many of them are connected with very high network capacity, making this botnet able to produce volumes of hundreds of Gbps.

These botnets are typically herded and rented, and in many cases, such as this one, can probably only be used once before being detected as a malicious source. It’s pretty hard to generate such high-bandwidth attacks without the hosting providers of these compromised servers noticing.

Softpedia: Cybercriminals come up with new ways to launch more and more powerful DDOS attacks. Can companies that provide DDOS mitigation services keep up? Is there any particular method that can be used to mitigate NTP amplification attacks?

Marc Gaffan: The best way to deal with such attacks is by “crowd sourcing” and sharing information about the originating IP addresses. These can be pushed to upstream networking providers or DDoS mitigation services that can use this information to block or null route the traffic originating from these sources instantly.

Softpedia: Have you found any evidence to suggest that the three DDOS attacks reported by CloudFlare, OVH and your company are linked in any way?

Marc Gaffan: We do not have any hard evidence but since the 3 attacks happened at the same time and used the same technique, we believe the same botnet and operator were involved.

Softpedia: Based on what you’re seeing, considering that a large number of alerts have been issued by security companies and CERTs, have organizations started taking steps to make sure their NTP servers are not abused for DDOS attacks?

Marc Gaffan: We do not track these statistics, but once a vulnerable server is used in an attack, there is a high probability of it being shut down by the hosting provider, which is a trigger for the owner to “clean up his/her act.”

Softpedia: Have NTP amplification attacks become more common than DNS amplification attacks?

Marc Gaffan: No, they are not more common than DNS amplification attacks. However, when used, they are typically fiercer than the DNS amplified attacks.

Softpedia: Most of the advisories regarding NTP reflection attacks mention the abuse of the “monlist” command. Are there any other commands that are being abused by the attackers?

Marc Gaffan: Not really. The "monlist" query, which replies with the IPs of the last 600 hosts that have connected to the server, is the most effective known way in which NTP could be abused for DDoS amplification.
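The "monlist" query Gaffan refers to travels in an NTP mode 7 (private) packet, so an operator can spot both the incoming probes and the amplified replies leaving a server by looking at a few header bytes. The script below is an added example, not code from the interview or from Incapsula: it classifies UDP/123 payloads by NTP mode and request code, then summarises monlist traffic at a server's network edge, including the response-bytes-per-request-byte ratio measured on the sample. The header layout follows ntpd's ntp_request.h (request codes 20 and 42 are REQ_MON_GETLIST and REQ_MON_GETLIST_1); the IP addresses and the datagrams are constructed for the example.

```python
"""Classify NTP payloads and flag mode 7 'monlist' requests and responses.

Added example for the interview above; not the interviewee's or Incapsula's code.
Mode 7 header (ntpd ntp_request.h):
  byte 0: R(1) M(1) VN(3) Mode(3)   mode 7 in the low 3 bits, R set on responses
  byte 1: Auth(1) Sequence(7)
  byte 2: implementation (3 = IMPL_XNTPD, used by the well-known monlist probe)
  byte 3: request code (20 = REQ_MON_GETLIST, 42 = REQ_MON_GETLIST_1)
  bytes 4-5: Err(4) NumItems(12); bytes 6-7: MBZ(4) DataItemSize(12)
All sample addresses and packets below are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42
NTP_PORT = 123


@dataclass(frozen=True)
class Datagram:
    src: str
    src_port: int
    dst: str
    dst_port: int
    payload: bytes


def classify_ntp_payload(payload: bytes) -> str:
    """Return 'modeN' for ordinary NTP, or a monlist label for mode 7 traffic."""
    if len(payload) < 8:            # a mode 7 header is 8 bytes; shorter is not NTP
        return "short"
    first = payload[0]
    mode = first & 0x07
    if mode != 7:
        return f"mode{mode}"        # mode 3/4 is the normal client/server exchange
    is_response = bool(first & 0x80)   # R bit distinguishes reply from request
    req_code = payload[3]
    if req_code in (REQ_MON_GETLIST, REQ_MON_GETLIST_1):
        return "monlist-response" if is_response else "monlist-request"
    return "mode7-other"


def scan_datagrams(datagrams: Iterable[Datagram], server_ip: str) -> dict:
    """Summarise monlist traffic seen at the edge of the network hosting server_ip.

    Inbound monlist requests mark the server as an abused reflector (the source
    address is usually the spoofed victim); outbound monlist responses are the
    amplified flood. 'amplification' is response bytes per request byte in the sample.
    """
    requests = responses = req_bytes = resp_bytes = 0
    victim_bytes: Dict[str, int] = {}
    for d in datagrams:
        kind = classify_ntp_payload(d.payload)
        if kind == "monlist-request" and d.dst == server_ip and d.dst_port == NTP_PORT:
            requests += 1
            req_bytes += len(d.payload)
            victim_bytes.setdefault(d.src, 0)      # spoofed source = likely victim
        elif kind == "monlist-response" and d.src == server_ip and d.src_port == NTP_PORT:
            responses += 1
            resp_bytes += len(d.payload)
            victim_bytes[d.dst] = victim_bytes.get(d.dst, 0) + len(d.payload)
    ratio = resp_bytes / req_bytes if req_bytes else 0.0
    return {"requests": requests, "responses": responses,
            "victim_bytes": victim_bytes, "amplification": ratio}


# Constructed sample traffic (TEST-NET addresses, RFC 5737).
SERVER = "198.51.100.10"   # the abused NTP server
VICTIM = "203.0.113.7"     # address written into the spoofed request

MONLIST_PROBE = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])  # VN=2, mode 7, code 42
CLIENT_TIME_REQUEST = bytes([0x23]) + b"\x00" * 47                        # LI=0, VN=4, mode 3


def monlist_response_packet(items: int = 6, item_size: int = 72) -> bytes:
    """One 440-byte monlist reply: R and M bits set, 6 MRU entries of 72 bytes (placeholders)."""
    header = bytes([0xD7, 0x00, 0x03, 0x2A]) + items.to_bytes(2, "big") + item_size.to_bytes(2, "big")
    return header + b"\x00" * (items * item_size)


SAMPLE = [
    Datagram("192.0.2.50", 50123, SERVER, NTP_PORT, CLIENT_TIME_REQUEST),  # benign client
    Datagram(VICTIM, NTP_PORT, SERVER, NTP_PORT, MONLIST_PROBE),           # spoofed probe
    Datagram(SERVER, NTP_PORT, VICTIM, NTP_PORT, monlist_response_packet()),
    Datagram(SERVER, NTP_PORT, VICTIM, NTP_PORT, monlist_response_packet()),
    Datagram(SERVER, NTP_PORT, VICTIM, NTP_PORT, monlist_response_packet()),
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(f"{d.src}:{d.src_port} -> {d.dst}:{d.dst_port} {classify_ntp_payload(d.payload)}")
    print(scan_datagrams(SAMPLE, SERVER))
```

A single 8-byte probe answered with three 440-byte replies already gives a 165:1 byte ratio on this constructed sample, which is why the advisories the question mentions tell operators to turn the feature off (`disable monitor`, or `restrict default ... noquery`, in ntp.conf) rather than rate-limit it. From the victim's side the same classifier applies to inbound traffic from source port 123: unsolicited mode 7 responses are the reflected flood.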

Softpedia: Most NTP reflection attacks haven’t lasted for a very long time. Is there a particular attack that lasted longer than others?

Marc Gaffan: These attacks are usually short (in the 30-60 minute range). Looking back on server logs from the last 30 days, we saw several 120+ minute incidents, but nothing longer than that.

Softpedia: In most cases, do cybercriminals stop their attacks only when they realize that they’re no longer causing damage because of the steps taken by the mitigation services provider, or do they stop their attacks anyway at some point?

Marc Gaffan: Actually, they don't. The attacks are usually pre-programmed or (in the case of "botnets for hire") "pre-purchased."

Either way, most of the attacks we see continue past the point of mitigation, and in some cases they will go on for days, or even weeks. Some attacks never stop at all, creating a continuous stress on our clients' network resources.

Softpedia: Can NTP attacks cause other damage besides temporary disruption of services?

Marc Gaffan: No, but the downtime will probably be significantly longer than the actual attack duration.