A warning from the United States Computer Emergency Readiness Team (US-CERT) announces an increase in Distributed Denial-of-Service (DDoS) attacks that “leverage the Network Time Protocol (NTP) to amplify the attack volume”, according to a recent article published by EWeek. US-CERT outlined how DDoS attacks can take multiple shapes as “those who commit them leverage different techniques to drown Websites under a flood of traffic”, as the article indicates.
As clarified in the article, “NTP is a widely deployed Internet protocol that is primarily used as a time-keeping technique for clock synchronization” – but according to this report, attackers are not simply “requesting the time from an NTP server to execute DDoS attacks.” The article states that the invaders are “abusing a feature in NTP that enables administrators to query an NTP server” – via a monlist command – to gain information on “connected clients and their traffic counts.”
According to this report, the US-CERT continues to warn by saying, “This command causes a list of the last 600 IP addresses which connected to the NTP server to be sent to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim.” In addition, the article also quotes the US-CERT warning to say that “since NTP traffic is typically considered legitimate, it can be difficult for administrators to block the attack.”
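The mechanics quoted above (a small mode-7 "private" query whose reply is many times larger) are exactly what a network defender can look for. The following Python script is an added example written for this summary; it is not code from the EWeek article or from US-CERT. It decodes the first bytes of NTP payloads, recognises monlist queries by their mode-7 request codes (MON_GETLIST = 20 and MON_GETLIST_1 = 42, as defined in ntpd's ntp_request.h), and computes the response-to-request byte ratio per client/server pair so that the amplification pattern stands out. The traffic records, addresses (documentation ranges) and packet sizes are constructed for the example; the analysis function and its thresholds are this example's own choices.

```python
"""Flag NTP monlist amplification patterns in captured UDP/123 traffic.

Added example (not from the EWeek article or the US-CERT alert). Records
are constructed sample data; a real deployment would feed it packets or
flow records from a capture. In a reflection attack the "client" address
is the spoofed victim, so a server-side sensor sees requests apparently
coming from the victim and the amplified replies going back to it.
"""
from collections import defaultdict

NTP_MODE_PRIVATE = 7     # mode 7 = ntpd's private/monitoring protocol
MON_GETLIST = 20         # request codes from ntp_request.h
MON_GETLIST_1 = 42
MONLIST_CODES = (MON_GETLIST, MON_GETLIST_1)


def parse_ntp_header(payload: bytes) -> dict:
    """Decode the fields needed to recognise a monlist query.

    Byte 0 is R(1) M(1) VN(3) Mode(3). For mode-7 packets byte 1 carries
    the auth bit and sequence number, byte 2 the implementation number
    and byte 3 the request code; other modes do not have a request code.
    """
    if len(payload) < 4:
        raise ValueError("payload too short for an NTP header")
    b0 = payload[0]
    header = {
        "response": bool(b0 & 0x80),
        "version": (b0 >> 3) & 0x07,
        "mode": b0 & 0x07,
        "request_code": None,
    }
    if header["mode"] == NTP_MODE_PRIVATE:
        header["request_code"] = payload[3]
    return header


def is_monlist_request(payload: bytes) -> bool:
    """True for a mode-7 request whose request code is a MON_GETLIST variant."""
    h = parse_ntp_header(payload)
    return (h["mode"] == NTP_MODE_PRIVATE and not h["response"]
            and h["request_code"] in MONLIST_CODES)


def analyze(records, min_ratio=10.0):
    """Group mode-7 traffic by (client, server) and report pairs that sent
    monlist queries and received at least min_ratio times as many bytes back.

    Each record is {"src": str, "dst": str, "payload": bytes} for a UDP/123
    packet; ordinary mode 3/4 time-sync packets are ignored.
    """
    stats = defaultdict(lambda: {"req_bytes": 0, "resp_bytes": 0, "monlist_reqs": 0})
    for rec in records:
        h = parse_ntp_header(rec["payload"])
        if h["mode"] != NTP_MODE_PRIVATE:
            continue
        if h["response"]:
            key = (rec["dst"], rec["src"])          # server -> client
            stats[key]["resp_bytes"] += len(rec["payload"])
        else:
            key = (rec["src"], rec["dst"])          # client -> server
            stats[key]["req_bytes"] += len(rec["payload"])
            if h["request_code"] in MONLIST_CODES:
                stats[key]["monlist_reqs"] += 1

    findings = []
    for (client, server), s in stats.items():
        if s["monlist_reqs"] == 0 or s["req_bytes"] == 0:
            continue
        ratio = s["resp_bytes"] / s["req_bytes"]
        if ratio >= min_ratio:
            findings.append({"client": client, "server": server,
                             "monlist_reqs": s["monlist_reqs"],
                             "ratio": ratio})
    return findings


# Constructed sample payloads: 0x17 = version 2, mode 7 request;
# 0x97 = same with the R (response) bit set; 0x23/0x24 = v4 client/server.
MONLIST_REQ = bytes([0x17, 0x00, 0x03, MON_GETLIST_1]) + bytes(44)    # 48 bytes
MONLIST_RESP = bytes([0x97, 0x00, 0x03, MON_GETLIST_1]) + bytes(436)  # 440 bytes
SNTP_REQ = bytes([0x23]) + bytes(47)
SNTP_RESP = bytes([0x24]) + bytes(47)

SERVER, VICTIM, HOST = "198.51.100.10", "203.0.113.5", "192.0.2.7"
SAMPLE_RECORDS = (
    [{"src": VICTIM, "dst": SERVER, "payload": MONLIST_REQ}]          # spoofed query
    + [{"src": SERVER, "dst": VICTIM, "payload": MONLIST_RESP}] * 5   # 2200 bytes back
    + [{"src": HOST, "dst": SERVER, "payload": SNTP_REQ},             # normal sync
       {"src": SERVER, "dst": HOST, "payload": SNTP_RESP}]
)

if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f"{f['client']} <- {f['server']}: {f['monlist_reqs']} monlist "
              f"query(ies), {f['ratio']:.1f}x amplification")
```

The ratio is computed from payload bytes only, so it slightly understates what the victim sees on the wire. On the server side the fix is to stop answering these queries at all: ntpd's `disable monitor` directive switches off the monitor list, a `restrict default ... noquery` line refuses mode-6/7 queries from unknown hosts, and ntpd 4.2.7p26 and later no longer implement monlist.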
Read more details about the US-CERT warnings, other vulnerabilities and comments from industry experts regarding the mechanics of these attacks in the full article at EWeek.