DNS amplification distributed denial-of-service (DDOS) is not the only type of efficient DDOS attack. Over the past days, researchers have spotted Network Time Protocol (NTP) reflection attacks being launched by cybercriminals.
They are abusing poorly configured servers to launch cyberattacks against the systems of various organizations
On December 16, the number of IPs involved in such attacks peaked at almost 15,000. This is a considerable increase, taking into account that before December 7, the IP count was less than 1,000.
NTP is used to synchronize time between various devices within a network. Since it’s not an important protocol, network administrators often neglect to upgrade it and configure it properly.
According to experts from Symantec, NTP can be a highly efficient DDOS tool. That’s because an attacker can send a small forged request to which the server responds with a large amount of data.
In particular, cybercriminals appear to be using the “monlist” command. The command can be utilized as a reconnaissance tool, which helps attackers build the profile of a network. However, it can also be used for DDOS attacks because it can redirect megabytes of traffic to a targeted IP address with only a small query.
“Most scanning tools, such as NMAP, have a monlist module for gathering network information and many attack tools, including metasploit, have a monlist DDoS module,” Symantec researchers noted in a blog post.
Organizations that want to make sure that their systems are not abused for DDOS attacks, can upgrade NTP to version 4.2.7, which no longer includes the “monlist” command.
Alternatively, administrators can enable “noquery” in the configuration file to disable access to certain query packets, including those that contain the “monlist” command.