Cybercriminals Abuse Network Time Protocol for DDOS Attacks

NTP reflection DDOS attacks

DNS amplification distributed denial-of-service (DDOS) is not the only type of efficient DDOS attack. Over the past few days, researchers have spotted Network Time Protocol (NTP) reflection attacks being launched by cybercriminals.

They are abusing poorly configured servers to launch cyberattacks against the systems of various organizations.

On December 16, the number of IPs involved in such attacks peaked at almost 15,000. This is a considerable increase, taking into account that before December 7, the IP count was less than 1,000.

NTP is used to synchronize time between various devices within a network. Since it’s not an important protocol, network administrators often neglect to upgrade it and configure it properly.

According to experts from Symantec, NTP can be a highly efficient DDOS tool. That’s because an attacker can send a small forged request to which the server responds with a large amount of data.

In particular, cybercriminals appear to be using the “monlist” command. The command can be utilized as a reconnaissance tool, which helps attackers build the profile of a network. However, it can also be used for DDOS attacks because it can redirect megabytes of traffic to a targeted IP address with only a small query.

“Most scanning tools, such as NMAP, have a monlist module for gathering network information and many attack tools, including metasploit, have a monlist DDoS module,” Symantec researchers noted in a blog post.

Organizations that want to make sure that their systems are not abused for DDOS attacks can upgrade NTP to version 4.2.7, which no longer includes the “monlist” command.

Alternatively, administrators can enable “noquery” in the configuration file to disable access to certain query packets, including those that contain the “monlist” command.
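The two mitigations above can be checked together. The following Python audit is an added example, not code from the article or from Symantec: it reports whether an ntpd version string predates 4.2.7 and whether the `restrict default` rules in a configuration file carry “noquery”. The function names and sample configurations are constructed for illustration, and the check assumes ntpd's classic `restrict` syntax and audits only `default` rules.

```python
import re

# "noquery" denies ntpq/ntpdc query packets (monlist included); "ignore" denies all packets.
BLOCKING_FLAGS = {"noquery", "ignore"}
FIXED_VERSION = (4, 2, 7)  # release the article says no longer includes monlist

def default_restrict_findings(conf_text):
    """Return (line_number, message) for default restrict rules that still answer queries."""
    findings, saw_default = [], False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()      # drop comments, then tokenize
        if not tokens or tokens[0] != "restrict":
            continue
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if not args or args[0] != "default":
            continue                                # host/subnet rules are not audited here
        saw_default = True
        if not BLOCKING_FLAGS & set(args[1:]):
            findings.append((lineno, "default rule lacks noquery"))
    if not saw_default:
        # Assumption: with no default rule, ntpd applies no restrictions at all.
        findings.append((0, "no 'restrict default' rule; queries are unrestricted"))
    return findings

def predates_fix(version_string):
    """True if the version in the string is older than FIXED_VERSION."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError("no version number found")
    return tuple(map(int, m.groups())) < FIXED_VERSION

def monlist_reachable(version_string, conf_text):
    """Exposed only if the old command exists AND the config still answers queries."""
    return predates_fix(version_string) and bool(default_restrict_findings(conf_text))

# Constructed sample inputs (not from the article).
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
restrict default nomodify notrap   # anyone may query
restrict 127.0.0.1
"""
HARDENED_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, default_restrict_findings(conf), monlist_reachable("4.2.6p5", conf))
```

The `restrict 127.0.0.1` line is deliberately not flagged: local queries stay available for administration while remote ones are refused.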

