Network Time Protocol Abused in DDOS Attacks on Gaming Servers

Statistics on NTP reflection attacks

In December 2013, Symantec warned that cybercriminals were increasingly abusing the Network Time Protocol (NTP) for distributed denial-of-service (DDOS) attacks. Experts say that this type of attack was also used to disrupt popular online gaming services in the first days of 2014.

The list of targeted games includes World of Tanks, League of Legends, Free Realms, DC Universe Online, PlanetSide 2 and Everquest. Companies like EA, Sony, Blizzard, Valve and Microsoft have been impacted by the attacks launched by a group called DERP Trolling.

Shawn Marck, the CEO of DOS protection solutions provider Black Lotus, has told Ars Technica that attacks abusing NTP were rarely heard of until December 2013. Up until recently, DNS-amplification attacks, which abuse open DNS resolvers, have been used to amplify DDOS attacks.

“What we’re witnessing is a shift in methodology,” Marck said.

Interestingly, at the start of 2014, NTP reflection attacks accounted for around 69% of attack traffic by volume. The average size of the NTP attacks was 7.3 Gbps. However, Black Lotus believes the DERP group has a maximum capacity of around 28 Gbps.

On the positive side, attacks that abuse NTP are much easier to mitigate compared to other types of DDOS attacks because the targets can filter out the packets coming their way.

Victims of such cyberattacks can rely on service-based approaches, or they can utilize traffic policers to limit the NTP traffic that enters their network.

In its advisory, Symantec has noted that in many cases, the attackers abuse the “monlist” command, which enables them to redirect a large amount of traffic to a targeted IP address with a small query. However, upgrading NTP to version 4.2.7 is the easiest way to prevent such attacks, because this variant doesn’t contain the command in question.

NTP has often been neglected by system administrators because it’s not such an important protocol. Now that it’s being abused for DDOS attacks, companies should start paying more attention to it.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s