A Network Time Protocol (NTP) amplification attack is a common type of Distributed Denial of Service (DDoS) attack that exploits misconfigured NTP servers and Internet Service Provider (ISP) networks to send a flood of User Datagram Protocol (UDP) traffic to a target, overwhelming its network and causing service disruption.
For an example of a NTP amplification attack and how Vercara helped mitigate it, see our blog post, The Outage that Never Was.
NTP amplification and its role in DDoS attacks.
NTP is a UDP-based network protocol used to synchronize clocks between computer systems. It is a valuable service that helps with network functions such as cryptography, system log aggregation, and incident response.
Because UDP-based network protocols do not perform a connection handshake the way Transmission Control Protocol (TCP) based protocols do, they accept packets carrying forged, or "spoofed," source Internet Protocol (IP) addresses if the sending network allows it. While Best Current Practice (BCP) 38, published as Request for Comments (RFC) 2827, specifies that networks should only allow traffic to leave if it originated inside their network, many network operators do not perform the egress filtering needed to comply, and in doing so they make amplification attacks possible. In an amplification attack, an attacker uses this gap to spoof the source IP address of their target and send a time request to an NTP server; the server then sends its NTP response to the target. Because the reply is larger than the request, the bandwidth the attacker can direct at the target is multiplied.
In a variant of the NTP amplification attack, attackers exploit a misconfiguration on NTP servers that allows the "monlist" command without an Access Control List (ACL). That is, any computer on the Internet is allowed to run monlist against the NTP server. This command returns a list of the last 600 clients that accessed the server. This is a much larger response than the initial request and amplifies the traffic by up to 5570%.
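The following is an added example, not code from the original post or from Vercara: a small classifier for UDP/123 payloads that tells ordinary time-sync packets (modes 3/4) apart from ntpd's mode 7 private protocol that monlist rides on, reads the item count out of a mode 7 response, and computes the amplification factor. It is the kind of logic a detection pipeline runs over captures to confirm whether a server is answering monlist queries; the packet bytes below are constructed samples.

```python
import struct

# ntpd mode 7 request codes that return the client list (MON_GETLIST, MON_GETLIST_1).
MONLIST_CODES = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}


def parse_ntp_packet(data: bytes) -> dict:
    """Classify one UDP/123 payload captured on the wire."""
    if len(data) < 4:
        return {"mode": None, "monlist": False}
    first = data[0]
    info = {"mode": first & 0x07, "version": (first >> 3) & 0x07, "monlist": False}
    if info["mode"] != 7:
        return info  # modes 3/4 are normal client/server time packets
    # Mode 7 header: byte0 = R|M|VN|Mode, byte1 = A|Seq, byte2 = implementation, byte3 = request code
    info["response"] = bool(first & 0x80)          # R bit set on replies from the server
    info["implementation"] = data[2]
    info["request_code"] = data[3]
    info["monlist"] = data[3] in MONLIST_CODES
    if info["response"] and len(data) >= 8:
        err_count, mbz_size = struct.unpack("!HH", data[4:8])
        info["error"] = err_count >> 12            # 4-bit error code
        info["items"] = err_count & 0x0FFF         # records carried in this packet
        info["item_size"] = mbz_size & 0x0FFF      # bytes per record (72 for monlist)
    return info


def amplification_factor(request_len: int, response_lens) -> float:
    """Bytes delivered to the spoofed victim per byte the attacker had to send."""
    return sum(response_lens) / request_len


# Constructed samples: a standard 48-byte client time request (VN=3, mode 3) and one
# monlist reply packet carrying 6 records of 72 bytes (the 440-byte packets seen in abuse).
CLIENT_REQUEST = bytes([0x1B]) + b"\x00" * 47
MONLIST_RESPONSE = struct.pack("!BBBBHH", 0x97, 0x00, 0x03, 0x2A, 6, 72) + b"\x00" * (6 * 72)

if __name__ == "__main__":
    for name, pkt in (("client request", CLIENT_REQUEST), ("monlist response", MONLIST_RESPONSE)):
        print(name, parse_ntp_packet(pkt))
    # A full 600-entry list arrives as 100 such packets; compare against an 8-byte query.
    print("amplification x", amplification_factor(8, [len(MONLIST_RESPONSE)] * 100))
```

A server that is correctly configured returns no mode 7 response at all, so any packet the classifier flags with `response` and `monlist` set is a finding worth acting on.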
Impact of NTP amplification attacks on businesses.
Because NTP amplification is a type of DDoS attack, its impact on businesses is similar to that of other DDoS attacks.
For more information, see our blog post, Understanding DDoS Attacks: What is a DDoS Attack and How Does it Work?
Service disruption and downtime.
An NTP amplification DDoS attack can cause significant service disruption and downtime. During such attacks, the flood of traffic overwhelms the business’s network infrastructure, rendering services unavailable to both internal and external users. Critical systems, websites, and online services may become inaccessible, resulting in lost productivity and revenue. Prolonged downtime can damage customer trust and affect business operations, especially for organizations that rely on continuous availability, such as e-commerce platforms or financial institutions.
Financial losses.
NTP amplification attacks can lead to significant financial losses. This includes lost revenue from downtime, costs associated with hiring specialized cybersecurity firms, deploying DDoS protection services, and potential penalties for breaching service level agreements (SLAs). Failing to meet industry regulations on uptime and security can lead to even greater financial penalties.
Reputation damage.
Repeated or severe NTP attacks can harm a company’s reputation. Customers and partners may lose confidence in the organization’s ability to protect its services or data. Publicly reported outages can lead to long-term reputational damage, especially in industries where reliability and security are critical, such as healthcare, finance, or retail.
Increased operational costs.
Businesses may face increased operational costs as they work to prevent or respond to NTP amplification attacks. This may involve upgrading network infrastructure, investing in additional security tools, or contracting external DDoS mitigation services. The labor required to address these attacks diverts Information Technology resources from other critical business functions.
Data breaches and security risks.
In some cases, NTP amplification or other DDoS attacks are a deliberate attempt to make the target's boundary protections fail, since those protections frequently give way under a large traffic load. While IT teams are busy mitigating the flood of traffic, attackers may exploit other vulnerabilities to access sensitive data. This poses risks to intellectual property and could lead to compliance violations and fines if customer data is compromised.
Long-term consequences.
Beyond the immediate impact, businesses affected by NTP amplification attacks may face long-term consequences. The need to implement stronger NTP amplification attack prevention measures, such as properly configuring NTP servers, often requires a substantial investment. Failing to do so leaves businesses vulnerable to future attacks, further eroding trust, financial stability, and market position.
Mitigating and preventing NTP amplification attacks.
To prevent NTP amplification attacks, network administrators can take several key steps:
- DDoS mitigation services: Deploy DDoS mitigation solutions like scrubbing centers to filter out malicious traffic before it impacts the network.
- Proactive NTP amplification filters: A network ACL or a pre-configured filter that blocks unwanted NTP traffic stops NTP amplification attacks before they reach your systems.
- Disable the monlist command on NTP servers: This vulnerable command should be disabled to mitigate attacks.
- Rate limiting: Implement rate-limiting on NTP servers to prevent excessive response traffic.
- Regular scans: Conduct vulnerability scans to identify and secure vulnerable NTP servers in your network.
- Testing: Perform an NTP amplification attack test to ensure the organization’s defenses are effective.
- Implementing BCP 38: Performing egress filtering so that packets leave your network only if their source address is inside your network can eliminate the risk of your network being used in an amplification attack.
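As an added example (not code from the original post or from Vercara), the audit below checks an ntpd configuration for the two settings behind the "disable monlist" and "rate limiting / ACL" items above: `disable monitor`, which stops ntpd collecting and serving the client list, and a `restrict default ... noquery` line, which refuses mode 6/7 queries from arbitrary addresses. The two configuration files are constructed samples; the hardened one is the shape the mitigation list calls for.

```python
import re

DISABLE_RE = re.compile(r"^\s*disable\s+(.*)$")
# Matches 'restrict default', 'restrict -4 default' and 'restrict -6 default' lines.
RESTRICT_DEFAULT_RE = re.compile(r"^\s*restrict\s+(?:-[46]\s+)?default(?:\s+(.*))?$")


def audit_ntp_conf(conf_text: str) -> list:
    """Return a list of findings; an empty list means both protections are present."""
    findings = []
    monitor_disabled = False
    default_restricts = 0
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = DISABLE_RE.match(line)
        if m and "monitor" in m.group(1).split():
            monitor_disabled = True
            continue
        m = RESTRICT_DEFAULT_RE.match(line)
        if m:
            default_restricts += 1
            flags = (m.group(1) or "").split()
            if "noquery" not in flags:
                findings.append(f"line {lineno}: default restrict lacks 'noquery': {line}")
    if not monitor_disabled:
        findings.append("no 'disable monitor': the monlist client list is still collected and served")
    if default_restricts == 0:
        findings.append("no 'restrict default' line: mode 7 queries are accepted from any address")
    return findings


# Constructed sample: a legacy ntp.conf that answers monlist for anyone.
WEAK_CONF = """# legacy configuration
server 0.pool.ntp.org iburst
restrict default nomodify notrap
restrict 127.0.0.1
"""

# Constructed sample: hardened configuration (both protections, for IPv4 and IPv6).
HARDENED_CONF = """# hardened configuration
server 0.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or ["OK"])
```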
By following these steps, businesses can significantly reduce the risk of falling victim to or being used in NTP amplification DDoS attacks, ensuring their networks remain secure and stable.
How Vercara can help.
Vercara’s DDoS mitigation solution, UltraDDoS Protect, is designed and built to mitigate the effects of NTP amplification attacks and other DDoS attacks against your networks and services. UltraDDoS Protect has over 15 Tbps of dedicated DDoS traffic ingest and is operated by a 24/7 Security Operations Center. Traffic is diverted to UltraDDoS Protect via Border Gateway Protocol (BGP) announcements or DNS resource records.
Vercara’s other platforms such as our authoritative managed DNS platform, UltraDNS, and our Web Application Firewall service, UltraWAF, are protected by distributed points of presence, anycast IP networking, and by the DDoS mitigation capabilities of UltraDDoS Protect.
Vercara provides comprehensive DDoS protection, including solutions for NTP amplification attack mitigation. DDoS mitigation, egress filtering, and properly configured NTP servers are essential to defending against NTP amplification attacks and similar threats.