34 Gbps NTP DDoS Attack

09 Apr 2014, Security by Micron21

NTP Distributed Denial of Service attack : Local Australian DDoS Protection

Last Easter (2013) we released an article (here) documenting a 16.83 Gbit DDoS attack. That attack was a DNS amplification attack using UDP traffic and was targeting a Micron21 customer.

Since then, we have continued to battle the growing arms race of DDoS attacks towards our customers and the Australian networks which we protect. There has been a noticeable development of new attack vectors and protocols that have evolved around sophisticated, layer 7 HTTPS attacks along with NTP, SAD and SNMP reflection layer 3 flood attacks.

One thing is certain: layer 3 'UDP flood' attacks targeting Australian networks are increasing in frequency, size and duration. Equally alarming is the number of layer 7 attacks that target specific applications, often at less than 1 or 2 packets per second, but crafted to exploit specific weak elements in application-layer software, resulting in a denial of service to that particular application.

A few years ago, the thought of DDoS attacks targeted towards our network was frightening. I still remember the days of our Cisco routing platform becoming crippled as we felt first-hand the effects of a DDoS attack. In late 2009 this quickly led us to the conclusion that, given the requirements of our customers, we needed a strategic plan in order to protect our network and the clients within it. We then started building what is today our Network DDoS Protection platform, designed not only to protect our own network but also to protect other Australian networks.

Powered by a combination of Brocade, A10, NSFOCUS and Juniper hardware, we developed a Network DDoS Protection platform. Since then we have not only become very comfortable dealing with DDoS attacks, we have also spent a lot of time analyzing each attack and understanding its behavior. This has allowed us to learn from each attack so that we can further improve and optimize our platform.

In March 2014 I wrote an article (here) on the mechanics of NTP attacks and proposed how to recognize spoofed requests entering your network by filtering for UDP packets 50 bytes in size (on the wire) whose payload is the hex string "\x17\x00\x03\x2a" followed by four "\x00" bytes, i.e. the 8-byte mode 7 'monlist' request. By filtering these request packets at the edge of your network you prevent NTP servers within your network from participating in an attack, even if you have servers which are susceptible to the 'monlist' vulnerability.
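The edge filter above matches raw bytes; decoding the NTP mode 7 header instead lets a defender distinguish monlist requests (to be dropped inbound) from monlist responses (to be counted or rate-limited outbound) without false positives on ordinary NTP traffic. The following Python is an added example, not Micron21's code: the sample packets are constructed, and the implementation and request-code values are taken from the ntp reference implementation's mode 7 header definitions.

```python
"""Classify NTP 'private' (mode 7) packets so that monlist requests can be
dropped at the network edge and monlist responses can be counted."""
import struct

# Mode 7 constants from the ntp reference implementation (ntp_request.h)
IMPL_XNTPD = 3
REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42        # 0x2a, the request code quoted in the article

# Constructed samples. The request is the 8-byte payload from the article:
# "\x17\x00\x03\x2a" + "\x00" * 4. On Ethernet it is 14 + 20 + 8 + 8 = 50 bytes.
MONLIST_REQUEST = bytes.fromhex("1700032a00000000")
# A response has the R (response) bit set: 0x97 = 0x17 | 0x80. Shaped like a
# monlist reply carrying 6 items of 72 bytes (constructed, data zeroed).
MONLIST_RESPONSE = struct.pack("!BBBBHH", 0x97, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 6, 72) + b"\x00" * 432
# Ordinary NTPv4 client packet (first byte 0x23: version 4, mode 3), 48 bytes.
NORMAL_CLIENT = b"\x23" + b"\x00" * 47
# A mode 7 request with a different request code (not monlist).
OTHER_MODE7 = bytes.fromhex("1700030100000000")


def parse_mode7(payload):
    """Decode the 8-byte mode 7 header; return None if this is not mode 7."""
    if len(payload) < 8:
        return None
    rm_vn_mode, _auth_seq, impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if rm_vn_mode & 0x07 != 7:               # low 3 bits are the NTP mode
        return None
    return {
        "response": bool(rm_vn_mode & 0x80),  # R bit: server -> client
        "more": bool(rm_vn_mode & 0x40),      # M bit: further fragments follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "implementation": impl,
        "request": req,
        "nitems": err_nitems & 0x0FFF,        # low 12 bits; high 4 bits are the error code
        "item_size": mbz_size & 0x0FFF,
        "data_len": len(payload) - 8,
    }


def classify(payload):
    """Return 'monlist-request', 'monlist-response', 'mode7-other' or 'not-mode7'."""
    hdr = parse_mode7(payload)
    if hdr is None:
        return "not-mode7"
    if hdr["implementation"] == IMPL_XNTPD and hdr["request"] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1):
        return "monlist-response" if hdr["response"] else "monlist-request"
    return "mode7-other"


if __name__ == "__main__":
    for name, pkt in [("request", MONLIST_REQUEST), ("response", MONLIST_RESPONSE),
                      ("client", NORMAL_CLIENT), ("other", OTHER_MODE7)]:
        print(f"{name:9s} {len(pkt):4d} bytes -> {classify(pkt)}")
```

An inbound packet classified as 'monlist-request' is the spoofed trigger and can be dropped at the edge; an outbound 'monlist-response' indicates one of your own servers is already amplifying.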

14.61gbit NTP Distributed Denial of Service Attack

Since early 2014 our DDoS Protection clients have also been on the receiving end of multiple NTP amplification and reflection attacks. An example is featured below: on the 23rd of April 2014 a customer experienced a 9 minute reflection attack peaking at 14.61 Gbit of unwanted NTP attack traffic.

34.11gbit NTP Distributed Denial of Service Attack

However, on the 9th of July 2014 the heat was turned up significantly with an NTP reflection attack towards an Australian network, AS58940 (Exigent Enterprise), which subscribes to our service via multiple Megaport VCXs in Melbourne, Sydney and Queensland. We successfully mitigated a 34.11 Gbit per second NTP reflection attack using our Soak and Scrub service: we absorbed the unwanted traffic within our network, AS38880, and then forwarded the clean traffic directly to Exigent Enterprise over Megaport for the entire range which was under attack.

Multiple Attacks

This distributed reflection attack lasted 1 hour and 5 minutes and was a targeted attack utilizing a vulnerability in NTP (Network Time Protocol), the protocol used for system time synchronization. The reflecting servers were all exposed to the monlist vulnerability, and the attack was centered around unwanted spoofed UDP packets.

This attack was one of many attacks which occurred. Below is a list of the top 10 events over the course of 24 hours. On average we mitigate around 50 concurrent attacks.

NTP DDoS attacks are relatively cheap and easy to launch: spoofed UDP packets from a handful of hosts are sent to vulnerable NTP servers across the world, which together magnify the small request payload significantly.

10 Million Packets Per Second

Based on a 700x amplification factor, the 34.11 Gbit of attack traffic would have been generated from about 50 Mbit of spoofed traffic requesting 'monlist' with the target's IP address as the source. These packets were sent towards approximately 10,900 open NTP relay servers. Nearly all of the source IP addresses (the participating NTP servers) were captured, and the packet rate reached 10 million packets per second, or 600,000,000 packets per minute, as shown in the graph below.

Australian Networks with NTP servers susceptible to the Monlist Vulnerability

Out of interest, 279 open NTP relays on the following Australian networks participated in the attack, accounting for a maximum of 103 Mbit of domestic traffic over the course of the attack, with a 95th percentile of 75 Mbit.

A detailed breakdown of the number of vulnerable Australian NTP servers per network which contributed towards the 34.11 Gbit NTP attack on the 9th of July 2014 can be found in the table below.
