A study on NTP Distributed Denial of Service attacks.
At Easter 2013 we released an article documenting a 16.83gbit DDoS attack. That attack was based on DNS amplification, using spoofed UDP traffic to target a Micron21 customer.
Since then, we have continued to battle the growing arms race of DDoS attacks towards our customers and the Australian networks which we protect. There has been a noticeable development of new attack vectors and protocols that have evolved around sophisticated, layer 7 HTTPS attacks along with NTP, SAD and SNMP reflection layer 3 flood attacks.
One thing is certain: layer 3 'UDP flood' attacks targeting Australian networks are increasing in frequency, size and duration. Equally alarming is the number of layer 7 attacks that target specific applications, often at less than 1 or 2 packets per second, but crafted to exploit specific weaknesses in application layer software and so deny service to that particular application.
A few years ago, the thought of DDoS attacks targeted at our network was frightening. I still remember the days of our Cisco routing platform becoming crippled as we felt first-hand the effects of a DDoS attack. In late 2009 this quickly led us to the conclusion that, given the requirements of our customers, we needed a strategic plan to protect our network and the clients within it. From there we started building what today is our Network DDoS Protection platform, designed not only to protect our network but also to protect other Australian networks.
Powered by a combination of Brocade, A10, NSFOCUS and Juniper hardware, we developed our Network DDoS Protection platform. Since then we have not only become very comfortable dealing with DDoS attacks, we have also spent a lot of time analysing each attack and understanding its behaviour. This has allowed us to learn from each attack so that we can further improve and optimise our platform.
In March 2014 I wrote an article on the mechanics of NTP attacks and proposed how to recognise spoofed requests entering your network: filter for UDP packets 50 bytes in size whose payload begins with the hex string `\x17\x00\x03\x2a` followed by four `\x00` bytes. By filtering these request packets at the edge of your network you essentially prevent NTP servers within your network from participating in an attack, even if you have servers which are susceptible to the 'monlist' vulnerability.
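As an added illustration of that edge filter (example code written for this page, not Micron21's own filter), the following parses the NTP mode 7 header of a UDP payload and separates an inbound monlist request, which nothing legitimate needs, from ordinary NTP time packets and from monlist responses. The request-code numbers (42 and 20) are those of the reference ntpd and are an assumption beyond the single code the article quotes; the 50-byte figure corresponds to 14 Ethernet + 20 IPv4 + 8 UDP + 8 payload bytes.

```python
import struct

# NTP mode 7 ("private") header values; the monlist request codes are the
# reference ntpd's MON_GETLIST_1 (42, the 0x2a in the article) and MON_GETLIST (20).
NTP_MODE_PRIVATE = 7
IMPL_XNTPD = 3
MONLIST_REQUEST_CODES = {42, 20}


def parse_mode7_header(payload: bytes):
    """Return (is_response, version, mode, implementation, request_code), or None if too short."""
    if len(payload) < 8:
        return None
    b0, _b1, impl, req_code = struct.unpack("!BBBB", payload[:4])
    is_response = bool(b0 & 0x80)      # R bit: set on replies, clear on requests
    version = (b0 >> 3) & 0x07
    mode = b0 & 0x07
    return is_response, version, mode, impl, req_code


def is_monlist_request(payload: bytes) -> bool:
    """True only for a mode 7 monlist *request*: the packet to drop at the network edge."""
    hdr = parse_mode7_header(payload)
    if hdr is None:
        return False
    is_response, _version, mode, impl, req_code = hdr
    return (not is_response and mode == NTP_MODE_PRIVATE
            and impl == IMPL_XNTPD and req_code in MONLIST_REQUEST_CODES)


def classify(payload: bytes) -> str:
    """Label a UDP/123 payload so a filter can drop requests without touching time traffic."""
    hdr = parse_mode7_header(payload)
    if hdr is None:
        return "short/non-ntp"
    is_response, _version, mode, _impl, req_code = hdr
    if mode != NTP_MODE_PRIVATE:
        return "ntp-time"             # normal client/server exchange: leave alone
    if is_monlist_request(payload):
        return "monlist-request"      # spoofed request asking your server to reflect
    if is_response and req_code in MONLIST_REQUEST_CODES:
        return "monlist-response"     # the amplified reply a victim receives
    return "mode7-other"


# Constructed sample payloads (not captured traffic)
MONLIST_REQ = b"\x17\x00\x03\x2a" + b"\x00" * 4    # the 8-byte request from the article
CLIENT_REQ = b"\x1b" + b"\x00" * 47                # ordinary 48-byte NTPv3 client poll
MONLIST_RESP = b"\x97\x00\x03\x2a\x00\x01\x00\x48" + b"\x00" * 72  # R bit set, one item
```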
14.61gbit NTP Distributed Denial of Service attack.
Since early 2014 our DDoS Protection clients have also been on the receiving end of multiple NTP amplification and reflection attacks. An example is featured below: on the 23rd of April 2014 a customer experienced a 9 minute reflection attack peaking at 14.61gbit of unwanted NTP attack traffic.
34.11gbit NTP Distributed Denial of Service attack.
However, on the 9th of July 2014 the heat was significantly turned up with an NTP reflection attack towards an Australian network, AS58940 (Exigent Enterprise), which subscribes to our service via multiple Megaport VCXs in Melbourne, Sydney and Queensland. Using our Soak and Scrub service we successfully mitigated a 34.11 Gbit per second NTP reflection attack: we absorbed the unwanted traffic within our network, AS38880, and forwarded the clean traffic directly to Exigent Enterprise over Megaport for the entire range which was under attack.
This distributed reflection attack lasted 1 hour and 5 minutes and was a targeted attack exploiting a vulnerability in NTP (Network Time Protocol), the protocol used for system time synchronisation. The reflecting servers were all vulnerable to the monlist vulnerability, and the attack was driven by spoofed UDP packets.
This attack was one of many that occurred. Below is a list of the top 10 events over the course of 24 hours. We mitigate an average of 50 concurrent attacks.
NTP DDoS attacks are relatively cheap and easy to launch: spoofed UDP packets from a handful of hosts are sent to vulnerable NTP servers across the world, which together magnify the requested payload significantly.
10 million packets per second.
Based on a 700x amplification factor, the 34.11gbit of attack traffic would have been generated from about 50mbits of spoofed traffic requesting 'monlist' with the target's IP address as the spoofed source. These packets were sent to approximately 10,900 open NTP relay servers. Nearly all of the source IP addresses (the participating NTP servers) were captured, and the packet rate reached 10 million packets per second, or 600,000,000 packets per minute, as per the graph below.
Australian Networks with NTP servers susceptible to the monlist vulnerability.
Out of interest, 279 open NTP relays on the following Australian networks participated in the attack, accounting for a maximum of 103mbit of domestic traffic over the course of the attack, with a 95th percentile of 75mbits.
A detailed breakdown of the number of vulnerable Australian NTP servers which contributed to the 34.11gbit NTP attack on the 9th of July 2014 can be found below.
Number of NTP servers per Australian ASN:
- 79 ASN-TELSTRA Telstra Pty Ltd,AU (AU) (AS1221)
- 45 TPG-INTERNET-AP TPG Telecom Limited,AU (AU) (AS7545)
- 36 EXETEL-AS-AP Exetel Pty Ltd,AU (AU) (AS10143)
- 27 AAPT AAPT Limited,AU (AU) (AS2764)
- 19 MPX-AS Microplex PTY LTD,AU (AU) (AS4804)
- 18 AINS-AS-AP Australia Internet Solutions,AU (AU) (AS23871)
- 12 ASN-IINET iiNet Limited,AU (AU) (AS4802)
- 7 M2TELECOMMUNICATIONS-AU M2 Telecommunications Group Ltd,AU (AU) (AS38285)
- 7 SANITYTECHNOLOGY-AS-AU-AP Sanity Technology Pty Ltd,AU (AU) (AS24473)
- 6 AMNET-AU-AP Amnet IT Services Pty Ltd,AU (AU) (AS9822)
- 6 TCR-AP TCR Holdings Ltd,AU (AU) (AS9627)
- 3 DEDICATED-SERVERS-SYD-AS-AP Dedicated Servers - Sydney,AU (AU) (AS45425)
- 3 SPIN-INTERNET-AP Spin Internet Service,AU (AU) (AS18390)
- 2 INTERNETPRIMUS-AS-AP Primus Telecommunications,AU (AU) (AS9443)
- 1 WAWB-AS-AP WAWB Pty Ltd,AU (AU) (AS38657)
- 1 SELEMENTS-AU-SYD Service Elements,AU (AU) (AS45763)
- 1 ONQNETWORKS-AS-AP On Q Networks,AU (AU) (AS7594)
- 1 NCABLE-AP Neighbourhood Cable,AU (AU) (AS18371)
- 1 DATAFX-AS-AP Data FX Online Pty. Ltd.,AU (AU) (AS17766)
- 1 ASN-PLATFORM-AP Platform Networks Pty Ltd,AU (AU) (AS9482)
- 1 UTAS The University of Tasmania,AU (AU) (AS7573)
- 1 TEREDONN-AS-AP SkyMesh Pty Ltd,AU (AU) (AS7477)
- 1 RACK-CENTRAL-AS-AP RackCentral Networks,AU (AU) (AS58443)
Inside the Micron21 DDoS mitigation operation centre.
By proactively monitoring our Micron21 infrastructure and our customers' networks we can provide around-the-clock support, adapting to threats dynamically as they occur with real-time visibility. While large attacks do occur, the majority of the attacks we block are only a handful of packets.
Micron21 DDoS Portal for real-time visibility of attacks towards your infrastructure.
We provide all Micron21 customers with direct access to our DDoS Mitigation portals so you can view in real time all attacks and mitigated traffic to your infrastructure. Furthermore, we provide you with NetFlow information on your network for all return traffic.
Looking for more information on DDoS protection?
Our core DDoS Protection services are, first, our scrubber service, where we clean unwanted traffic which you send directly to us as a single /32 route, and second, our soak and scrub service, where we advertise specific parts of your network, absorb the unwanted traffic and forward the clean traffic directly to you. Find out more about our protection services.
You can also find detailed information describing our key points of difference for our Network DDoS Protection Services.