DDoS Definition
A DDoS attack (Distributed Denial-of-Service) is an action carried out with the purpose of preventing a server or other internet resource from responding to its users. In a DDoS attack, many hosts (people or bots) attack the victim at once, flooding the server with forged requests until it can no longer answer genuine ones. In an NTP-based DDoS attack, the flood is generated with the help of open NTP servers.
What?
NTP (Network Time Protocol) is used for time synchronization between computers and other devices connected to the internet. NTP normally runs over simple UDP (port 123) rather than the more robust TCP. UDP is a connection-less protocol: it needs no handshake and no verification of the peer to begin a transmission (Techwriters Future, 2009), so a server will answer a request whose source address has been forged. This is what makes NTP easy for an attacker to abuse for DDoS. Since most computers currently use NTP to synchronize time, NTP traffic is accepted by most networks and is hard to block outright.
When, Who, Where?
NTP-based DDoS attacks grew through 2013 and were publicly described in January 2014 by CloudFlare, a website security company (Graham-Cumming, 2014). According to them, they succeeded in mitigating a 400 Gbps NTP-based DDoS attack against one of their customers' websites (Prince, 2014). This indicates how powerful NTP-based DDoS can be, since the most powerful DDoS attack previously recorded was around 300 Gbps (Constantin, 2013). The attack traffic came from many networks hosting unsecured NTP servers, which the attacker abused as reflectors. Most of the networks contributing to the attack were in China, followed by Europe and Asia (CloudFlare, 2014).
How and Why?
An NTP-based DDoS attack uses an amplification technique, just like a DNS-based DDoS attack. The attacker sends a request to an open NTP server with a forged source IP address; this technique is called IP address spoofing. The forged address actually belongs to the victim targeted by the attacker, so the NTP server sends its response to the victim instead of the attacker. Because the response is much larger than the request, a small amount of attacker bandwidth becomes a large flood at the victim, and because the traffic arrives from legitimate NTP servers the victim cannot simply block it by source. To make
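The exchange described above, as an added example that is not part of the original page: a Python model of one spoofed request being reflected by an open NTP server, the resulting bandwidth amplification factor, and a simple detector that flags what the victim's network edge actually sees (NTP replies arriving for hosts that never sent a request to those servers). All addresses (RFC 5737 documentation ranges), packet counts and packet sizes are constructed for the example; the reflector's 100 replies of 440 bytes to an 8-byte request are an assumed ratio, not a measurement from the page.

```python
"""Model of NTP reflection/amplification and a detector for the victim's edge.

Added example, not code from the original page. Addresses, packet sizes and
the reflector behaviour are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

NTP_PORT = 123


@dataclass(frozen=True)
class Datagram:
    """A UDP datagram. 'size' is payload bytes (constructed values)."""
    src: str
    dst: str
    sport: int
    dport: int
    size: int


def spoofed_request(victim_ip: str, reflector_ip: str, size: int = 8) -> Datagram:
    """The attacker's packet to an open NTP server. UDP has no handshake, so
    the attacker can write the victim's address into the source field and the
    reflector has no way to notice."""
    return Datagram(src=victim_ip, dst=reflector_ip,
                    sport=NTP_PORT, dport=NTP_PORT, size=size)


def reflect(request: Datagram, packets: int, bytes_per_packet: int) -> List[Datagram]:
    """Open reflector: it answers whatever source address the request carried,
    possibly with many large packets (assumed sizes)."""
    return [Datagram(src=request.dst, dst=request.src,
                     sport=request.dport, dport=request.sport,
                     size=bytes_per_packet) for _ in range(packets)]


def amplification_factor(request: Datagram, responses: List[Datagram]) -> float:
    """Bandwidth amplification factor: response bytes per request byte."""
    return sum(r.size for r in responses) / request.size


def detect_reflection(observed: List[Tuple[str, Datagram]],
                      min_reflectors: int = 3) -> Dict[str, Dict[str, int]]:
    """observed: ("out" | "in", datagram) as seen at the victim network's edge.

    A reflected flood looks like NTP replies (source port 123) arriving for
    hosts that never sent a request to those servers. Returns, per target,
    the number of distinct reflectors and the unsolicited bytes received.
    """
    requested = {(d.src, d.dst) for direction, d in observed
                 if direction == "out" and d.dport == NTP_PORT}
    unsolicited_bytes: Dict[str, int] = defaultdict(int)
    reflectors: Dict[str, Set[str]] = defaultdict(set)
    for direction, d in observed:
        if direction != "in" or d.sport != NTP_PORT:
            continue
        if (d.dst, d.src) in requested:
            continue  # a reply to a request this host really sent
        unsolicited_bytes[d.dst] += d.size
        reflectors[d.dst].add(d.src)
    return {target: {"reflectors": len(srcs), "bytes": unsolicited_bytes[target]}
            for target, srcs in reflectors.items()
            if len(srcs) >= min_reflectors}


def demo() -> Tuple[float, Dict[str, Dict[str, int]]]:
    """Constructed scenario: one victim, one legitimate time server, five open
    reflectors. Returns the amplification factor and the detector's alerts."""
    victim, legit_server = "192.0.2.10", "203.0.113.10"
    reflector_ips = [f"198.51.100.{i}" for i in range(1, 6)]

    observed: List[Tuple[str, Datagram]] = []
    # Normal client exchange: one request out, one same-sized reply back.
    observed.append(("out", Datagram(victim, legit_server, 40000, NTP_PORT, 48)))
    observed.append(("in", Datagram(legit_server, victim, NTP_PORT, 40000, 48)))

    # The attack: spoofed requests go from the attacker to the reflectors and
    # never cross the victim's edge; only the reflected replies arrive there.
    factor = 0.0
    for r_ip in reflector_ips:
        req = spoofed_request(victim, r_ip)
        replies = reflect(req, packets=100, bytes_per_packet=440)
        factor = amplification_factor(req, replies)
        observed.extend(("in", rep) for rep in replies)
    return factor, detect_reflection(observed)


if __name__ == "__main__":
    factor, alerts = demo()
    print(f"amplification factor: {factor:.0f}x")
    print("alerts:", alerts)
```

The detector keys on the one thing the victim can see: replies from source port 123 that match no outbound request. The legitimate client exchange is not flagged because its request was observed leaving the network, while the five reflectors produce an alert even though each of them is a perfectly normal NTP server.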
References:
CloudFlare. (2014, February). Retrieved from https://docs.google.com/spreadsheet/ccc?key=0AhuvvqAkGlindHFtS0pJa0lYZGNlLXNONWtlY01qanc&usp=sharing#gid=0
Constantin, L. (2013, March). Retrieved from InfoWorld: http://www.infoworld.com/article/2613446/internet/ddos-attack-against-spamhaus-was-reportedly-the-largest-in-history.html
Graham-Cumming, J. (2014, January). Retrieved from CloudFlare: http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks/
Postel, J. (2002, May). Retrieved from IETF: http://tools.ietf.org/html/rfc347
Prince, M. (2014, February 13). Retrieved from CloudFlare: http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/
S. Taher, B. A. (2013, December). Retrieved from Internet Storm Center: https://isc.sans.edu/diary/NTP+reflection+attack/17300
Stenn, H. (2014, November). Retrieved from NTP: http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
Techwriters Future. (2009). UDP. Retrieved from IPv6.com: http://ipv6.com/articles/general/User-Datagram-Protocol.htm
US-CERT. (2014, January). Retrieved from US-CERT: https://www.us-cert.gov/ncas/alerts/TA14-017A