Several online gaming sites were recently hit by distributed denial-of-service (DDoS) attacks that used a new type of assault on the victims: a Network Time Protocol Amplification Attack.
Such attacks rely on publicly accessible NTP servers: the attacker sends small requests with the victim's address forged as the source, and the servers' much larger replies go to the victim, overwhelming it with UDP traffic, according to the US CERT site.
"It's the first time I've ever seen volumetric NTP at noteworthy levels," says Shawn Marck, CEO at Black Lotus, which provides DDoS mitigation services, adding his impression is that the DerpTrolling group, which took credit for the attack, is doing this mainly for the kicks they get in disrupting online games like War of Wizard and Steam.
"The NTP attack worked pretty well," said Barrett Lyon, founder of anti-DDoS service Defense.net. It had been known that an attacker could manipulate an NTP server to generate attack traffic against a target, but DerpTrolling's denial-of-service hits in early January are regarded as dangerous proof of a new DDoS attack vector.
US CERT issued an advisory on NTP amplification attacks on Jan. 10, attributing the exploitation of these servers to vulnerabilities left unpatched. But Lyon sees a different problem. He says older NTP servers simply can't prevent the kind of exploitation carried out in NTP amplification attacks, because older NTP software doesn't support controls such as rate-limiting that might stop it.
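To make the configuration point concrete, here is the weak setting beside the hardened one as an ntpd (ntp.conf) fragment. This is an added illustration, not configuration from the article, US CERT, or any of the vendors quoted; the hardened lines assume an ntpd release that implements the `kod` and `limited` restrict flags and the `discard` rate-limit thresholds.

```conf
# Weak: a bare "restrict default" (common in old or default ntp.conf files)
# answers every request from any source, so spoofed requests are reflected
# toward whatever address the attacker forged as the source.
restrict default

# Hardened: serve time only. "noquery" refuses mode 6/7 control and status
# queries (ntpq/ntpdc), "nomodify"/"notrap" block remote configuration,
# "nopeer" stops unknown hosts from becoming peers, and "limited" drops
# clients that exceed the "discard" thresholds, with "kod" sending a
# Kiss-o'-Death response so well-behaved clients back off.
discard average 3 minimum 2
restrict default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
```

After reloading, a quick check from an outside host is `ntpq -c rv <server>`: a hardened server times out instead of returning its variables, while time requests from an NTP client still succeed. On releases that lack `limited` and `kod`, the only options are `noquery` plus upstream filtering, which is the gap Lyon describes.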
NTP servers are "forgotten pieces of infrastructure" that almost no one thinks about — until something like this new example of a DDoS attack comes along, says Lyon, an industry veteran who also founded anti-DDoS security firm Prolexic Technologies, which was just acquired by Akamai.
It's not just old infrastructure: the newest mobile devices are also being exploited by attackers to launch DDoS attacks. Today, Prolexic issued its quarterly global DDoS attack report, noting that even Android-based mobile devices are being spotted as instruments for launching DDoS attacks.
In the report, Prolexic says its response team "uncovered evidence of the use of mobile applications launching DDoS attacks against enterprise clients, including one of the world's largest financial firms." Prolexic says signatures matching AnDOSid, a DDoS attack tool for Android devices, were observed in DDoS attack campaigns.
While use of mobile devices to launch DDoS attacks is still considered unusual, there's no reason to think it might not grow, Prolexic points out. In its report, Prolexic also notes the rise of NTP as an attack vector.
"The NTP protocol is implemented in all major operating systems, network infrastructure devices, and embedded devices. By using UDP, NTP is subject to spoofing. In addition, misconfiguration of network equipment can allow enterprise infrastructure to be used as unwilling participants in a DDoS attack. This can be achieved by responding to requests for NTP updates and directing the response to the victim host and overwhelming it with NTP traffic."
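The mechanism the report describes leaves a recognizable footprint in flow data: a server sending far more bytes on UDP/123 to one host than that host ever sent it, or answering a host from which no request was seen at all (because the requests carried a spoofed source). The following Python is an added example, not code from the article or from Prolexic; the flow records, addresses and thresholds are constructed for illustration, and it assumes tuples in the shape a NetFlow or sFlow export would give you.

```python
"""Flag suspected NTP reflection/amplification from constructed flow records.

Added example, not code from the article or the Prolexic report.
Flow tuple shape (constructed): (src_ip, src_port, dst_ip, dst_port, packets, bytes)
"""
from collections import defaultdict

NTP_PORT = 123

# Constructed sample: 203.0.113.9 is the victim. 198.51.100.7 sees a trickle
# of "requests" that appear to come from the victim (spoofed by the attacker)
# and answers it with a flood. 198.51.100.8 answers the victim too, but this
# vantage point never saw any request reach it. 192.0.2.x is a normal peering.
SAMPLE_FLOWS = [
    ("203.0.113.9", 40001, "198.51.100.7", 123, 50, 2500),
    ("198.51.100.7", 123, "203.0.113.9", 40001, 5000, 2400000),
    ("198.51.100.8", 123, "203.0.113.9", 40002, 3000, 1440000),
    ("192.0.2.10", 123, "192.0.2.20", 123, 10, 900),
    ("192.0.2.20", 123, "192.0.2.10", 123, 10, 900),
]


def amplification_by_pair(flows):
    """Return {(server, client): (bytes_in, bytes_out, ratio)} for client<->server NTP traffic.

    Server-to-server exchanges (both ports 123) are ignored: they are symmetric
    peering, not the query/response pattern that amplification abuses.
    """
    inbound = defaultdict(int)   # bytes of requests reaching the server
    outbound = defaultdict(int)  # bytes of responses leaving the server
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if dport == NTP_PORT and sport != NTP_PORT:
            inbound[(dst, src)] += nbytes
        elif sport == NTP_PORT and dport != NTP_PORT:
            outbound[(src, dst)] += nbytes
    result = {}
    for key in set(inbound) | set(outbound):
        bytes_in, bytes_out = inbound.get(key, 0), outbound.get(key, 0)
        # No observed request at all is the strongest signal: the request
        # was spoofed from elsewhere, so treat the ratio as unbounded.
        ratio = bytes_out / bytes_in if bytes_in else float("inf")
        result[key] = (bytes_in, bytes_out, ratio)
    return result


def suspected_reflections(flows, min_ratio=10.0, min_bytes=1_000_000):
    """Server/client pairs where responses dwarf requests and volume is material.

    The thresholds are constructed defaults; tune them to your baseline.
    """
    return sorted(
        (server, client, ratio)
        for (server, client), (_bi, bytes_out, ratio) in amplification_by_pair(flows).items()
        if ratio >= min_ratio and bytes_out >= min_bytes
    )


if __name__ == "__main__":
    for server, client, ratio in suspected_reflections(SAMPLE_FLOWS):
        print(f"reflector {server} -> victim {client}: amplification x{ratio:.0f}")
```

Run against real exports, the same logic works from either side: on the server's network it tells you which of your own NTP hosts are being used as reflectors (and which outside address is the victim), and on the victim's network it lists the reflectors to report or filter. The `inf` case matters in practice, because the spoofed requests travel from the attacker to the reflector and never cross the victim's links.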