Why are network time protocol amplification attacks more disruptive than other DDoS attacks?

aiden

Earlier this week, there was a DDoS attack on a Cloudflare customer that reached 400 gigabits per second and actually slowed network traffic across Europe. Apparently, it was a network time protocol amplification attack. What makes this type of attack so much more disruptive than other types of DDoS attacks?

Tags: DDoS
Topic: Security

Answers

2 total
jimlynch
Vote Up (7)

US-CERT Warns of NTP Amplification Attacks
http://threatpost.com/us-cert-warns-of-ntp-amplification-attacks/103573

"US-CERT has issued an advisory that warns enterprises about distributed denial of service attacks flooding networks with massive amounts of UDP traffic using publicly available network time protocol (NTP) servers.

Known as NTP amplification attacks, hackers are exploiting something known as the monlist feature in NTP servers, also known as MON_GETLIST, which returns the IP address of the last 600 machines interacting with an NTP server. Monlists is a classic set-and-forget feature and is used generally to sync clocks between servers and computers. The protocol is vulnerable to hackers making forged REQ_MON_GETLIST requests enabling traffic amplification."

ehtan
Vote Up (6)

There is an article here on IT World about this attack that you might like to check out.

 

Here is a description of these types of attacks from US-CERT that you also might find useful:

"Recently, certain UDP protocols have been found to have particular responses to certain commands that are much larger than the initial request.  Where before, attackers were limited linearly by the number of packets directly sent to the target to conduct a DoS attack, now a single packet can generate tens or hundreds of times the bandwidth in its response.  This is called an amplification attack, and when combined with a reflective DoS attack on a large scale it makes it relatively easy to conduct DDoS attacks." 

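The size imbalance between request and response described in the answers above can be measured from a packet capture. The following is an added example, not part of the original posts: it assumes the mode 7 header layout and monlist request codes from ntpd's ntp_request.h, and the sample packets, sizes and addresses are constructed.

```python
import struct
from collections import defaultdict

NTP_PORT = 123
MODE_PRIVATE = 7          # NTP mode 7 carries ntpdc queries such as monlist
MONLIST_CODES = {20, 42}  # REQ_MON_GETLIST, REQ_MON_GETLIST_1 (ntpd ntp_request.h)

def classify(payload):
    """Label a UDP/123 payload as a monlist request, a monlist response, or None."""
    if len(payload) < 4:
        return None
    flags, _seq, _impl, code = struct.unpack("!BBBB", payload[:4])
    if flags & 0x07 != MODE_PRIVATE or code not in MONLIST_CODES:
        return None
    return "response" if flags & 0x80 else "request"  # top bit marks a response

def amplification_report(packets, min_factor=10.0):
    """packets: (src, sport, dst, dport, payload) tuples seen at one capture point.
    Returns {(server, target): factor} where monlist response bytes are at least
    min_factor times the request bytes that claimed to come from target."""
    req, resp = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, payload in packets:
        kind = classify(payload)
        if kind == "request" and dport == NTP_PORT:
            req[(dst, src)] += len(payload)    # src may be forged
        elif kind == "response" and sport == NTP_PORT:
            resp[(src, dst)] += len(payload)
    report = {}
    for pair, out_bytes in resp.items():
        in_bytes = req.get(pair, 0)
        # No request seen (e.g. capture taken at the target): report as infinite.
        factor = out_bytes / in_bytes if in_bytes else float("inf")
        if factor >= min_factor:
            report[pair] = factor
    return report

def _pkt(response, size, code=42):
    """Constructed payload: 4-byte mode 7 header padded with zeros to size."""
    flags = (0x80 if response else 0) | (2 << 3) | MODE_PRIVATE
    return bytes([flags, 0, 3, code]) + bytes(size - 4)

# Constructed sample capture (documentation addresses, made-up sizes).
SAMPLE = [("198.51.100.7", 40000, "192.0.2.10", 123, _pkt(False, 44))]
SAMPLE += [("192.0.2.10", 123, "198.51.100.7", 40000, _pkt(True, 440))] * 10
SAMPLE += [("192.0.2.10", 123, "203.0.113.5", 5353, _pkt(True, 440))] * 3
SAMPLE += [("203.0.113.9", 50000, "192.0.2.10", 123, bytes([0x23]) + bytes(47))]  # ordinary client query

if __name__ == "__main__":
    for (server, target), factor in amplification_report(SAMPLE).items():
        print(f"{server} -> {target}: x{factor:.0f}")
```

A server that shows up in the report is answering monlist queries; `disable monitor` in ntp.conf turns the feature off.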