NTP Amplification

What is an NTP Amplification Attack

NTP amplification is a type of Distributed Denial of Service (DDoS) attack in which the attacker exploits publically-accessible Network Time Protocol (NTP) servers to overwhelm the targeted with User Datagram Protocol (UDP) traffic.

Network Time Protocol (NTP) is one of the oldest network protocols, and is used by Internet-connected machines to synchronize their clocks. In addition to clock synchronization, older versions of NTP support a monitoring service that enables administrators to query a given NTP server for a traffic count. This command, called “monlist,” sends the requester a list of the last 600 hosts that connected to the queried server.

In the most basic type of NTP amplification attack, an attacker repeatedly sends the “get monlist” request to an NTP server, while spoofing the requesting server’s IP address to that of the victim server. The NTP server responds by sending the list to the spoofed IP address.

This response is considerably larger than the request, amplifying the amount of traffic directed at the target server and ultimately leading to a degradation of service for legitimate requests.

Attack Description

NTP amplification is essentially a type of reflection attack. Reflection attacks involve eliciting a response from a server to a spoofed IP address. The attacker sends a packet with a forged IP address (the victim’s) and the server replies to this address.

NTP Amplification attack - 180Gbps and 50MppsIncapsula protects against a NTP amplification attack: 180Gbps and 50 million packets per second

Reflection attacks are dangerous. But they are even more dangerous when amplified. “Amplification,” in this context, refers to eliciting a server response that is disproportionate to the original packet request sent. In the case of NTP amplification, this refers to the size of the “monlist” as opposed to the size of the original packet.

In typical DNS amplification, the ratio of query size to response size is 70:1. This means that an attacker who controls 1 machine with 1Gbps could effectively direct 70Gbps of traffic toward the targeted server.

In an NTP amplification attack, the query-to-response ratio is anywhere between 20:1 and 200:1 or more. This means that any attacker that obtains a list of open NTP servers (e.g., by using tool like Metasploit or data from the Open NTP Project) can easily generate a devastating high-bandwidth, high-volume DDoS attack.

Methods of Mitigation

Like with many other DDoS threats, mitigation of NTP amplification attacks is challenging because the responses from the NTP servers are ostensibly legitimate traffic from valid servers.

Moreover, the sheer volume of DDoS traffic could easily overwhelm even the most resilient of network infrastructures. As a result, mitigation is achieved through a combination of overprovisioning and traffic filtering.

Incapsula protects against volumetric DDoS threats by leveraging its global scrubbing network, which scales on demand to absorb and deflect multi-10Gbps DDoS threats—including NTP amplification attacks.

Incapsula's proxy position ensures that DDoS traffic is filtered outside of the client's network, where it can't cause any harm to its target.

Learn more about Incapsula DDoS Protection services.