Enter NTP – Hackers new favorite weapon

Lately, the DDoS world record was broken (again). An unprecedented scale Cyber-attack of 400Gbps symbolizes the rise of using the favorite NTP protocol for attacks.

What could be described as a continuation of a disturbing trend, in recent days we have witnessed attacks that become much stronger from multiple various factors on the internet, especially during the last week.

The current assault is a huge step-up attack compared to an earlier large attack that was identified last year, which was at rate of “only” 300Gbps – an attack that can affect every international organization, and sometimes even neutralize them. Last year the effects of the attack was felt by many users in North America, which reported slowdowns in streaming services such as Netflix and others.

To understand the importance of the attack and some of its implications, it is important to understand its essence. DDoS attacks (Distributed Denial of Service) is a sub-type of DoS attack (Denial of Service). As part of a regular DoS attack, a  terminal connected to the Internet posts bits of information to a particular IP address that was pre-selected as a target. The terminal can be a laptop, desktop, smartphone or any other internet-connected device. These pieces do not contain any important or relevant information, but their role is simply to engage the target server, and if enough pieces are sent, the server will have no choice but to ignore requests from regular users. For them, the site would look like inoperative, although it is still there and working normally in the background.

Dealing with DoS attack is relatively simple, because once the IP address of the attacker is identified, it can be blocked, which usually is enough to end the effect of the attack on the server. That is where DDoS attack comes in, in which attackers can use hundreds of thousands of source point devices in parallel, so that it is very difficult to block them by identifying and blocking specific IP addresses.

The last attack involved using NTP (Network Time Protocol) to flood the target server. This use has been identified and reported publicly for the first time last year. Repeated use of this protocol is a warning sign to security professionals around the world, since it is now clear that the use of this protocol was not a single event, and it is critical to prepare better protection of essential services accordingly.

To enhance the impact of the current attack, attackers have used what is called “Reflection Attack”, in which the attacker does not attack the target computer directly, but sends a query to unrelated third party devices, pretending as the target computer. The third-party devices identify the IP of the applicant (which is disguised as the target computer), and naturally send the response to the target computer. That way attackers further complicate their identification, by exploiting the structure of the NTP protocol.

The choice in NTP is not accidental. The protocol allows sending short queries, which a much more significant long reply would be sent in response. So, you can imagine the consequences of the enormous quantity of data sent towards the attacked computers from all the third-party devices that unwillingly participated in this attack, whether those servers are Gmail, Netflix, your website storage company or the company that stores your blogs.