http://www.prolexic.com/knowledge-center-ddos-threat-advisory-ntp-amplification.html?cvosrc=3rdParty.NationalPositions.NTP-AMP-NP | New DDoS toolkits that make it simple from malicious actors to generate high-bandwidth, high-volume DDoS attacks against online targets using the NTP amplification attack method. Find out what you can do to protect your network and website from this DDoS attack vector in this short slide presentation from Prolexic.

1. www.prolexic.com
NTP-AMP: DDoS Amplification Tactics
Highlights from a Prolexic DDoS Threat Advisory

2. www.prolexic.com
What is DDoS amplification?
• Amplification makes a DDoS attack stronger
• An attacker sends a small message to a third-party
server, pretending to be the target
• The server responds with a much larger message
to the target
• Repeated requests result in a denial of service
attack
– The flood of unwanted traffic keeps the target site too
busy, causing it to crash or respond too slowly to users

3. www.prolexic.com
Why NTP amplification?
• Network Time Protocol (NTP) is a common
Internet protocol
• Servers use NTP to synchronize computer clocks
• Some versions of NTP are vulnerable to use in
DDoS amplification attacks
• Attackers create lists of vulnerable servers
• A DDoS attack tool called NTP-AMP uses NTP and
amplification lists to create massive denial of
service attacks

4. www.prolexic.com
NTP attacks: an emerging DDoS trend

5. www.prolexic.com
Many industries have been targeted
• Finance
• Gaming
• e-Commerce
• Internet
• Media
• Education
• Software-as-a-service (SaaS)
• Security

6. www.prolexic.com
How NTP-AMP works
• monlist: IP addresses and statistics for the last 600
clients that have asked an NTP server for the time
• The NTP-AMP tool asks an NTP server for its monlist,
while pretending to be the target.
• The NTP server sends its monlist to the target.
• The monlist is big!
– In a worse-case situation, a single 60-byte request
packet could generate a 22,000-byte response
• The attacker may use many NTP servers, but with this
much amplification, fewer are needed

7. www.prolexic.com
Don’t be a part of an attack: Configure your
NTP servers properly
• Got an NTP
server?
• Run a monlist
query.
• If you get a
response like
this one, it is
imperative that
you change the
server
configuration to
disable this type
of response.

8. www.prolexic.com
If you are a target of an NTP attack
• NTP-AMP is in active use in DDoS attack campaigns
• Prolexic stops NTP-AMP attacks
• The NTP-AMP Threat Advisory by the Prolexic
Security Engineering and Response Team (PLXsert)
explains how to mitigate NTP-AMP DDoS attacks
– Target mitigation using ACL entries
– NTP-AMP IDS Snort Rule against victim NTP server

9. www.prolexic.com
Threat Advisory: NTP-AMP DDoS toolkit
• Download the threat advisory, NTP-AMP:
Amplification Tactics and Analysis
• This DDoS threat advisory includes:
– Indicators of the use of the NTP-AMP toolkit
– Analysis of the source code
– Use of monlist as the payload
– The SNORT rule and target mitigation using ACL entries
for attack targets
– Mitigation instructions for vulnerable NTP servers
– Statistics and payloads from two observed NTP
amplification DDoS attack campaigns

10. www.prolexic.com
About Prolexic (now part of Akamai)
• Prolexic Technologies is the world’s largest and
most trusted provider of DDoS protection and
mitigation services
• Prolexic has successfully stopped DDoS attacks for
more than a decade
• Our global DDoS mitigation network and 24/7
security operations center (SOC) can stop even the
largest attacks that exceed the capabilities of other
DDoS mitigation service providers