An NTP amplification attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker exploits Network Time Protocol (NTP) server functionality to overwhelm a targeted network or server with an amplified volume of UDP traffic, rendering the target and its surrounding infrastructure inaccessible to regular traffic.
An NTP amplification attack can be broken down into four steps:
- The attacker uses a botnet to send UDP packets with spoofed IP addresses to an NTP server with its monlist command enabled. The spoofed IP address on each packet points to the victim’s real IP address.
- Each UDP packet makes a request to the NTP server using its monlist command, resulting in a large response.
- The server then responds to the spoofed address with the resulting data.
- The IP address of the target receives the response, and the surrounding network infrastructure becomes overwhelmed by the deluge of traffic, resulting in a denial of service.
As the attack traffic looks like legitimate traffic coming from valid servers, mitigating this sort of attack traffic without blocking real NTP servers from legitimate activity is difficult. Because UDP packets do not require a handshake, the NTP server will send large responses to the targeted server without verifying that the request is authentic. These facts, coupled with a built-in command that sends a large response by default, make NTP servers an excellent reflection source for DDoS amplification attacks.
Other UDP-based reflection attacks work on the same principle, so protection can also be keyed on the UDP source port of the reflected traffic. The following reflection ports are commonly abused:
| Type | Port |
| --- | --- |
| Jenkins | 33848 |
| SNMP | 161 |
| WSDD | 3702 |
| SSDP | 1900 |
| COAP | 5683 |
| DNS | 53 |
| MySQL | 1434 |
| Memcache | 11211 |
| NTP | 123 |
| CharGen | 19 |
| ARMS | 3293 |
| CLDAP | 389 |
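The two traits described above, reflected UDP traffic that arrives from real servers and responses far larger than any request, are also what a detector can key on. The following is an added example, not code from the article or from NSFOCUS ADS: it runs a simple reflection/amplification check over a handful of constructed flow records, using the port table above as its list of reflection services. The flow-record format, the 400-byte average-packet-size threshold, and the "three distinct reflectors" rule are assumptions chosen for the illustration.

```python
# Added example (not part of the original article): flag UDP reflection
# traffic in flow records and group it by the destination being flooded.
from collections import defaultdict
from dataclasses import dataclass

# Reflection service ports exactly as listed in the article's table.
REFLECTION_PORTS = {
    33848: "Jenkins", 161: "SNMP", 3702: "WSDD", 1900: "SSDP", 5683: "COAP",
    53: "DNS", 1434: "MySQL", 11211: "Memcache", 123: "NTP", 19: "CharGen",
    3293: "ARMS", 389: "CLDAP",
}


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line:
    '<src_ip>:<src_port> -> <dst_ip>:<dst_port> <PROTO> <packets> <bytes>'."""
    src, _, dst, proto, packets, octets = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port),
                proto, int(packets), int(octets))


def classify_flow(flow: Flow, min_avg_bytes: int = 400):
    """Return the abused service name if the flow looks like a reflected
    response, else None. Heuristic: UDP, source port is a reflection
    service, and the average packet is large (assumed threshold 400 B).
    An ordinary NTP reply is 76 bytes on the wire, so it passes."""
    if flow.proto != "UDP" or flow.src_port not in REFLECTION_PORTS:
        return None
    if flow.octets / flow.packets < min_avg_bytes:
        return None
    return REFLECTION_PORTS[flow.src_port]


def find_victims(lines, min_reflectors: int = 3):
    """Group suspicious flows by destination IP and service. A genuine
    reflection attack shows many distinct reflectors converging on one
    target, so a single large response from one server is not reported."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        flow = parse_flow(line)
        service = classify_flow(flow)
        if service:
            hits[flow.dst_ip][service].add(flow.src_ip)
    report = {}
    for dst, by_service in hits.items():
        confirmed = {svc: len(srcs) for svc, srcs in by_service.items()
                     if len(srcs) >= min_reflectors}
        if confirmed:
            report[dst] = confirmed
    return report


# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    "203.0.113.10:123 -> 198.51.100.7:55234 UDP 100 44000",  # monlist-sized NTP burst
    "203.0.113.11:123 -> 198.51.100.7:55234 UDP 100 44000",  # second reflector
    "203.0.113.12:123 -> 198.51.100.7:55234 UDP 100 44000",  # third reflector
    "192.0.2.20:123 -> 198.51.100.7:123 UDP 1 76",           # ordinary NTP reply
    "192.0.2.53:53 -> 198.51.100.7:41000 UDP 10 30000",      # one large DNS reflector
    "192.0.2.80:443 -> 198.51.100.7:50000 TCP 20 28000",     # TCP, never reflection here
]

if __name__ == "__main__":
    for dst, services in find_victims(SAMPLE_FLOWS).items():
        for svc, count in services.items():
            print(f"{dst}: {count} distinct {svc} reflectors")
```

Only the NTP traffic is reported for 198.51.100.7: the lone DNS reflector stays below the distinct-source rule, and the 76-byte NTP reply is a normal time exchange. On the server side, the monlist response this detector is tuned for comes from ntpd's mode 7 monitoring interface; disabling it (`disable monitor` together with a `restrict default ... noquery` line in ntp.conf) removes the amplifier entirely and is the complement to the ADS rate-limit and drop actions described below.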
NSFOCUS ADS can prevent NTP reflection attacks with three protection actions in Policy -> Access Control -> Reflection Protection Rules:
- Drop: ADS will drop all NTP traffic.
- Drop and add to blacklist: ADS will drop all NTP traffic and add the source to the blacklist.
- Limit rate: ADS rate-limits NTP traffic to a configured threshold instead of dropping it outright.
You can enable this policy for protection groups.