NTP reflection attacks hit record high

Distributed denial of service attacks that take advantage of misconfigured NTP servers were up 276 percent last quarter compared to the same time last year, reaching a new record high, according to a new report.

Part of the reason for the increase is economics, said report editor Martin McKeay, security advocate at Akamai Technologies.

In an NTP reflection campaign, the attacker sends a short message to an NTP server, and the NTP server replies with a significantly longer message. But instead of going back to the attacker, the response is addressed to the victim of the attack.

This allows the attacker to significantly magnify the amount of traffic hitting the victim all at once.

NTP attacks accounted for more than 15 percent of all attacks in the second quarter of this year. In two-thirds of those attacks, the NTP vector was the only one used.

DDoS attacks are increasingly being provided as a service, and NTP attacks are a better fit.

“It’s cheaper for bad guys to use a single-vector NTP attach than using all their guns,” McKeay said. “And the people paying for it don’t necessarily understand all the bells and whistles that they’re buying, so they’re perfectly happy getting one type of attack.”

In fact, 51 percent of DDoS attacks were single-vector attacks last quarter, compared to 41 percent in the first quarter of the year.

“Previously, there would be all sorts of protocols being mixed together,” McKeay said.

Meanwhile, any one NTP server is used only for a small number of messages.

“You don’t realize you’re being used,” he said. “NTP is far down the list for most administrators.”

Hunting down individual misconfigured NTP servers is also not particularly practical for network carriers, he added.

“It costs money to differentiate between malicious and non-malicious traffic, he said. “For most carriers it’s easier to just let things go than to harass someone to fix that problem.”

One result of the shift to single-vector attacks is that the the median size of attacks has gone down by 36 percent from the previous quarter.

“We’ve never seen that before,” said McKeay. “We almost always have ups. At first, we thought that some of our own instrumentation might be a problem.”

The total number of attacks has continued to rise, however, with a 129 percent increase in total DDoS attacks compared to the same time period last year.

The gaming industry continued to be the most targeted, accounting for 57 percent of all DDoS attacks handled by Akamai last quarter. Software and technology companies were next with 26 percent of attacks, followed by financial services at 5 percent and media and entertainment at 4 percent.

Some gaming organizations see more than 300 attacks per quarter, according to Akamai, where even small attacks can negatively affect game server performance and give some players and advantage over others.