Mitigating 80 Gbps Attacks – NTP Amplification Attacks on the Rise
The recent wave of attacks on EA, Riot Games, Blizzard, Valve, and many others in the past few weeks has utilized a very uncommon attack technique. These attacks are similar in nature to the DNS amplification attacks we wrote about back in September. Those attacks leveraged misconfigured DNS servers to launch very large attacks. We’re now faced with a similar situation.
In the News
It seems that the first high profile attack was against League of Legends, which ended with a police raid on a gamer. A Twitter feed for this can be found at https://twitter.com/DerpTrolling. This group initially targeted http://www.twitch.tv/phantoml0rd and all the games he attempted to stream. Servers that were hit included League of Legends, Defense of the Ancients, and Battle.net. DerpTrolling was able to successfully impact tens of millions of gamers. The group then decided to convince police that he had hostages at his house. This led to a false arrest of Varga.
There’s a continuing Reddit stream about this matter. The content is unedited and simply provided for information.
Network Time Protocol is used to synchronize computers across the world against centralized servers to within a fraction of a second of coordinated universal time (UTC). NTP operates over the public Internet and can achieve fairly high reliability through its algorithm. The protocol is traditionally used in a client-server fashion. NTP is susceptible to man-in-the-middle attacks unless cryptographic security is employed. NTP operates on port 123 TCP and UDP.
# grep -w ntp /etc/services
ntp 123/udp # Network Time Protocol
NTP amplification attacks work similarly to other UDP amplification attacks. The attacker sends a small packet with a spoofed source address via UDP to the NTP server. This packet contains a command like ‘monlist’, which requests a large amount of data from the NTP server. The NTP server sends this data to the spoofed source address from the original small packet. In effect, a few bytes of data can generate megabytes’ worth of traffic.
Fixing the Problem
The easiest way to fix the problem is to update your NTP to version 4.2.7. This removes the ‘monlist’ command. Otherwise, you can disable querying via a configuration change:
# grep -ai query /etc/ntp.conf
# Prohibit general access to this service.
restrict default ignore
restrict xxx.xxx.xxx.xxx mask 255.255.255.255 nomodify notrap noquery
This will prevent your NTP server from being leveraged to launch DDoS attacks against other networks.
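The following is an added example, not part of the original post, that audits an ntp.conf text for the two mitigations given above (a `restrict default` line carrying `ignore` or `noquery`) plus `disable monitor`, which also switches off the data ‘monlist’ returns. The sample configurations are constructed; 192.0.2.10 is a documentation address standing in for the xxx.xxx.xxx.xxx host.

```python
"""Audit an ntp.conf for monlist exposure (added example, not the post's code)."""
from typing import Dict, List, Set

# restrict flags that deny mode 6/7 queries; monlist is a mode 7 query.
QUERY_BLOCKING = {"ignore", "noquery"}


def _tokens(line: str) -> List[str]:
    """Split one config line, dropping '#' comments and blank lines."""
    return line.split("#", 1)[0].split()


def restrict_defaults(conf: str) -> Dict[str, Set[str]]:
    """Flags of each 'restrict default' line keyed by address family:
    'any' for a bare default, '4' or '6' for 'restrict -4/-6 default'."""
    defaults: Dict[str, Set[str]] = {}
    for line in conf.splitlines():
        tok = _tokens(line)
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        family = "any"
        if tok[1] in ("-4", "-6"):            # family-specific default line
            family, tok = tok[1][1], tok[:1] + tok[2:]
        if len(tok) >= 2 and tok[1] == "default":
            defaults[family] = set(tok[2:])   # per-host restrict lines are skipped
    return defaults


def monlist_exposed(conf: str) -> List[str]:
    """Address families ('4', '6') that would still answer monlist from
    arbitrary sources; an empty list means the server is mitigated."""
    if any(_tokens(ln)[:2] == ["disable", "monitor"] for ln in conf.splitlines()):
        return []                             # no monitor data left to leak
    defaults = restrict_defaults(conf)
    return [fam for fam in ("4", "6")
            if not defaults.get(fam, defaults.get("any", set())) & QUERY_BLOCKING]


# Constructed sample configs: no default restriction, IPv4-only fix, the post's fix.
WEAK_CONF = "driftfile /var/lib/ntp/drift\nrestrict 127.0.0.1\nserver 0.pool.ntp.org\n"
HALF_CONF = "restrict -4 default kod nomodify notrap nopeer noquery\n"  # IPv6 left open
FIXED_CONF = ("# Prohibit general access to this service.\n"
              "restrict default ignore\n"
              "restrict 192.0.2.10 mask 255.255.255.255 nomodify notrap noquery\n")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("half", HALF_CONF), ("fixed", FIXED_CONF)):
        print(name, "monlist still answered on IPv:", monlist_exposed(conf))
```

Note that a `restrict -4 default` line alone leaves the IPv6 side open, which the audit reports as family `6`.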
You can also enable NTP Autokey. Information can be found here. This is supported in version 4.2.6 or later.
Staminus currently mitigates this attack without a problem. Our customer in the above graph received these attacks quite frequently and stayed up without impact. On average, we see these attacks exceed 40 Gbps. Often, we see them mixed with a SYN/ACK flood to generate a fairly complex flood containing both volumetric and CPU-impacting attacks.
 - http://www.reddit.com/r/gaming/comments/1uacp8/derptrolling_is_currently_ddos_on_steam_and_ea/