An NTP amplification attack is one in which the perpetrator seeks to overwhelm a targeted server and its surrounding infrastructure with UDP traffic by exploiting publicly accessible Network Time Protocol (NTP) servers. This type of DDoS attack is known as an amplification assault because the query-to-response ratio is anywhere between 1:20 and 1:200 or upwards. It is one of the most devastating high-bandwidth, high-volume types of DDoS attacks.
An attacker begins by obtaining a list of open NTP servers (e.g. by using a tool such as Metasploit or data from the Open NTP Project).
The Network Time Protocol serves a useful function in Internet architecture by helping Internet-connected devices synchronize their internal clocks. On some NTP servers, an attacker is able to abuse the monlist command to multiply their initial request traffic, since a small query produces a large response. On older devices this command is enabled by default, and it responds with the last 600 source IP addresses of requests that the NTP server has received. The monlist response from such a server is 206 times larger than the original request. Therefore, an attacker with just 1GB of Internet traffic is able to carry out a 200+ gigabyte attack – a massive amplification attack.
An NTP amplification attack can be broken into four phases:
(i) The threat actor employs a botnet to send UDP packets with spoofed source IP addresses to an NTP server that has its monlist command enabled. The spoofed source addresses are set to the real IP address of the target.
(ii) Each UDP packet issues a monlist request to the NTP server, leading to a large response.
(iii) The server sends the requested data to the spoofed address, i.e. to the target.
(iv) The target's IP address receives the responses, and its surrounding network infrastructure is deluged with traffic, leading to a denial-of-service.
NTP servers are an attractive reflection source for DDoS amplification attacks for two main reasons: the monlist command, where enabled by default, returns a large response to a small query, and NTP runs over UDP, which requires no handshake, so the server answers in volume without first verifying that the request's source address is genuine.
All amplification attacks work by exploiting the difference in bandwidth between the attacker and the target. By sending small queries that produce large responses, the attacker gets more from less. When a botnet is used to multiply the attack, the threat actor both hides the true origin of the traffic and benefits from massively increased attack volume.