Timing Network DDoS Attacks Growing
The United States Computer Emergency Readiness Team (US-CERT) is warning of an increased risk from DDoS attacks that leverage the Network Time Protocol (NTP) to amplify the attack volume.
NTP is a widely deployed Internet protocol used primarily for clock synchronization. Ordinary time requests to an NTP server are not, however, what attackers are using to execute DDoS attacks.
Instead, attackers are abusing a feature in NTP that enables administrators to query an NTP server about connected clients and their traffic counts. The query is made via a "monlist" command.
"This command causes a list of the last 600 IP addresses which connected to the NTP server to be sent to the victim," US-CERT warns. "Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim."
US-CERT also warns that since NTP traffic is typically considered legitimate, it can be difficult for administrators to block the attack.
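To separate the monlist traffic described above from ordinary time synchronization, a defender can inspect the UDP/123 payload header. The following is an added example, not code from US-CERT or this article: it classifies payloads by NTP mode and request code (monlist uses mode 7 with request code 20 or 42 in ntpd) and computes the response-to-request byte ratio per server and client pair. The function names, addresses and sample payloads are constructed for illustration.

```python
import struct
from collections import defaultdict

MODE_PRIVATE = 7           # NTP mode 7, the ntpdc "private" query mode
MONLIST_CODES = {20, 42}   # request codes MON_GETLIST and MON_GETLIST_1

def classify(payload: bytes) -> str:
    """Label one UDP/123 payload by what its header says it is."""
    if len(payload) < 8:
        return "malformed"
    flags, _seq, _impl, req = struct.unpack("!BBBB", payload[:4])
    if flags & 0x07 != MODE_PRIVATE:
        return "ntp"                       # ordinary time exchange
    if req not in MONLIST_CODES:
        return "other-mode7"
    # The top bit of the first byte is the response flag in mode 7.
    return "monlist-response" if flags & 0x80 else "monlist-request"

def amplification(records):
    """records: iterable of (src, dst, payload) observed at the NTP server.
    Returns {(server, client): monlist response bytes / request bytes}."""
    req_bytes = defaultdict(int)
    resp_bytes = defaultdict(int)
    for src, dst, payload in records:
        kind = classify(payload)
        if kind == "monlist-request":
            req_bytes[(dst, src)] += len(payload)
        elif kind == "monlist-response":
            resp_bytes[(src, dst)] += len(payload)
    return {pair: resp_bytes[pair] / req_bytes[pair]
            for pair in resp_bytes if req_bytes.get(pair)}

# Constructed sample payloads (not captured traffic); addresses are
# from the documentation ranges.
REQUEST = bytes.fromhex("1700032a") + bytes(4)
RESPONSE = (bytes.fromhex("d700032a") + struct.pack("!HH", 6, 72)
            + bytes(6 * 72))              # 6 entries of 72 bytes each
CLIENT = bytes([0x23]) + bytes(47)        # version 4, mode 3 time request
SERVER, VICTIM = "192.0.2.10", "198.51.100.7"
RECORDS = ([(VICTIM, SERVER, REQUEST)]
           + [(SERVER, VICTIM, RESPONSE)] * 3
           + [(VICTIM, SERVER, CLIENT)])

if __name__ == "__main__":
    for pair, ratio in amplification(RECORDS).items():
        print(pair, f"{ratio:.0f}x")
```

A server that shows any monlist responses leaving toward the Internet is a candidate for disabling the monitor feature or restricting mode 7 queries.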