NTP and DDOS attacks – Preparing for the worst

(Ping! Zine Web Tech Magazine) – Distributed Denial of Service (DDoS) was once just an annoyance, but as the world becomes more reliant on online facilities there is both a repetitional and financial impact from a DDoS attack. These attacks can come from hackers, competitors, disgruntled staff or clients, and their goal is to overwhelm a service to the point where it no longer works.

There is ever increasing pressure from customers for hosting companies to offer resilient networks with DDoS protection. They have to supply geographically diverse connectivity and an option of having multiple connections to the hosted solution.

A new threat

Recently, the rise of UDP (User Datagram Protocol) and NTP (Network Time Protocol) based DDoS attacks have seen even high capacity networks swamped, bringing part, or all, of the network offline.

NTP is used by machines connected to the internet to set their clocks correctly, and they will often synchronise throughout the day. Unfortunately NTP is prone to amplification as it will reply to a packet with a spoof IP address, and will also send large replies to short requests.

NTP contains a command called ‘monlist’ which can be sent to an unsecured NTP, and returns the IP addresses of the last machines that the NTP sever has interacted with, up to 600 of them. This response is huge compared to the request sent and makes it an ideal target for an amplification attack. The size of responses would use high levels of resources and it is not uncommon for even networks with huge capacity to have all their bandwidth consumed in this form of attack.

The more worrying aspect of NTP amplification is that these servers are relatively easy to find and approximately 7 million are insecure and open for attack. (http://www.arbornetworks.com/asert/2014/02/ntp-attacks-welcome-to-the-hockey-stick-era/)

So what can you do to protect your network? 

Prepare and protect: If you are using an NTP server within your network, protect your network (and others) by deploying secure settings – don’t just accept the defaults.

Scan regularly: Check that your host scans regularly to identify insecurely configured services that can be abused by attackers. Make sure that the provider has a policy in place to ensure that these insecure services are repaired and patched to regain secure status.

Prepare in advance:Early detection can be crucial in saving yourself money and reputation. Make use of automated monitoring tools with email or SMS notifications for unusual bandwidth usage. This way, you’ll get a warning hopefully early enough to shut the affected servers down before the damage spreads too far.

Larger DDoS attack may block the remote access monitoring and access to the server. Make sure that your hosting company has staff on-site 24/7 to manage the server and help if there is an attack.

Identify the attack:Early detection is essential, but it is only one piece of the puzzle; identifying the type of attack can be just as important.

You, or your host, needs to make use of packet analysis or flow tools to be able to inspect the traffic. This will let you see what type of traffic is being passed, where it is coming from and where it is going to.

Block it:Once you know what type of attack you are dealing with, you might be able stop it by setting up an access list within your firewall or router to drop the traffic or at the very least rate-limit a specific protocol (such as NTP) down to a manageable level if you can’t identify all the sources of the attack.

However, it is possible that a high-bandwidth attack may exhaust your WAN link, which will result in your service still being unreachable. Sometimes you may need help from your connectivity provider/ISP, who will do the blocking for you.

Ask your web host if it offers ’clean pipe’ hosting with automatic DDoS suppression which can be used to actively monitor your traffic for signs of a DDoS attack and then actively work to block any attack before it reaches your servers.


As cybercrime gets more sophisticated, businesses must be able to adapt to these new security threats. There are no methods or tools that can completely prevent DDoS attacks from happening, but preparing and having measures in place to help your company overcome them is a great step in ensuring you are prepared.

About the author

David Barker is the technical director of 4D Hosting, having founded the company in 1999 when he was 14. In 2007 he bought an industrial unit on the outskirts of London and set up 4D Data Centres as a colocation and connectivity supplier for small businesses in the South East of England.

In 2013, 4D Hosting re-launched with a focus on providing premium hosting packages and 24/7 support from its own engineers to technology companies, developers and geeks.

Tweet him on @David_4D.