There has been an unprecedented spike in volumetric attacks driven by the proliferation of network time protocol (NTP) reflection and amplification attacks, according to distributed denial-of-service (DDoS) data released by Arbor Networks.
NTP is a user datagram protocol (UDP)-based protocol used to synchronize clocks over a computer network. Source IP addresses can be spoofed by attackers who have control of compromised or ‘botted’ hosts residing on networks that have not implemented basic anti-spoofing measures, so that NTP servers send their responses to the spoofed address, the victim, rather than to the attacker. NTP is popular with attackers due to its high amplification ratio of about 1000x. Arbor said attack tools are becoming readily available, making such attacks easy to execute.
The data was derived from the DDoS protection provider’s ATLAS threat monitoring infrastructure. ATLAS is a collaborative partnership with nearly 300 service provider customers who share anonymous traffic data with Arbor to deliver a view of global traffic and threats.
Average global NTP traffic in November 2013 was 1.29 gigabytes per second (GB/sec); by February 2014 it was up to 351.64 GB/sec. NTP was used in 14 per cent of DDoS events overall, but in 56 per cent of events over 10 GB/sec and 84.7 per cent of events over 100 GB/sec.
Overall the most common targets were the United States, France and Australia. The US and France were the most common targets for large attacks.
Arbor Networks director of solutions architects, Darren Anstee, said the spike in size and frequency of the attacks is unprecedented based on the 14 years' worth of data the company has collected.
“These attacks have become so large, they pose a very serious threat to Internet infrastructure, from the ISP to the enterprise.”