NTP reflection attacks hit record high

Distributed denial of service attacks that take advantage of misconfigured NTP servers were up 276 percent last quarter compared to the same time last year, reaching a new record high, according to a new report.

Part of the reason for the increase is economics, said report editor Martin McKeay, security advocate at Akamai Technologies.

In an NTP reflection campaign, the attacker sends a short message to an NTP server, and the NTP server replies with a significantly longer message. But instead of going back to the attacker, the response is addressed to the victim of the attack.

This allows the attacker to significantly magnify the amount of traffic hitting the victim all at once.
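A server operator's view of the exchange described above, as an added example that is not part of the original article: it totals UDP port 123 bytes per peer from flow records and flags peers that receive many times more than they appear to send. The flow records, addresses, function name and the 5x threshold are constructed assumptions.

```python
from collections import defaultdict

NTP_PORT = 123

# Constructed flow records (not real traffic), as seen at the NTP server:
# (src_ip, src_port, dst_ip, dst_port, udp_payload_bytes)
SAMPLE_FLOWS = [
    # Ordinary time sync: request and reply are the same size.
    ("198.51.100.7", 40001, "192.0.2.10", 123, 48),
    ("192.0.2.10", 123, "198.51.100.7", 40001, 48),
    ("198.51.100.9", 40022, "192.0.2.10", 123, 48),
    ("192.0.2.10", 123, "198.51.100.9", 40022, 48),
    # One short request whose source address is the victim's,
    # answered with several long packets sent to that address.
    ("203.0.113.50", 59876, "192.0.2.10", 123, 40),
    ("192.0.2.10", 123, "203.0.113.50", 59876, 400),
    ("192.0.2.10", 123, "203.0.113.50", 59876, 400),
    ("192.0.2.10", 123, "203.0.113.50", 59876, 400),
    ("192.0.2.10", 123, "203.0.113.50", 59876, 400),
]


def reflection_suspects(flows, server_ip, min_ratio=5.0):
    """Return {peer_ip: reply/request byte ratio} for lopsided NTP peers."""
    requested = defaultdict(int)  # bytes arriving at the server, per claimed source
    answered = defaultdict(int)   # bytes the server sent back, per destination
    for src, sport, dst, dport, size in flows:
        if dst == server_ip and dport == NTP_PORT:
            requested[src] += size
        elif src == server_ip and sport == NTP_PORT:
            answered[dst] += size

    suspects = {}
    for peer, sent in answered.items():
        asked = requested.get(peer, 0)
        if asked == 0:
            # Reply without a captured request (e.g. asymmetric capture):
            # no ratio can be computed, so it is not scored here.
            continue
        ratio = sent / asked
        if ratio >= min_ratio:
            suspects[peer] = round(ratio, 1)
    return suspects


if __name__ == "__main__":
    for peer, ratio in reflection_suspects(SAMPLE_FLOWS, "192.0.2.10").items():
        print(f"{peer}: server replied with {ratio}x the bytes it was sent")
```

A peer flagged here is most likely the victim whose address was forged, so the fix belongs on the server's configuration rather than in blocking that peer.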

NTP attacks accounted for more than 15 percent of all attacks in the second quarter of this year. In two-thirds of those attacks, the NTP vector was the only one used.

DDoS attacks are increasingly being provided as a service, and NTP attacks are a better fit for that model.

"It's cheaper for bad guys to use a single-vector NTP attack than using all their guns," McKeay said. "And the people paying for it don't necessarily understand all the bells and whistles that they're buying, so they're perfectly happy getting one type of attack."

In fact, 51 percent of DDoS attacks were single-vector attacks last quarter, compared to 41 percent in the first quarter of the year.

"Previously, there would be all sorts of protocols being mixed together," McKeay said.


Meanwhile, any one NTP server is used only for a small number of messages.

"You don't realize you're being used," he said. "NTP is far down the list for most administrators."

Hunting down individual misconfigured NTP servers is also not particularly practical for network carriers, he added.

"It costs money to differentiate between malicious and non-malicious traffic," he said. "For most carriers it's easier to just let things go than to harass someone to fix that problem."

One result of the shift to single-vector attacks is that the median size of attacks has gone down by 36 percent from the previous quarter.

"We've never seen that before," said McKeay. "We almost always have ups. At first, we thought that some of our own instrumentation might be a problem."

The total number of attacks has continued to rise, however, with a 129 percent increase in total DDoS attacks compared to the same time period last year.

The gaming industry continued to be the most targeted, accounting for 57 percent of all DDoS attacks handled by Akamai last quarter. Software and technology companies were next with 26 percent of attacks, followed by financial services at 5 percent and media and entertainment at 4 percent.

Some gaming organizations see more than 300 attacks per quarter, according to Akamai, where even small attacks can negatively affect game server performance and give some players an advantage over others.
