Recently, hackers exploited key vulnerabilities in the Network Time Protocol (NTP) to attack servers based in Europe. NTP, used to synchronize computer clocks, is one of several protocols used within the infrastructure of the internet to keep things running smoothly. First implemented in 1985, NTP is one of the oldest IP protocols still in use, both in Unix/Linux and Windows environments. In Unix/Linux environments it runs as the ntpd daemon, and under Windows it runs as a service (the Windows Time service, W32Time) that synchronizes a computer's clock to the NTP server.
The massive NTP server attack was described by online security specialists Cloudflare as the biggest attack of its kind. Measured at around 400 gigabits per second, the exploit flooded target servers with huge amounts of data through a Distributed Denial of Service (DDoS) attack. In a DDoS attack, massive amounts of data are directed at a target, which is overwhelmed and forced offline, preventing it from carrying out its intended function.
There are thousands of NTP servers worldwide. Security experts had predicted that NTP had the potential to be exploited for malicious purposes because the protocol has two main weaknesses:
- Computers that request time synchronization from the NTP server will send a small packet of data when making a request. The NTP server will respond, but the problem is related to the amount of data that the NTP server sends back. The packet returned is much larger than the one received, which means that an attack exploiting this data exchange will be significantly amplified.
- The return address (location) of the computer making the synchronization request can be spoofed, meaning that the NTP server can be tricked into returning the information to a different computer than the one that made the synchronization request. In attacks such as these, many computers were probably used to make NTP requests, but the locations of these machines were spoofed by hackers so that the enormous volume of data originating from the NTP servers was diverted to a single target. This is called an amplification attack because an attacker can take a small amount of bandwidth originating from a small number of machines throughout the internet and turn it into an enormous traffic load directed against the victim. Since the attack comes from numerous locations across the internet, it is virtually impossible to prevent.
DDoS attacks cannot be prevented, but they can be mitigated by technologies that monitor the network and detect when a large amount of data is converging on a single destination. The simplest solution is usually to shut down the connection.
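Both weaknesses above leave a signature a defender can look for at the network edge: NTP replies (UDP source port 123) arriving at a host that never sent a request to those servers, from many servers at once, in volumes far beyond what a clock sync produces. The following is an added example, not code from the original article or from any NTP project, that applies that check to constructed flow records; the record layout and the thresholds are assumptions for illustration.

```python
from collections import defaultdict

NTP_PORT = 123

# Constructed flow records (assumed NetFlow-style summaries seen at the edge):
# (src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    # Legitimate sync: a client sends a 48-byte request and gets a 48-byte reply.
    ("10.0.0.5", 50000, "192.0.2.10", NTP_PORT, 48),
    ("192.0.2.10", NTP_PORT, "10.0.0.5", 50000, 48),
    # Replies from several NTP servers converge on one host that never asked:
    # the requests carried a spoofed source, and each reply dwarfs a request.
    ("198.51.100.1", NTP_PORT, "203.0.113.7", 40000, 44000),
    ("198.51.100.2", NTP_PORT, "203.0.113.7", 40000, 43500),
    ("198.51.100.3", NTP_PORT, "203.0.113.7", 40000, 45200),
    ("198.51.100.4", NTP_PORT, "203.0.113.7", 40000, 44100),
]


def unsolicited_ntp_replies(flows):
    """Per destination, total bytes and distinct servers of NTP replies with no matching request.

    A reply (source port 123) counts as solicited only if the destination was seen
    sending a request to that same server. Spoofed-source amplification shows up
    as replies that no request from the victim explains.
    """
    requested = {(src, dst) for src, _, dst, dport, _ in flows if dport == NTP_PORT}
    totals = defaultdict(lambda: {"bytes": 0, "servers": set()})
    for src, sport, dst, _, nbytes in flows:
        if sport == NTP_PORT and (dst, src) not in requested:
            totals[dst]["bytes"] += nbytes
            totals[dst]["servers"].add(src)
    return totals


def flag_amplification_victims(flows, min_bytes=100_000, min_servers=3):
    """Destinations receiving heavy unsolicited NTP reply volume from many servers.

    Both thresholds must trip: a few stray replies from many servers is noise,
    and one large reply stream alone may be a single misconfigured peer.
    """
    return sorted(
        dst for dst, t in unsolicited_ntp_replies(flows).items()
        if t["bytes"] >= min_bytes and len(t["servers"]) >= min_servers
    )


if __name__ == "__main__":
    for victim in flag_amplification_victims(SAMPLE_FLOWS):
        info = unsolicited_ntp_replies(SAMPLE_FLOWS)[victim]
        print(f"{victim}: {info['bytes']} unsolicited NTP reply bytes "
              f"from {len(info['servers'])} servers")
```

On real exports the thresholds would be tuned to the site's baseline; the solicited-request check is what separates a spoofed-source flood from a busy but legitimate time server.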
Many important older protocols were designed at a time when malicious activity was not yet commonplace and was not a major concern, at least not in the same way that it is today. These protocols remain essential but are not particularly secure, because they did not need to be when they were designed and originally implemented. Upgrading publicly accessible NTP servers to the latest version of the software will prevent an attack of this type, because the underlying feature that the attack exploits is disabled by default in the latest version. In cases where it is not possible to upgrade from an earlier version, it is possible to disable the vulnerable feature.
Although this attack targeted NTP servers, the reality is that cyber threats are a sign of the times and it is impossible to prevent them from happening. An important question is: what can we learn from this? Do we need to rethink how we implement network security? With threats becoming more frequent, ranging in scope from nuisance to highly sophisticated, do you implement 'best practices' to secure your organization's network? How effective do you think current practices are, and what do you think can be done to mitigate the damage after an attack occurs?