The NTP Amplification tool (NTP-AMP) exploits the Network Time Protocol (NTP) to launch massive attacks using a small number of compromised servers. This threat advisory about NTP amplification distributed denial of service (DDoS) attacks includes an analysis of how the tool generates a monlist payload, along with DDoS protection and mitigation techniques and a review of two DDoS attack campaigns using the NTP amplification tool.
The NTP Amplification threat advisory includes details and mitigation for enterprises, such as:
Amplification is not a new DDoS attack method, nor is the misuse of the Network Time Protocol a new means of launching an amplification attack. Recently, however, NTP amplification attacks have become one of the most popular DDoS attack types for malicious actors as they seek to overwhelm the network resources of their targets.
Comparing DDoS attacks in February 2014 with those in January 2014, DDoS mitigation experts observed the following:
This DDoS Threat Advisory presents a PLXsert analysis of a recently leaked NTP reflection tool written in the Perl scripting language and referred to as NTP-AMP.
In addition to the information provided here, in 2013 PLXsert released a series of distributed reflection and amplification (DrDoS) attack white papers outlining reflection/amplification attack types, including NTP attacks.