What is it?
Network Time Protocol (NTP) is used to synchronize your computer clock with other computers on the Internet. By far the most common use of NTP is for one computer to ask “what time is it?” of another computer. But NTP has many other, less used, capabilities. “Mode 6” commands allow NTP to be reconfigured while it is running.
NTP requests can be used to mount a Denial of Service (DoS) attack, in which an attacker tries to overwhelm a victim’s server by flooding it with requests. In a Distributed Denial of Service (DDoS) attack, the attacker uses an army of unwitting third-party servers to attack the victim at the same time.
Why is it a risk?
Because NTP is used so frequently, it uses the very efficient User Datagram Protocol (UDP) for communications. Part of what makes UDP so efficient is that it does not perform any sort of “hand-shake” when it receives a request: the server simply replies to whatever source address the request packet carries, without checking that this address really sent it.
Certain “Mode 6” commands are of the form “Generate a report and send it to xxxxx.” A DDoS attack can be mounted against a victim by sending such requests to MANY NTP servers (which together form a “bot-net”), with xxxxx replaced by the victim’s network address. The resulting flood of reports can overload the victim’s computer. A DDoS is especially effective if the report generated is bigger than the command that produces it, because each server then amplifies the attacker’s traffic.
How can you mitigate the risk?
Mitigating this risk is difficult because the victim is not really part of the problem; the flood comes from the misused third-party servers.
The best mitigation (and this applies to all DDoS attack risks) is to make sure that your own computers cannot be tricked into becoming part of a “bot-net.”
You can:
- Stop providing NTP services to the Internet by blocking NTP traffic with your firewall. Use a public Time Server instead.
- Upgrade to the latest NTP server version and secure it; ntp.org has resources to help you.
- Use a VPN to control the users and computers that can access your server.
- Use an Internal NTP Server – this can be costly.
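As an added example (not from the original page and not ntp.org’s own documentation), here is what “secure it” looks like for the ntp.org ntpd: the weak restrict line beside a hardened one that refuses Mode 6 control queries from arbitrary hosts. It assumes ntpd 4.2.8 reading /etc/ntp.conf; the pool hostnames are placeholders for your own upstream servers.

```conf
# Example ntp.conf hardening (added illustration, not from the original page).
# Assumes ntpd 4.2.8; replace the pool hostnames with your own upstream servers.

# --- Weak: answers Mode 6 control queries from anyone ---
# "noquery" is missing, so any Internet host can request reports from this server.
# restrict default nomodify notrap

# --- Hardened: serve time only, refuse control queries from arbitrary hosts ---
# kod      send a Kiss-o'-Death packet instead of silently dropping rate-limited clients
# limited  enforce rate limiting on the responses that are still sent
# nomodify refuse runtime reconfiguration
# notrap   refuse trap (event reporting) requests
# nopeer   refuse unsolicited peering
# noquery  refuse Mode 6 control queries (ntpq) and Mode 7 queries (ntpdc)
restrict default kod nomodify notrap nopeer noquery limited

# Full access only from the local host, for local ntpq diagnostics.
restrict 127.0.0.1
restrict ::1

# Upstream servers: accept time from them, nothing else.
# "restrict source" applies to every address resolved from server/pool lines.
pool 0.pool.ntp.org iburst
pool 1.pool.ntp.org iburst
restrict source nomodify notrap nopeer noquery

# Turn off the monitor list, which amplification queries abused on older builds.
disable monitor
```

After reloading ntpd, `ntpq -c rv <your server>` from a host outside the allowed ranges should time out rather than return a variable listing, while `ntpq -c rv` on the server itself still works.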
Resources:
NTP DDoS Attacks
https://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks/
Official NTP maintainers
http://www.ntp.org/