Sunday, February 16, 2014

NTP and DDoS Attacks



A new method of mounting a DDoS attack has been found: NTP. I've read a number of good technical explanations of how the attack was carried out and of the enormous volume of data it sent (some 400 GB), so I'd like to take a step back and talk about DDoS attacks in general.

What is a DDoS attack and how does it work?

DDoS stands for distributed denial of service. It's a fancy way of saying an attacker uses many computers to keep legitimate users from doing what they want to do on the internet. Here's another way to explain it:

Let's say you hate your local department store and you want to keep it from helping its customers. With this nefarious intention you go to the store, stand at a register, and refuse to move.

You're not going to be very effective, are you? But what if you sent everyone in town a message saying that if they go to the store and ask for a free coat at 4 in the afternoon this Friday, the store will give them one? You can picture what will happen: the store will be filled with people wanting free coats. Customers buying real merchandise will have trouble getting to the checkouts, and the store won't be able to sell anything.

(On a side note, if it helps, the civil rights sit-ins were essentially a DDoS attack.)

That's all there is to it. You send so much traffic to a website or a service that it can't respond to legitimate traffic. Where it gets interesting is how you send that traffic. Just as there's no point in standing at a register by yourself, you would never be able to generate enough traffic by yourself to shut down a website. To perform a DDoS attack you need to get other people to join in.

NTP DDoS Attack

NTP is a protocol for making sure that different computers keep the same internal time. NTP servers are fairly common on medium and larger networks (universities, businesses, etc.). They can operate for years without anyone thinking about them. Except for, apparently, some individuals looking for a way to create a DDoS attack. I'll leave out the gory details, but attackers found a way to use these NTP servers to generate a previously unheard-of amount of traffic aimed at a target.

How scary is it?

What's interesting about this attack is that (as so often happens) it isn't difficult to prevent. It doesn't take any great, brilliant minds to figure out how to keep this kind of thing from happening in the future. Attackers just found something most people don't consider threatening enough to secure and took advantage of it. How many other "set it and forget it" technologies do we have on the internet that could be used in some clever, malicious way?

On a more positive note, in some ways this may be a good sign. For quite some time now DNS has been the standard DDoS weapon, and because of this the internet community has been encouraging companies to take steps to prevent their DNS servers from being used in these attacks. If attackers looking to wield a DDoS attack are moving on to other means, DNS may be slowly becoming less appealing. Our defense methods are working; they just take time.