Will NTP Amplification Become More Popular than DNS Amplification?
In this first month of 2014 there has been a new threat in the world of DrDoS.
Reflected NTP attacks appear to be increasing in popularity over DNS reflection (2013’s favorite reflected attack method), but will NTP amplification rise above DNS amplification in popularity?
Earlier this month we saw attacks launched against the websites of EA Games, League of Legends, the PS Network, and other online game services. These attacks were later determined to be caused by abuse of the Network Time Protocol daemon. @DerpTrolling took credit for the attacks via Twitter, and it appears to be the first time the IT world has actually witnessed an NTP amplified attack.
NTP amplification attacks are typically 58x more potent than DNS amplification attacks, and consume much less outgoing bandwidth on the originating machine.
With this kind of potency we will surely see a rise in this method in the upcoming year.
While studying these NTP amplification attacks, there has been one thing I have noticed. Various IRC networks which have been targeted with NTP amplification attacks are showing the same NTP servers in PCAP log files, as well as attacks which I have studied against DNSbl servers & Tor exit nodes.
This can only mean one of three things (ordered from most to least likely):
- The attacks are originating from the same person or group of people.
- The list of vulnerable NTP servers has been shared around between attackers.
- Attackers just happened to scan the same list of vulnerable NTP servers to amplify with.
I only accept the 3rd as an option because of the bulk of NTP server lists available on the internet.
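The server overlap noted above can be measured from victim-side captures. The following is an added example, not code from the original post: it extracts the IPv4 sources of UDP port 123 traffic from classic pcap files and scores the overlap between incidents. The function names, incident labels and sample packets are constructed for illustration.

```python
import socket, struct
from itertools import combinations

def ntp_reflectors(pcap):
    """IPv4 sources of UDP packets sent from port 123 in a classic Ethernet pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    sources, off = set(), 24                      # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                              # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 17 or len(frame) < 14 + ihl + 8:
            continue                              # not UDP, or truncated
        if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
            continue                              # later fragment: no UDP header
        if struct.unpack("!H", frame[14 + ihl:16 + ihl])[0] == 123:
            sources.add(socket.inet_ntoa(frame[26:30]))
    return sources

def shared_reflectors(captures):
    """Map each pair of incidents to (shared reflector set, Jaccard similarity)."""
    seen = {name: ntp_reflectors(data) for name, data in captures.items()}
    result = {}
    for a, b in combinations(sorted(seen), 2):
        inter, union = seen[a] & seen[b], seen[a] | seen[b]
        result[(a, b)] = (inter, len(inter) / len(union) if union else 0.0)
    return result

def _sample_pcap(packets):
    """Constructed test capture from (src_ip, src_port) pairs; not real traffic."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, sport in packets:
        udp = struct.pack("!HHHH", sport, 40000, 12, 0) + b"\x00" * 4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton("198.51.100.10"))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + udp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed samples using documentation address ranges (RFC 5737).
SAMPLES = {"irc": _sample_pcap([("192.0.2.1", 123), ("192.0.2.2", 123), ("203.0.113.5", 53)]),
           "dnsbl": _sample_pcap([("192.0.2.2", 123), ("192.0.2.3", 123)])}
if __name__ == "__main__":
    for pair, (shared, score) in shared_reflectors(SAMPLES).items():
        print(pair, sorted(shared), round(score, 2))
```

A high similarity score between unrelated victims is consistent with either of the first two explanations; it does not distinguish between them on its own.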