67.06% of Reported NTP Servers Patched After Waves of DRDoS Attacks
Earlier this month I wrote about how I took offensive security measures in order to shut down the emerging NTP reflection / DRDoS threat. Today I am happy to announce that of the 2,917 reported NTP servers which were observed as being used in NTP reflection attacks, 1,956 (67.06%) of them have been either shut down or patched to disallow monlist.
According to CloudFlare, an NTP reflection attack using 400 NTP servers could create a 500Gbps attack. After doing the math, CloudFlare basically deduced that each NTP server could amplify up to 160Mbps. Going on that logic, the 2,917 NTP servers that were reported could in theory have created an attack of up to 455.7Gbps. This means that the measures taken have shut down about 305.6Gbps of attack power.
The remaining servers which were reported as still being open & vulnerable have been passed off to the Open NTP Project, which also aims at patching vulnerable NTP servers.
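For readers running their own ntpd, the fix that "patched to disallow monlist" refers to is a configuration change rather than new code. The fragment below is an added example, not something from the original post or from the Open NTP Project; it contrasts a permissive ntp.conf that answers mode 7 queries (monlist) from any source with a hardened one. The `disable monitor` directive turns off the monitoring facility that monlist reads from, and `noquery` in the default `restrict` line refuses ntpq/ntpdc queries from everyone while still serving time; the loopback lines keep local administration working. The upstream server name is a placeholder.

```conf
# --- Weak (constructed example): no restrict lines at all ---
# With no "restrict" directives, ntpd answers monlist from any source address,
# so a spoofed 234-byte request can be turned into kilobytes of reply aimed
# at the victim. This is the state the reported servers were in.
server ntp.example.org          # placeholder upstream, not a real pool entry

# --- Hardened: serve time, refuse control/monitoring queries ---
server ntp.example.org

# Disable the monitor facility entirely so "monlist" has nothing to return.
disable monitor

# Default policy for all remote IPv4 and IPv6 peers:
#   kod      - send Kiss-o'-Death packets to abusive clients
#   nomodify - refuse runtime configuration changes
#   notrap   - refuse control-message trap service
#   nopeer   - refuse unauthenticated peer associations
#   noquery  - refuse ntpq/ntpdc queries (this is what blocks monlist)
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Allow full access from the local host for administration.
restrict 127.0.0.1
restrict -6 ::1
```

After restarting ntpd, a query such as `ntpdc -n -c monlist <server>` from an outside host should time out or be refused, while ordinary clients still receive time. Operators on ntpd 4.2.7p26 or later already have monlist disabled by default, but the `noquery` line is still worth keeping so that other mode 6/7 queries cannot be reflected either.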
I am currently re-scanning the list of NTP servers which were reported to see if there have been any significant changes, and I will update if there are.
On the chart to the right I have broken offending servers down by country, and this shows the countries which have had the most significant decrease in vulnerable NTP servers since reporting. The United States had the most vulnerable NTP servers in the first place, and also had the most significant decrease in vulnerable NTP servers. Honestly, America nearly broke my chart! The full raw data for the chart is on my pastebin here.
UPDATE: As of 2014/02/22, 19:51:20 UTC-6, 87.08% of the NTP servers reported have been patched or shut down. Only 377 left to go!