Gartner Blog Network

On NTP Reflection DDoS: 1990s Strike Back?

by Anton Chuvakin  |  February 14, 2014  |  2 Comments

Is punch card theft from the mail the only security problem we have solved over the last 50 years? I was really hoping IP spoofing had joined the incredibly short list of security problems we have solved for good. After all, this issue goes back to the good old times of Steve Bellovin and his “Security Problems in the TCP/IP Protocol Suite”, the day and age when some of today’s industry experts were in kindergarten…

Boy, was I sorely mistaken. Sure, I admire the ability of attackers to find all the opportunities for amplification DDoS. DNS – check, NTP – check, SNMP – pending… However, I definitely cannot hold the same admiration for the “defenders” (if they can be called that) who still allow spoofed packets to leave their networks.

This anti-DDoS vendor explains it best: “the simple UDP-based NTP protocol is prone to amplification attacks because it will reply to a packet with a spoofed source IP address and because at least one of its built in commands will send a long reply to a short request.”

See what I mean? No spoofing – no reflection DDoS! Easy, huh?

People, this is not APT-fighting and … ahem … cyberwar. This is router configuration 101 circa 1999. So, check those routers already (and check your NTP servers while you are at it). Make sure that the anti-spoofing rules are in place and that they have not been removed, disabled, or otherwise gone missing.
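The two checks the paragraph asks for, written out as an added example (this code is not from the post, Gartner, or any vendor it quotes): a BCP 38-style egress filter that drops outbound packets whose source address is not one of the organization's own prefixes, and a flow-record check that flags an NTP server whose UDP/123 reply volume to a peer dwarfs what that peer sent it, which is what a reflector looks like from the inside. The `Flow` record, the `ORG_PREFIXES` list and the sample flows are all constructed for the example; the addresses come from documentation and benchmark ranges.

```python
"""Border checks over flow records: anti-spoofing egress filter and NTP reflector detection.
Constructed example; Flow, ORG_PREFIXES and SAMPLE_FLOWS are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the address space this organization may legitimately originate traffic from.
ORG_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]


@dataclass(frozen=True)
class Flow:
    direction: str  # "out" = leaving the border router, "in" = arriving at it
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    octets: int


def is_own_address(addr: str, prefixes=ORG_PREFIXES) -> bool:
    """True if addr falls inside one of the organization's prefixes."""
    ip = ip_address(addr)
    return any(ip in p for p in prefixes)


def egress_filter(flows, prefixes=ORG_PREFIXES):
    """Split outbound flows into (permitted, spoofed), deciding exactly as a
    'permit ip <own prefixes> any / deny ip any any' egress ACL would."""
    permitted, spoofed = [], []
    for f in flows:
        if f.direction != "out":
            continue
        (permitted if is_own_address(f.src, prefixes) else spoofed).append(f)
    return permitted, spoofed


def ntp_byte_ratios(flows, prefixes=ORG_PREFIXES, port=123):
    """For each (own NTP server, external peer) pair: bytes the server sent from
    UDP/<port> divided by bytes it received on UDP/<port> from that peer."""
    sent = defaultdict(int)
    received = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.direction == "in" and f.dport == port and is_own_address(f.dst, prefixes):
            received[(f.dst, f.src)] += f.octets
        elif f.direction == "out" and f.sport == port and is_own_address(f.src, prefixes):
            sent[(f.src, f.dst)] += f.octets
    ratios = {}
    for key, out_bytes in sent.items():
        in_bytes = received.get(key, 0)
        # Replies with no matching request at all are the worst case: infinite ratio.
        ratios[key] = out_bytes / in_bytes if in_bytes else float("inf")
    return ratios


def suspected_reflectors(flows, prefixes=ORG_PREFIXES, threshold=10.0):
    """Own NTP servers whose reply volume to some peer is >= threshold x the request volume."""
    return {server for (server, _peer), r in ntp_byte_ratios(flows, prefixes).items()
            if r >= threshold}


# Constructed flow records (documentation/benchmark address ranges only).
SAMPLE_FLOWS = [
    Flow("out", "203.0.113.10", "192.0.2.1", "udp", 51234, 53, 80),     # ordinary DNS query
    Flow("out", "192.0.2.55", "198.18.0.1", "udp", 123, 123, 60),       # spoofed: foreign source leaving our border
    Flow("in", "192.0.2.77", "203.0.113.123", "udp", 123, 123, 76),     # normal NTP request...
    Flow("out", "203.0.113.123", "192.0.2.77", "udp", 123, 123, 76),    # ...and its same-sized reply
    Flow("in", "192.0.2.55", "203.0.113.123", "udp", 123, 123, 60),     # tiny request carrying a third party's address
    Flow("out", "203.0.113.123", "192.0.2.55", "udp", 123, 123, 2800),  # huge reply aimed at that third party
]

if __name__ == "__main__":
    permitted, spoofed = egress_filter(SAMPLE_FLOWS)
    print(f"permitted {len(permitted)} outbound flows, dropped {len(spoofed)} spoofed")
    for f in spoofed:
        print("  drop", f.src, "->", f.dst)
    for server in sorted(suspected_reflectors(SAMPLE_FLOWS)):
        print("NTP server answering as an amplifier:", server)
```

Note that the spoofed flow in the sample would never have reached the NTP server in the first place if the network it came from had run the same egress rule, which is the whole point: the filter protects everyone else, while the ratio check tells you whether your own servers are already being abused.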

Now, in the past some of the many, many, many pitches to get organizations to implement anti-spoofing and egress filtering were powered by the plea to “protect the community.” Frankly, many organizations don’t give a rat’s ass about the community. So OK. Forget the community for a moment. Think of it this way: if you don’t implement anti-spoofing, you will end up on SO MANY blacklists and threat intelligence feeds that your organization’s Internet access will be next to useless, since browsers, email servers, web sites, etc. will BAN YOU!

So do it to protect YOUR OWN CONNECTIVITY!

There you have it! Thanks to my colleague Craig Lawson for motivating me to write this. Craig, get your own blog already :-)

Category: collective, denial-of-service, philosophy, security

Anton Chuvakin
Research VP
2+ years with Gartner
14 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…

Thoughts on On NTP Reflection DDoS: 1990s Strike Back?

  1. […] This was cross-posted from the Gartner blog.  […]
