An NTP reflection-amplification attack is a
Note: To read more about DDoS attacks, click here.
NTP (Network Time Protocol) is one of the oldest network protocols still in use. It synchronizes the clocks of devices connected to the Internet, runs over UDP port 123, and is an essential part of the Internet's infrastructure.
Older versions of the NTP server (ntpd) let an administrator query the server for traffic statistics. The monlist command serves this purpose: it returns a list of up to 600 of the most recent hosts that have communicated with the NTP server.
Here is how the NTP reflection-amplification attack works:
1. The attacker sends small monlist requests to one or more publicly reachable NTP servers, spoofing the source IP address so that every request appears to come from the victim.
2. Each server answers the monlist command with its list of up to 600 recently seen hosts, a response many times larger than the request, and sends that response to the spoofed address, i.e. to the victim.
3. The victim's link is flooded with these unsolicited responses, while the NTP servers only ever see what look like ordinary queries.

Spoofing the victim's IP address is the reflection part of the attack; generating a massive response from a small request is the amplification part.
Note: NTP attacks can have an amplification ratio (the ratio of response size to request size) between 20:1 and 200:1 or more, meaning that 1 Gbps of requests can generate 200 Gbps or more of traffic aimed at the victim.
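The exchange described above, as an added example that is not part of the original page: it builds the 8-byte mode 7 monlist probe from the field layout in ntpd's ntp_request.h, parses the multi-packet reply a vulnerable server would send, and computes the amplification ratio. The reply packets and the client addresses inside them are constructed here (TEST-NET-1 addresses), not captured from a real server; the request shape and the 72-byte info_monitor_1 entry layout are taken from ntpd's headers. Nothing is sent on the network. For a server whose 600-entry table is full, the payload-only ratio computed by full_table_amplification lands far above the range quoted above, which is why the "or more" matters.

```python
import ipaddress
import struct

# Constants from ntpd's ntp_request.h (the mode 7 "private" protocol).
MODE_PRIVATE = 7
RESP_BIT, MORE_BIT = 0x80, 0x40   # top two bits of rm_vn_mode
IMPL_XNTPD = 3                    # implementation number ntpd answers to
REQ_MON_GETLIST_1 = 42            # request code for monlist
MONLIST_ITEM_SIZE = 72            # sizeof(struct info_monitor_1), IPv6-aware layout
ITEMS_PER_PACKET = 6              # 6 * 72 = 432 fits the 500-byte response data area
HDR = struct.Struct("!BBBBHH")    # rm_vn_mode, auth_seq, impl, request, err_nitems, mbz_itemsize
ITEM = struct.Struct("!IIIIIIIHBBII16s16s")  # info_monitor_1: avg_int .. daddr6, 72 bytes


def build_monlist_request(version=2):
    """The 8-byte monlist probe: 17 00 03 2a 00 00 00 00 for NTP version 2."""
    rm_vn_mode = (version << 3) | MODE_PRIVATE   # R=0 M=0 VN=version Mode=7
    return HDR.pack(rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_header(pkt):
    """Decode a mode 7 header into its bit fields."""
    if len(pkt) < HDR.size:
        raise ValueError("short mode 7 packet")
    b0, b1, impl, req, err_nitems, mbz_itemsize = HDR.unpack_from(pkt)
    return {
        "response": bool(b0 & RESP_BIT), "more": bool(b0 & MORE_BIT),
        "version": (b0 >> 3) & 7, "mode": b0 & 7,
        "seq": b1 & 0x7F, "implementation": impl, "request": req,
        "err": err_nitems >> 12, "nitems": err_nitems & 0xFFF,
        "itemsize": mbz_itemsize & 0xFFF,
    }


def parse_monlist_response(pkt):
    """Return (header, [(client_ip, packet_count, port), ...]) for one response packet."""
    hdr = parse_header(pkt)
    if not (hdr["response"] and hdr["mode"] == MODE_PRIVATE and hdr["request"] == REQ_MON_GETLIST_1):
        raise ValueError("not a monlist response")
    if hdr["err"]:
        return hdr, []                      # e.g. the server reports an empty monitor table
    if hdr["itemsize"] != MONLIST_ITEM_SIZE:
        raise ValueError("unexpected item size; only the 72-byte layout is handled here")
    entries, off = [], HDR.size
    for _ in range(hdr["nitems"]):
        f = ITEM.unpack_from(pkt[off:off + MONLIST_ITEM_SIZE])
        count, addr4, port, v6_flag, addr6 = f[3], f[4], f[7], f[10], f[12]
        ip = ipaddress.IPv6Address(addr6) if v6_flag else ipaddress.IPv4Address(addr4)
        entries.append((str(ip), count, port))
        off += MONLIST_ITEM_SIZE
    return hdr, entries


def build_sample_responses(client_ips, version=2):
    """CONSTRUCTED reply of a vulnerable ntpd: 6 entries per packet, MORE bit set on
    every packet except the last, sequence number counting up from 0."""
    chunks = [client_ips[i:i + ITEMS_PER_PACKET] for i in range(0, len(client_ips), ITEMS_PER_PACKET)]
    packets = []
    for seq, chunk in enumerate(chunks):
        b0 = RESP_BIT | (version << 3) | MODE_PRIVATE
        if seq < len(chunks) - 1:
            b0 |= MORE_BIT
        body = b"".join(
            ITEM.pack(60, 5, 0, 1000 + i, int(ipaddress.IPv4Address(ip)), 0, 0,
                      123, 3, 4, 0, 0, b"\0" * 16, b"\0" * 16)
            for i, ip in enumerate(chunk))
        packets.append(HDR.pack(b0, seq, IMPL_XNTPD, REQ_MON_GETLIST_1, len(chunk), MONLIST_ITEM_SIZE) + body)
    return packets


def amplification_factor(request, responses):
    """Response bytes per request byte, counting UDP payload only."""
    return round(sum(len(r) for r in responses) / len(request), 1)


def full_table_amplification(entries=600):
    """Payload ratio for a server whose monitor table holds the full 600 entries."""
    packets = -(-entries // ITEMS_PER_PACKET)          # ceiling division: 100 packets
    total = packets * HDR.size + entries * MONLIST_ITEM_SIZE
    return round(total / len(build_monlist_request()), 1)


def run_sample_exchange():
    """Constructed end-to-end exchange: one probe, the reflector's reply, the ratio."""
    request = build_monlist_request()
    clients = [f"192.0.2.{i}" for i in range(1, 15)]   # 14 constructed TEST-NET-1 addresses
    responses = build_sample_responses(clients)
    hosts, more_bits = [], []
    for pkt in responses:
        hdr, entries = parse_monlist_response(pkt)
        more_bits.append(hdr["more"])
        hosts.extend(ip for ip, _, _ in entries)
    return {
        "request_bytes": len(request),
        "response_packets": len(responses),
        "response_bytes": sum(len(p) for p in responses),
        "more_bits": more_bits,
        "hosts": hosts,
        "amplification": amplification_factor(request, responses),
    }


if __name__ == "__main__":
    print(run_sample_exchange())
    print("full-table ratio:", full_table_amplification())
```

The same probe is what ntpdc -n -c monlist <server> sends on your behalf, so running that against your own server is the practical check; the parser above is what you would point at a packet capture to see how many reflected bytes a single spoofed request produced.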
Mitigating reflection DDoS attacks is difficult because UDP is connectionless: there is no handshake through which the server could confirm that the source address on a request is genuine, so an NTP server answers every request it receives without verifying who actually sent it.
However, some of the following measures can be taken:
1. Disable the monlist command by updating your NTP server to version 4.2.7 or later (monlist was removed in 4.2.7p26). On an older version that cannot be upgraded yet, adding disable monitor to ntp.conf turns the command off, and restrict default noquery blocks mode 6 and mode 7 queries from unauthorised hosts altogether. Confirm the fix by running ntpdc -n -c monlist <server> against your own server: a patched server returns no host list.

Note: To read more about reflection and amplification attacks, click here.