[c-nsp] NTP DDoS

Dobbins, Roland rdobbins at arbor.net
Wed Feb 12 11:19:25 EST 2014


On Feb 12, 2014, at 11:07 PM, Richard Clayton <sledge121 at gmail.com> wrote:

> What is this type of DDoS called?

An ntp reflection/amplification DDoS attack.

> Is the customer being individually targeted or just the exploitable NTP server?

It sounds as if these are ntpds which are misconfigured and allow level-6/-7 commands such as monlist to be issued, which produces a significant amplification.  The attackers are spoofing the source IPs of their targets, and the ntpds 'reply' with unsolicited large, fragmented UDP ntp 'responses'.

Check Jared's compendium for abusable ntpds on your netblocks and those of your customers:

<http://www.openntpproject.org/>

> Are these caused by bots or manually by individuals?

Bots being driven by individuals (when we get to the point where the bots make their own targeting decisions for DDoS attacks, things will be interesting, indeed, heh).

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
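
An added example, not part of the original post: a detection sketch for the operator of an ntpd, showing how the monlist traffic described in the reply above can be recognised in captured UDP/123 payloads and how the per-target amplification is measured. The addresses, packet sizes and sample traffic are constructed; the request codes 20 and 42 are the monlist codes from ntpd's ntp_request.h.

```python
from collections import defaultdict

MODE_PRIVATE = 7             # ntpdc-style "private" mode that carries monlist
MONLIST_CODES = {20, 42}     # REQ_MON_GETLIST, REQ_MON_GETLIST_1

def classify(payload: bytes):
    """Return 'monlist-request', 'monlist-response' or None for a UDP/123 payload."""
    if len(payload) < 4:
        return None
    mode = payload[0] & 0x07                 # low three bits of byte 0
    if mode != MODE_PRIVATE or payload[3] not in MONLIST_CODES:
        return None
    # Top bit of byte 0 is the response flag in mode 7 packets.
    return "monlist-response" if payload[0] & 0x80 else "monlist-request"

def summarize(packets):
    """Aggregate monlist bytes per (ntp_server, remote) pair.

    packets: iterable of (src_ip, src_port, dst_ip, dst_port, payload).
    'remote' is the claimed source of the request, i.e. the likely target.
    """
    stats = defaultdict(lambda: {"req_bytes": 0, "resp_bytes": 0})
    for src, sport, dst, dport, payload in packets:
        kind = classify(payload)
        if kind == "monlist-request" and dport == 123:
            stats[(dst, src)]["req_bytes"] += len(payload)
        elif kind == "monlist-response" and sport == 123:
            stats[(src, dst)]["resp_bytes"] += len(payload)
    for s in stats.values():
        s["factor"] = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else None
    return dict(stats)

# Constructed sample traffic using documentation address ranges.
REQ = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)            # 8-byte monlist request
RESP = bytes([0xD7, 0x00, 0x03, 0x2A]) + bytes(4 + 6 * 72)  # constructed 440-byte response
CLIENT = bytes([0x23]) + bytes(47)                          # ordinary mode-3 time query
SAMPLE = (
    [("203.0.113.9", 40000, "192.0.2.10", 123, REQ)]
    + [("192.0.2.10", 123, "203.0.113.9", 40000, RESP)] * 100
    + [("198.51.100.7", 51000, "192.0.2.10", 123, CLIENT)]
)

if __name__ == "__main__":
    for (server, remote), s in summarize(SAMPLE).items():
        print(f"{server} -> {remote}: {s['resp_bytes']} B out for "
              f"{s['req_bytes']} B in (x{s['factor']})")
```

Any pair with a nonzero response count on a server that is not meant to answer ntpdc queries points at an ntpd that needs its query restrictions tightened.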



