As we have reported two weeks ago that the attackers are abusing the Network Time Protocol (NTP) servers to perform an amplified version of DDoS Attack on various targets across the world.
Earlier this week a number of popular Gaming services, including League of Legends, EA.com and Battle.net from Blizzard were taken down by similar DDoS attack.
'Network Time Protocol (NTP)' is a distributed network clock time synchronization protocol that is used to synchronize computer clock times in a network of computers and runs over port 123 UDP.
"The attacker sends a small spoofed 8-byte UDP packets are sent to the vulnerable NTP Server that requests a large amount of data (megabytes worth of traffic) be sent to the DDoS's target IP Address. "Security Researcher, Wang Wai detailed in a previous article on 'The Hacker News'.
"The attacker sends a small spoofed 8-byte UDP packets are sent to the vulnerable NTP Server that requests a large amount of data (megabytes worth of traffic) be sent to the DDoS's target IP Address. "Security Researcher, Wang Wai detailed in a previous article on 'The Hacker News'.
There are hundreds of open NTP servers available on the Internet that could be abused by an attacker to redirect 100 times bigger responses (packets) to the victims' server than the spoofed request.
As estimated, this technique floods the gaming servers with more than 100Gbps DDoS attack and the average size of these attacks was 7.3 gigabits per second, almost three times the average DDoS attack observed in December.
"If you manage a public NTP server, can fix the issue by updating it to NTP 4.2.7, for which the support of 'monlist' query has been removed in favor of new safe 'mrunlist' function which uses a nonce value ensuring that received IP address match the actual requester." Wang Wai recommended.
"If you manage a public NTP server, can fix the issue by updating it to NTP 4.2.7, for which the support of 'monlist' query has been removed in favor of new safe 'mrunlist' function which uses a nonce value ensuring that received IP address match the actual requester." Wang Wai recommended.
