NTP amplification DDoS attacks on the up

Andrew McCarron March 13, 2014 Latest News, North America, Technology Comments Off on NTP amplification DDoS attacks on the up

Prolexic Technologies, an expert in Distributed Denial of Service (DDoS) protection services, has issued a high alert threat advisory on NTP amplification DDoS attacks. This attack method has surged in popularity this year, fuelled by the availability of new DDoS toolkits that make it simple to generate high-bandwidth, high-volume DDoS attacks against online targets. A Network Time Protocol (NTP) Amplification attack is an emerging form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible NTP servers to overwhelm a victim system with traffic.

“During the month of February, we saw the use of NTP amplification attacks surge 371 percent against our client base,” said Stuart Scholly, SVP/GM Security, Akamai Technologies, Prolexic’s parent company. “In fact, the largest attacks we’ve seen on our network this year have all been NTP amplification attacks.”

While NTP amplification attacks have been a threat for many years, a number of new DDoS attack toolkits have made it easier for malicious actors to launch attacks with just a handful of servers. With the current batch of NTP amplification attack toolkits, malicious actors could launch 100 Gbps attacks – or larger – by leveraging just a few vulnerable NTP servers.

Between January and February this year:

●The number of NTP amplification attacks increased 371.43 percent

●Average peak DDoS attack bandwidth increased 217.97 percent

●The average peak DDoS attack volume increased 807.48 percent

Unlike the largest attacks of the past two years, the NTP amplification attacks were not focused on any particular sector. Industries targeted by NTP amplification attacks in February included finance, gaming, e-Commerce, internet and telecom, media, education, software-as-a-service (SaaS) providers and security.

In the Prolexic Security Engineering & Response Team (PLXsert) lab environment, simulated NTP amplification attacks produced amplified responses of 300x or more for attack bandwidth and 50x for attack volume, making this an extremely dangerous attack method.

A complimentary copy of the threat advisory is available at www.prolexic.com/ntp-amplification.

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
_csrf	session	This cookie is essential for the security of the website and visitor. It ensures visitor browsing security by preventing cross-site request forgery.
ARRAffinity	session	ARRAffinity cookie is set by Azure app service, and allows the service to choose the right instance established by a user to deliver subsequent requests made by that user.
ARRAffinitySameSite	session	This cookie is set by Windows Azure cloud, and is used for load balancing to make sure the visitor page requests are routed to the same server in any browsing session.
AWSALBCORS	7 days	This cookie is managed by Amazon Web Services and is used for load balancing.
AWSELB	session	Associated with Amazon Web Services and created by Elastic Load Balancing, AWSELB cookie is used to manage sticky sessions across production servers.
cf_ob_info	past	The cf_ob_info cookie is set by Cloudflare to provide information on HTTP Status Code returned by the origin web server, the Ray ID of the original failed request and the data center serving the traffic.
cf_use_ob	past	Cloudflare sets this cookie to improve page load times and to disallow any security restrictions based on the visitor's IP address.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
csrftoken	1 year	This cookie is associated with Django web development platform for python. Used to help protect the website against Cross-Site Request Forgery attacks
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
TS018bddb2	session	Wix sets this cookie for security and anti-fraud purposes.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
bwid	1 year	This cookie is set by the provider The Guardian. This cookie is used for embedding The Guardian video player.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
mgref	1 year	This cookie is set by Eventbrite to deliver content tailored to the end user's interests and improve content creation. It is also used for event-booking purposes.
mgrefby	1 year	This cookie is set by Eventbrite to deliver content tailored to the end user's interests and improve content creation. It is also used for event-booking purposes.
PBSECURESUSID	session	This cookie is set by the provider Podbean. This is a session cookie used to verify that the users are on secure sessions. It helps iin implementing audio files on the website.
S	1 hour	Used by Yahoo to provide ads, content or analytics.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
vsid	30 minutes	This cookie supports the website's live support provider.

Cookie	Duration	Description
_gat	1 minute	This cookie is installed by Google Universal Analytics to restrain request rate and thus limit the collection of data on high traffic sites.
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
AWSELBCORS	5 minutes	This cookie is used by Elastic Load Balancing from Amazon Web Services to effectively balance load on the servers.
G	1 year	Cookie used to facilitate the translation into the preferred language of the visitor.
SERVERID	session	This cookie is set by Slideshare's HAProxy load balancer to assign the visitor to a specific server.

Cookie	Duration	Description
__gads	1 year 24 days	The __gads cookie, set by Google, is stored under DoubleClick domain and tracks the number of times users see an advert, measures the success of the campaign and calculates its revenue. This cookie can only be read from the domain they are set on and will not track any data while browsing through other sites.
_cb	never	This cookie stores a visitor's unique identifier for Chartbeat tracking on the site.
_cb_svref	never	Chartbeat sets this cookie to store the original referrer for the site visitor. This cookie expires after 30 minutes but the timer is reset if the visitor visits a new page on the site before the cookie expires.
_chartbeat2	never	Chartbeat sets this cookie to store information about when a visitor has visited the site before. This helps to distinguish between new, returning, and loyal visitors.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-15039508-8	past	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjid	past	This is a Hotjar cookie that is set when the customer first lands on a page using the Hotjar script.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjIncludedInSessionSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.
_s	1 year	This cookie is associated with Shopify's analytics suite.
ajs_anonymous_id	never	This cookie is set by Segment to count the number of people who visit a certain site by tracking if they have visited before.
ajs_group_id	never	This cookie is set by Segment to track visitor usage and events within the website.
ajs_user_id	never	This cookie is set by Segment to help track visitor usage, events, target marketing, and also measure application performance and stability.
at-rand	never	AddThis sets this cookie to track page visits, sources of traffic and share counts.
BBC-UID	1 year	This cookie is used to store a unique identifier to determine the number of unique users for various parts of bbc.co.uk.
BrowserId	1 year	This cookie is used for registering a unique ID that identifies the type of browser. It helps in identifying the visitor device on their revisit.
UID	2 years	Scorecard Research sets this cookie for browser behaviour research.
undefined	never	Wistia sets this cookie to collect data on visitor interaction with the website's video-content, to make the website's video-content more relevant for the visitor.
uvc	1 year 1 month	Set by addthis.com to determine the usage of addthis.com service.

Cookie	Duration	Description
__Host-GAPS	2 years	This cookie allows the website to identify a user and provide enhanced functionality and personalisation.
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
_kuid_	5 months 27 days	The cookie, set by Krux Digital, registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
loc	1 year 1 month	AddThis sets this geolocation cookie to help understand the location of users who share the information.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.

SBC News Voice of the Sports Betting Industry

NTP amplification DDoS attacks on the up

Related Articles

Check Also

Live streaming of online games: How security concerns impact business decisions

BetVictor: Innovating and staying ahead in player protection

BetVictor ups player security installing two-factor authentication

Cookie	Duration	Description
__Secure-ENID	1 year 1 month	No description
_hjSession_1089452	30 minutes	No description
_hjSessionUser_1089452	1 year	No description
_pinterest_ct_ua	1 year	No description available.
_v__chartbeat3	never	No description available.
AN	1 month	No description available.
AnalyticsSyncHistory	1 month	No description
AS	session	No description available.
AWSALBTG	7 days	No description available.
AWSALBTGCORS	7 days	No description available.
b	10 years	No description
blaize_session	4 months 18 days	No description available.
blaize_tracking_id	999 years 4 months	No description available.
BNI_cookie	session	No description
botd-request-id	session	No description
BrowserId_sec	1 year	No description available.
bsid	never	No description available.
bwid_withoutSameSiteForIncompatibleClients	1 year	No description
COMPASS	1 hour	No description
CookieConsentPolicy	1 year	No description
count	10 years	No description available.
d-l	past	No description
debug	never	No description available.
ebEventToTrack	1 month	No description available.
eblang	1 year	No description available.
et_current_iid	10 years	No description
et_user_id	10 years	No description
f77	1 month	No description
free-day-pass-enabled	session	No description
geoip_country	session	No description available.
GoogleAdServingTest	session	No description
incap_ses_455_2124377	session	No description
incap_ses_456_2124377	session	No description
isChecked	4 hours	No description
li_gc	2 years	No description
li_sugr	3 months	No description available.
loglevel	never	No description available.
LSKey-c$CookieConsentPolicy	1 year	No description
modern-context-data	1 month	No description
NSC_hfofsbmIptut-8001	2 minutes	No description available.