The Akamai Blog

NTP Reflection Attacks

Yesterday we saw the news outlets light up with breathless reports of a massive distributed denial of service directed at the boutique company Cloudflare. There was much ado about the volume of the attack peaking at 400 Gbps, according to the numbers Cloudflare released. But was this little more than hyperbole? That would not be without precedent.

The type of denial of service attack in question is called an NTP reflection attack. NTP, the Network Time Protocol, is a service used to keep system clocks synchronized. The protocol is UDP based and listens on UDP port 123.

The issue arises when an attacker sends specially crafted queries that ultimately redirect a large volume of traffic. The queries are sent with a spoofed source address so that the NTP servers return their responses to that address, which is the intended target.

Seems simple enough. 

But, why bother? It seems rather curious that a CDN would bother to accept spurious UDP traffic. Why not drop it at the perimeter? Why process it at all? Seems rather pointless to waste time allowing this sort of attack to affect your infrastructure in the first place. Rather akin to playing the catcher position for the javelin team. 

Akamai helps its customers with a resilient, massively scalable infrastructure. The Kona Security solution is excellent for mitigating DDoS attacks against your assets while improving your conversion rates for customers. Our network drops at the edge any traffic destined for services other than HTTP (tcp/80), HTTPS (tcp/443) or DNS (tcp/udp 53). Take the common-sense approach and secure your business with Akamai.
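As an added illustration (not code from the original post or from Akamai), the following Python applies the edge allowlist described above to constructed packet records and flags hosts that receive unsolicited UDP/123 "replies" from many distinct servers, which is what the reflection described earlier looks like from the victim's side. The sample records, the IP addresses and the three-source threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample packet records (not from the original post): one record per
# packet seen at the edge, as (proto, src_ip, src_port, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    # legitimate: 203.0.113.10 queried an NTP server and got a single reply
    ("udp", "203.0.113.10", 40001, "198.51.100.1", 123, 48),
    ("udp", "198.51.100.1", 123, "203.0.113.10", 40001, 48),
    # reflection: several NTP servers "answer" 203.0.113.20, which never asked them
    ("udp", "198.51.100.2", 123, "203.0.113.20", 80, 468),
    ("udp", "198.51.100.3", 123, "203.0.113.20", 80, 468),
    ("udp", "198.51.100.4", 123, "203.0.113.20", 80, 468),
    # ordinary HTTPS traffic, which the edge policy allows
    ("tcp", "192.0.2.5", 51000, "203.0.113.20", 443, 600),
]

# Edge policy stated in the post: only HTTP, HTTPS and DNS destinations are served.
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53)}

def edge_allowed(flow):
    """True if the packet's destination service is on the allowlist."""
    proto, _, _, _, dst_port, _ = flow
    return (proto, dst_port) in ALLOWED_SERVICES

def find_reflection_victims(flows, min_sources=3):
    """Report hosts receiving unsolicited UDP/123 replies from many servers.
    A reflected packet arrives from source port 123, but no query was ever sent
    from the receiving host and port to that server, so the "reply" answers
    nothing. Returns {victim_ip: (distinct_reflectors, bytes_reflected)}.
    """
    outbound = set()  # every outbound NTP query seen, keyed to match its reply
    for proto, src, sport, dst, dport, _ in flows:
        if proto == "udp" and dport == 123:
            outbound.add((src, sport, dst))
    reflectors = defaultdict(set)
    volume = defaultdict(int)
    for proto, src, sport, dst, dport, size in flows:
        if proto != "udp" or sport != 123:
            continue
        if (dst, dport, src) in outbound:
            continue  # solicited reply to a query this host actually sent
        reflectors[dst].add(src)
        volume[dst] += size
    return {v: (len(s), volume[v]) for v, s in reflectors.items() if len(s) >= min_sources}

if __name__ == "__main__":
    dropped = sum(not edge_allowed(f) for f in SAMPLE_FLOWS)
    print(f"edge drops {dropped}/{len(SAMPLE_FLOWS)}; victims: {find_reflection_victims(SAMPLE_FLOWS)}")
```

Note that the allowlist also drops the legitimate NTP reply to 203.0.113.10, which is exactly the trade-off the post argues for: the edge simply does not serve UDP/123.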