Seven Million Unsecured NTP Servers Prime Targets for DDoS


Since its rollout in 1985, Network Time Protocol (NTP), which runs over UDP, has been attractive to hackers because it is easy to use and easy to spoof. It synchronizes the clocks of computer systems (client systems with server systems) over data networks. The international Internet gaming community, North Korea’s news agency KCNA and CloudFlare have all been hit by NTP-based attacks. In particular, rival gaming gangs bragged about their Internet kills on Twitter and other social networks. Must have been the work of talented hackers, right? Not necessarily. DDoS for Hire is cheap and can be bought on peer-to-peer job sites similar to Fiverr and Rehan Jobs. The “get even” offers are posted for a few hours and then pulled as soon as a few customers bite and buy.

Services that run over UDP include NTP (which we talk about here), chargen (which BlockDoS wrote about in 2013), DNS (Domain Name System), SNMP, and RADIUS. They are embedded in all types of broadband CPE devices that consumers use. More than 7 million NTP servers are not effectively secured, making it easy to spoof and use them to conduct distributed denial-of-service attacks.

DDoS for Hire services that take advantage of unsecured NTP servers are cheap and available on peer-to-peer Internet job sites and forums, as mentioned already. Any disgruntled and angry ex-employee, ex-spouse, customer, competitor, or cyber bully can spend a few dollars and cause their target or enemy to lose money, clients and reputation when their websites and services stop working or crash from the attacks. The scripts and services are set up to request a huge amount of “date send” to the host.

Do not worry. The experts are working on ways to reduce the ease-of-spoofing issue. For example, bug 2391 was reported to on May 7, 2013 and discussed through July 2, 2013, starting with: “ is an important resource. It would be good if people were not able to spoof it. Additionally, once signed we could perhaps use the timings in that zone to go from a first approximation of time, to a fully accurately set time.”

It gets a bit more technical after that, but we all understand that NTP reflection/amplification DDoS attacks have a global playground of unsecured embedded devices: smart phones, iPods, TomToms, Fitbits, Nintendo and other gaming consoles, digital camcorders, and Blu-ray DVD recorders. NTP reflection uses the monlist query, which requests a list of the last 600 hosts that have connected to a server. Attackers using NTP reflection may attack their targets by sending a special packet that requests a leviathan of “date send” to the host. What is this? The send command puts the current date in the Date: field over and over and over and over.
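For operators who want to know whether one of their own servers is among the unsecured ones, the following added example (not part of the original article) audits ntpd-style `ntp.conf` text for settings that leave the monlist query answerable. The function name `audit_ntp_conf`, the finding codes and both sample configurations are constructed for illustration; it assumes the reference ntpd directives `disable monitor` and `restrict ... noquery`.

```python
# Added example: audit ntpd-style ntp.conf text for monlist exposure.
# audit_ntp_conf and both sample configs are constructed for illustration.

def audit_ntp_conf(text):
    """Return a list of finding codes for the given ntp.conf text."""
    monitor_disabled = False
    limited_seen = False
    defaults = []  # flag sets of every 'restrict default' line (IPv4 or IPv6)
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not tok:
            continue
        if tok[0] in ("disable", "enable") and "monitor" in tok[1:]:
            monitor_disabled = tok[0] == "disable"
        elif tok[0] == "restrict":
            args = [a for a in tok[1:] if a not in ("-4", "-6")]
            limited_seen = limited_seen or "limited" in args
            if args and args[0] == "default":
                defaults.append(set(args[1:]))
    # ntpd keeps the client history that monlist returns whenever a restrict
    # entry uses 'limited', even when 'disable monitor' is configured.
    monitoring = (not monitor_disabled) or limited_seen
    # Queries are open if any default entry lacks 'noquery'/'ignore', or if
    # there is no default entry at all.
    open_query = not defaults or any(
        not ({"noquery", "ignore"} & flags) for flags in defaults)
    if monitoring and open_query:
        return ["MONLIST_EXPOSED"]
    if open_query:
        return ["QUERY_OPEN"]
    return []

WEAK_CONF = """\
server time.example.net iburst
restrict 127.0.0.1
"""

HARDENED_CONF = """\
disable monitor
server time.example.net iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or "no monlist exposure found")
```
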

The famous actress Mae West once said, “Too much of a good thing can be wonderful!” Maybe wonderful for the giver, but not for the receiver in a DDoS attack. The NTP reflection/amplification DDoS attack is one example. Check in with regularly. Our blogs, articles, case studies and social network updates aim to educate the world with the facts, trends, solutions, and proactive measures regarding network security, especially in the area of DDoS defense. Join the conversation by asking questions or leaving comments on our blog and Facebook page. Contact us for help against DDoS at +1-866-989-9119.