Analyzing Network Time Protocol (NTP) Based Amplification DDoS Attack and its Mitigation Techniques

Abstract

Network Time Protocol amplification attack is a form of distributed denial-of-service (DDoS) attack in which an attacker exploits or sends a request to a vulnerable NTP server by using their IP address to flood a targeted network or server with an overwhelming volume of User Datagram Protocol (UDP) traffic. In the past, the techniques that involved reflecting traffic off NTP servers to the victim, with the attacker hiding their identity by spoofing the source IP address were carried out using mainly Domain Name Server (DNS) servers but the use of vulnerable NTP servers as reflectors in DDoS attacks has gain lot of popularity since 2014, and this is as a result of the realization of high amplification scale that NTP servers can provide. This type of reflector attack maximized the use of the amplification factor of NTP servers to magnify the attack bandwidth, making it particularly disruptive and difficult to mitigate. Since NTP amplification is not a popularly known attack and there has not been much thorough research on it, this paper explores a holistic overview of NTP amplification attacks, how NTP is used for DDoS attacks, and the overall method that can be used to mitigate such attacks. Keywords: Distributed Denial-of-Service (DDoS) attack, DNS servers, NTP servers