DoS attacks that took down big game sites abused Web’s time-sync protocol

69 percent of all DDoS attack traffic by bit volume in the first week of January was the result of NTP reflection.
Black Lotus

Miscreants who earlier this week took down servers for League of Legends, EA.com, and other online game services used a never-before-seen technique that vastly amplified the amount of junk traffic directed at denial-of-service targets.

Rather than directly flooding the targeted services with torrents of data, an attack group calling itself DERP Trolling sent much smaller sized data requests to time-synchronization servers running the Network Time Protocol (NTP). By manipulating the requests to make them appear as if they originated from one of the gaming sites, the attackers were able to vastly amplify the firepower at their disposal. A spoofed request containing eight bytes will typically result in a 468-byte response to a victim, a more than 58-fold increase.

"Prior to December, an NTP attack was almost unheard of because if there was one it wasn't worth talking about," Shawn Marck, CEO of DoS-mitigation service Black Lotus, told Ars. "It was so tiny it never showed up in the major reports. What we're witnessing is a shift in methodology."

Read 4 remaining paragraphs | Comments