NTP amplification attack definition
An NTP amplification attack is a type of DDoS attack where the attacker relies on misconfigured or insecurely configured NTP servers that respond to requests from unauthorized sources in order to flood their victims with traffic. In NTP amplification attacks, hackers typically flood their targets with User Datagram Protocol (UDP) traffic, which makes the target unable to function properly.
As with most DDoS attacks, the victims of successful NTP amplification attacks can’t access regular traffic once the attack is finished.
Hackers conduct NTP amplification attacks by sending UDP packets with a spoofed or fake source IP address to a certain NTP server. All of these UDP packets make requests to the targeted NTP server, which overwhelms the server as it struggles to respond to all of them.
Once the NTP server responds to the fake IP address, the rest of the victim’s network infrastructure also gets overwhelmed, making the whole network unable to function as it should.
NTP amplification attack prevention
Disable monlist. Monlist is a vulnerability found on NTP servers that hackers use to conduct NTP amplification attacks. Disabling the monlist command is therefore a way to stop an NTP amplification attack. NTP servers running software version 4.2.7 and above have that command disabled automatically, so they are less vulnerable to NTP amplification attacks.
Verification of source IP. Since attackers use spoofed IP addresses to overwhelm their victims with UDP traffic, rejecting internal traffic from spoofed IPs is a way to prevent them from doing so.
Use standard DDoS protection tools. NTP amplification attacks are a type of DDoS attack, so standard DDoS protection tools or software might still help in preventing them.
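The "Disable monlist" step above can be checked from a server's configuration, as in this added example (not from the original page). It assumes the reference ntpd `ntp.conf` syntax (`disable monitor`, `restrict default ... noquery`); the sample configurations and the function names are constructed for illustration.

```python
import re

# Per the page, ntpd 4.2.7 and above have monlist disabled automatically.
SAFE_VERSION = (4, 2, 7)

# Constructed sample configurations (not taken from any real server).
WEAK_CONF = """driftfile /var/lib/ntp/drift
restrict default nomodify notrap
server 0.pool.ntp.org iburst
"""
HARDENED_CONF = """disable monitor   # turns off the monitoring facility behind monlist
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

def parse_version(text):
    """Extract (major, minor, patch) from a string such as 'ntpd 4.2.6p5'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def audit_ntp(conf_text, version_text):
    """Report whether monlist is disabled and whether default sources may query."""
    monitor_disabled = False
    default_lines = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if not tokens:
            continue
        # The last 'enable'/'disable' line that names 'monitor' wins.
        if tokens[0] in ("enable", "disable") and "monitor" in tokens[1:]:
            monitor_disabled = tokens[0] == "disable"
        if tokens[0] == "restrict":
            args = [t for t in tokens[1:] if t not in ("-4", "-6")]
            if args and args[0] == "default":
                default_lines.append(args)
    version_ok = parse_version(version_text) >= SAFE_VERSION
    return {
        "version_ok": version_ok,
        "monitor_disabled": monitor_disabled,
        # Line-level check: every 'restrict default' line must carry noquery.
        "default_noquery": bool(default_lines)
                           and all("noquery" in a for a in default_lines),
        "monlist_disabled": version_ok or monitor_disabled,
    }
```

A result with `monlist_disabled` set to `False` marks a server that still needs the monlist fix; `default_noquery` is reported separately as an additional hardening check.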