In the last few weeks, services and games like League of Legends, Dota 2, Steam, and Twitch.tv have gone down for minutes or even hours as a result of denial of service attacks. What are attackers doing to bring these large services down, and how does it work?
Last year, attackers were using something called DNS reflection and amplification attacks. This year, attackers have moved onto something more insidious: NTP-based attacks. They work on the same basic principle: the attacker sends a small command to a bunch of open, available services on the internet, and those services reply with an answer that is as much as 200 times larger than the original request.
After a lot of chatter back and forth with some friends in system administration, the best real-world metaphor we could come up with was this: Imagine if you could order a stack of free catalogs with just a postcard. Then you found these mail-order services all over and sent each one a post card. On the postcard, though, you have someone else’s address.
Now, head over to the recipient’s home. They received thousands or tens of thousands of catalogs, on the same day, at the same time. They’ve been literally buried in catalogs for everything you can imagine and there was nothing they could do to stop it or defend against it. The worst part is, they can’t just turn away all the mail – they’ve got bills coming and a super important package on the way.
There are two things that, combined, make the attack insidious, easy to execute, and very powerful. While DNS amplification attacks return about eight times the information requested, NTP attacks come back with as much as 200 times the data, as mentioned above. This isn’t the biggest attack around, but there’s more to it.
NTP stands for Network Time Protocol. If you had any role in setting up your computer and you had to set the timezone, you probably noticed that your computer, regardless of operating system, had a spot to select which server to get its information from. Just about every computer, server, and even mobile device – any network device that keeps time – uses this protocol. It’s an innocent and often overlooked protocol.
As a result, on many servers the software operating that protocol is nearly four years old and in the time since then, attackers have become more clever. They’re always looking for vulnerable commands like these to run; NTP isn’t the first, nor will it be the last. They have access to bigger and bigger lists of vulnerable servers – gathered by networks of compromised computers and the like – to poke and prod. In all likelihood, the attack is probably as simple to execute as picking a target and running a pre-generated script.
The worst part is, just like the example guy with a house full of lawn mower part and lingerie catalogs above, there’s not much that services can do to defend against these attacks. The burden is on the administrators hosting all these other servers, the ones used in the attack, to keep their servers updated and secure. Simply updating the version of NTP or disabling this command will keep a server from becoming an accomplice.
This is a good time to make it clear that NTP itself isn’t a vulnerable protocol. Rather, a small, mostly unused part of the NTP protocol that has nothing to do with the protocol’s basic functionality and has since been patched out is the source of the problem, and that’s what the people running these servers have to do.
But then what can services like Steam and League of Legends do? The only real answer lies in capacity, which is a costly measure. These attacks end up topping 100 gigabits per second, which is enough to topple Steam – at least during a seasonal sale – and most other web-based services. Only places like Amazon and Google can really handle attacks like these right now. Big services can increase the amount of incoming data they can handle and, until the rest of the internet gets their servers working, that’s all they can do.
The Galaxy S20 Ultra's Space Zoom camera is amazing and a bit creepy
The Galaxy S20 Ultra supports up to 100X zoom, which Samsung calls Space Zoom, but is it any good? Can a phone really product usable photos at 100x zoom? We've got our Galaxy S20 Ultra already so join us to find out!
Win an iPhone, iPad and Apple Watch with the Reader's Choice giveaway!
What's the best phone of 2019? Is it the iPhone 11 Pro, Pixel 4 or OnePlus 7T? What about the best laptop, games console, tablet and more? Vote NOW in the Reader's Choice awards and win BIG in time for the holidays!
Here are the best products from IFA 2019!
Here are the products announced at IFA 2019 that were worthy of our Best of IFA 2019 awards. Also featuring MrMobile's single best product at the show!
The Dungeons and Dragons loot you always wanted
These are the accessories you need to be at the most prepared D&D player at your table.