In the last few weeks, services and games like League of Legends, Dota 2, Steam, and Twitch.tv have gone down for minutes or even hours as a result of denial of service attacks. What are attackers doing to bring these large services down, and how does it work?
Last year, attackers were using something called DNS reflection and amplification attacks. This year, attackers have moved onto something more insidious: NTP-based attacks. They work on the same basic principle: the attacker sends a small command to a bunch of open, available services on the internet, and those services reply with an answer that is as much as 200 times larger than the original request.
After a lot of chatter back and forth with some friends in system administration, the best real-world metaphor we could come up with was this: Imagine if you could order a stack of free catalogs with just a postcard. Then you found these mail-order services all over and sent each one a post card. On the postcard, though, you have someone else’s address.
Now, head over to the recipient’s home. They received thousands or tens of thousands of catalogs, on the same day, at the same time. They’ve been literally buried in catalogs for everything you can imagine and there was nothing they could do to stop it or defend against it. The worst part is, they can’t just turn away all the mail – they’ve got bills coming and a super important package on the way.
There are two things that, combined, make the attack insidious, easy to execute, and very powerful. While DNS amplification attacks return about eight times the information requested, NTP attacks come back with as much as 200 times the data, as mentioned above. This isn’t the biggest attack around, but there’s more to it.
NTP stands for Network Time Protocol. If you had any role in setting up your computer and you had to set the timezone, you probably noticed that your computer, regardless of operating system, had a spot to select which server to get its information from. Just about every computer, server, and even mobile device – any network device that keeps time – uses this protocol. It’s an innocent and often overlooked protocol.
As a result, on many servers the software operating that protocol is nearly four years old and in the time since then, attackers have become more clever. They’re always looking for vulnerable commands like these to run; NTP isn’t the first, nor will it be the last. They have access to bigger and bigger lists of vulnerable servers – gathered by networks of compromised computers and the like – to poke and prod. In all likelihood, the attack is probably as simple to execute as picking a target and running a pre-generated script.
The worst part is, just like the example guy with a house full of lawn mower part and lingerie catalogs above, there’s not much that services can do to defend against these attacks. The burden is on the administrators hosting all these other servers, the ones used in the attack, to keep their servers updated and secure. Simply updating the version of NTP or disabling this command will keep a server from becoming an accomplice.
This is a good time to make it clear that NTP itself isn’t a vulnerable protocol. Rather, a small, mostly unused part of the NTP protocol that has nothing to do with the protocol’s basic functionality and has since been patched out is the source of the problem, and that’s what the people running these servers have to do.
But then what can services like Steam and League of Legends do? The only real answer lies in capacity, which is a costly measure. These attacks end up topping 100 gigabits per second, which is enough to topple Steam – at least during a seasonal sale – and most other web-based services. Only places like Amazon and Google can really handle attacks like these right now. Big services can increase the amount of incoming data they can handle and, until the rest of the internet gets their servers working, that’s all they can do.