An amplification denial-of-service attack exploits a server offering a service, such as DNS or NTP, to attack another victim server. The principle is simple: the attacker sends the service a request whose response is very large. By spoofing the request’s source IP address with the victim’s IP address, the attacker causes the response to be sent to the victim instead. In this way the attacker amplifies the volume of traffic sent to the victim, since the response the victim receives is much larger than the request the attacker sent. To saturate the victim’s bandwidth, the attacker often uses a botnet to generate a large volume of such requests.

How the NTP Amplification Attack works

This threat takes advantage of the nature of the UDP protocol, the transport protocol NTP runs over (UDP port 123). UDP is not connection-oriented: it performs no three-way handshake as TCP does, so the attacker can send forged requests to the NTP service and spoof the source IP address so that the amplified responses are delivered to other hosts, in this case the victims.

One of the most interesting denial-of-service attacks has long been DNS response amplification. This technique takes advantage of several factors to generate unsolicited traffic in a “lawful” way, that is, it does not rely on infecting machines but on the missing or careless configuration of third-party DNS servers.

A random scan of port 53 is enough to find DNS servers, and a small test determines whether those servers answer, or forward, recursive queries for third-party domains. A query for a domain can generate a response up to 50 times larger than the request: that is, you spend 10 bytes on a request and the server could return up to 500 bytes. That alone provides the traffic generation.

To mitigate this attack, or at least to keep our NTP servers from taking part in a DDoS attack based on NTP reflection, we must update to a version of ntp in which the monlist functionality is disabled by default or, if updating is not possible, add the `noquery` directive to our configuration file.
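To verify that an ntpd configuration actually carries the `noquery` restriction just described, here is an added Python check (not code from the original post) that parses the `restrict` lines of an ntp.conf and flags any non-loopback scope that would still answer mode 6/7 control queries such as monlist. The two configuration texts are constructed samples: the weak one beside its hardened form.

```python
# Constructed sample: a default-style ntp.conf with no noquery, so
# monlist (mode 7) and other control queries are answered for everyone.
WEAK_CONF = """\
server 0.pool.ntp.org iburst
restrict default nomodify notrap
restrict 127.0.0.1
"""

# Constructed sample: the hardened form with noquery on the default scopes.
HARDENED_CONF = """\
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

LOOPBACK = {"127.0.0.1", "::1"}

def parse_restrict_lines(conf_text):
    """Return a list of (scope, set-of-flags) for each restrict directive."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("restrict"):
            continue
        tokens = line.split()[1:]
        # Skip the optional address-family switch (-4 / -6).
        if tokens and tokens[0] in ("-4", "-6"):
            tokens = tokens[1:]
        if not tokens:
            continue
        scope = tokens[0]
        flags = set(tokens[1:])
        # "restrict <addr> mask <mask> flags..." -> drop the mask pair from flags
        if "mask" in tokens[1:]:
            i = tokens.index("mask")
            flags = set(tokens[1:i] + tokens[i + 2:])
        entries.append((scope, flags))
    return entries

def open_query_scopes(conf_text):
    """Non-loopback scopes still answering mode 6/7 queries (no 'noquery'/'ignore')."""
    return [scope for scope, flags in parse_restrict_lines(conf_text)
            if scope not in LOOPBACK
            and not ({"noquery", "ignore"} & flags)]

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "open scopes:", open_query_scopes(conf))
```

Run it against a real /etc/ntp.conf by reading the file into `open_query_scopes`; an empty list means every non-loopback scope refuses control queries.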
