During the last few months, we've seen an increasing number of NTP amplification attacks. It's an attack technique, similar to the previous wave of DNS amplification attacks, mostly used by script kiddies (but also by black hats) to take sites and servers offline.
The technique behind the attack is pretty simple: using public NTP servers, the attacker sends a request and spoofs the source address. This makes the NTP server respond to the target server instead of the real source, and because the reply is far larger than the request, the traffic is amplified along the way. Using a large network of NTP servers, the sheer volume of these responses will then likely knock the site or servers offline.
Unfortunately, there are plenty of public NTP servers out there that are exposed to this vulnerability.
Protecting yourself from DDoS attacks in general is a tricky subject. At CloudSigma, we already have DDoS mitigation built into our cloud. While that goes a long way, if you’re a high-profile target, you might also want to look into external services like CloudFlare for extra protection.
If you're running a public NTP server, you really need to make sure that you're not exposed to this vulnerability. The easiest way to check is to run a scan against your own servers with the ntp-monlist NSE script for Nmap.
An easier solution is of course not to make your NTP servers public.
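As an added example (not from the original post), a small POSIX shell script that runs the Nmap check described above against a host you operate, decides from the script's output whether the server answered a monlist request, and audits an ntp.conf for the two settings that close the hole (`disable monitor`, or a default `restrict` line carrying `noquery` or `ignore`). It assumes Nmap with its ntp-monlist script is installed; the sample scan output is constructed.

```shell
#!/bin/sh
# Added example (not from the post): audit your own NTP server for the
# monlist amplification vector. Assumes Nmap with the ntp-monlist NSE
# script is installed; the sample scan output below is constructed.

# Run the check the post recommends: the ntp-monlist script over UDP/123.
# -sU = UDP scan, -Pn/-n = skip host discovery and DNS lookups.
scan_ntp_monlist() {
    nmap -sU -p 123 -Pn -n --script=ntp-monlist "$1"
}

# Reads Nmap output on stdin; succeeds (exit 0) when the server answered a
# monlist request, i.e. the script printed its result block.
monlist_exposed() {
    grep -q '^| ntp-monlist:'
}

# Reads an ntp.conf on stdin; succeeds when monitoring is disabled or the
# default restrict line refuses queries ("noquery" or "ignore").
# Only the plain "restrict default ..." form is checked, not "restrict -4/-6".
ntp_conf_hardened() {
    conf=$(cat)
    printf '%s\n' "$conf" |
        grep -Eq '^[[:space:]]*disable([[:space:]]+[a-z]+)*[[:space:]]+monitor([[:space:]]|$)' && return 0
    printf '%s\n' "$conf" |
        grep -Eq '^[[:space:]]*restrict[[:space:]]+default([[:space:]]+[a-z]+)*[[:space:]]+(noquery|ignore)([[:space:]]|$)'
}

# Constructed Nmap output in the shape ntp-monlist prints for an exposed host.
EXPOSED_SCAN='PORT    STATE SERVICE
123/udp open  ntp
| ntp-monlist:
|   Target is synchronised with 192.0.2.10
|   Public Clients (2)
|_      198.51.100.7 203.0.113.9'

# Constructed Nmap output for a host that ignored the monlist request.
CLEAN_SCAN='PORT    STATE         SERVICE
123/udp open|filtered ntp'

# With a host argument, scan it live and report; without one, do nothing.
if [ $# -gt 0 ]; then
    if scan_ntp_monlist "$1" | monlist_exposed; then
        echo "$1: monlist is ENABLED - add 'disable monitor' to ntp.conf"
    else
        echo "$1: monlist did not respond"
    fi
fi
```

Run it as `sh check-ntp.sh ntp.example.org` against a server you operate, and pipe your configuration through `ntp_conf_hardened < /etc/ntp.conf` to confirm the fix took.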
If you want to learn more about this topic, the following articles might be a good starting point: