Technical Details Behind a 400Gbps NTP Amplification DDoS Attack
In a post published on February 13, 2014, Cloudflare described mitigating a large NTP amplification DDoS attack against one of its customers that peaked at nearly 400Gbps, the largest attack of this type the company had observed. The traffic came from 4,529 NTP servers on 1,298 different networks. NTP amplification abuses servers that still answer the MONLIST command, a mode 7 management query that returns the addresses of up to 600 recently seen clients, and relies on networks that do not filter spoofed source addresses: the attacker sends small requests with the victim's IP address as the source, and the servers deliver their much larger replies to the victim. Because each MONLIST request elicits a far larger reply than a DNS amplification query does, far fewer servers are needed to reach the same attack volume. Cloudflare did not publish the full list of servers involved but is contacting the responsible network operators so they can restrict access to their NTP servers and disable MONLIST. Network administrators are advised to implement BCP38 ingress filtering so that spoofed packets cannot leave their networks, and to check whether any NTP servers they run answer MONLIST queries from the Internet.
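The check recommended above, written out as an added example that is not part of Cloudflare's post: a small Python tool that sends a MONLIST request to a server you operate, decodes whatever comes back, and reports how many bytes the server returns per byte sent. The packet layout is the reference ntpd mode 7 "private" format (implementation 3, request code 42, 72-byte monitor entries); the host name on the command line and the reply contents used in the offline demo are constructed for illustration, not captured traffic.

```python
"""Check whether an NTP server answers MONLIST and measure the amplification.

Added example, not Cloudflare's code. Packet layout follows ntpd's mode 7
'private' format (ntp_request.h); the reply contents in the demo are constructed."""
import socket
import struct
import sys

NTP_PORT = 123
IMPL_XNTPD = 3          # implementation number of the reference ntpd
REQ_MON_GETLIST_1 = 42  # request code for the monlist table
MON_ITEM_SIZE = 72      # size of one info_monitor_1 entry in a reply
IP_UDP_HEADER = 28      # 20-byte IPv4 + 8-byte UDP header, for on-the-wire sizes


def build_monlist_request() -> bytes:
    # byte 0: response=0, more=0, version=2, mode=7 -> 0x17; byte 1: auth=0, seq=0;
    # bytes 2-3: implementation and request code; bytes 4-7: err/nitems, mbz/itemsize (zero)
    return struct.pack("!BBBBHH", 0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_monlist_reply(pkt: bytes):
    """Decode one mode-7 reply. Returns (more_follows, error_code, [client_ip, ...]),
    or None if the packet is not a monlist reply (e.g. a normal mode-3 time reply)."""
    if len(pkt) < 8:
        return None
    flags, _seq, impl, code, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", pkt[:8])
    if not (flags & 0x80) or (flags & 0x07) != 7 or impl != IMPL_XNTPD or code != REQ_MON_GETLIST_1:
        return None
    more = bool(flags & 0x40)
    error, nitems = err_nitems >> 12, err_nitems & 0x0FFF
    itemsize = mbz_itemsize & 0x0FFF
    clients = []
    for i in range(nitems):
        item = pkt[8 + i * itemsize: 8 + (i + 1) * itemsize]
        if len(item) < 36:
            break
        # info_monitor_1: avg_int, last_int, restr, count, addr, daddr, flags, port, mode, version, v6_flag
        (_avg, _last, _restr, _count, addr, _daddr, _mflags,
         _port, _mode, _ver, v6_flag) = struct.unpack("!7IHBBI", item[:36])
        if v6_flag and len(item) >= 56:
            clients.append(socket.inet_ntop(socket.AF_INET6, item[40:56]))  # addr6 follows 4 unused bytes
        else:
            clients.append(socket.inet_ntoa(struct.pack("!I", addr)))
    return more, error, clients


def amplification_factor(request: bytes, reply_packets, include_headers: bool = True) -> float:
    """Bytes delivered to the (spoofed) source per byte the attacker sent. Header-inclusive
    by default, because the victim's link carries an IP/UDP header on every reply packet."""
    hdr = IP_UDP_HEADER if include_headers else 0
    return sum(len(p) + hdr for p in reply_packets) / (len(request) + hdr)


def build_monlist_reply(client_ips, seq: int = 0, more: bool = False) -> bytes:
    """Constructed mode-7 reply for offline testing; mirrors what ntpd emits for IPv4 clients."""
    flags = 0x97 | (0x40 if more else 0)  # response=1, version=2, mode=7, plus the 'more' bit
    hdr = struct.pack("!BBBBHH", flags, seq, IMPL_XNTPD, REQ_MON_GETLIST_1, len(client_ips), MON_ITEM_SIZE)
    items = b"".join(
        struct.pack("!7IHBBI", 0, 0, 0, 1, struct.unpack("!I", socket.inet_aton(ip))[0],
                    0, 0, NTP_PORT, 3, 4, 0) + b"\x00" * 36  # unused1 + addr6 + daddr6
        for ip in client_ips)
    return hdr + items


def probe(host: str, timeout: float = 2.0):
    """Send one MONLIST request to host and collect reply packets until the last one
    (more bit clear) or a timeout. A hardened server (noquery / disable monitor) returns nothing."""
    packets = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_monlist_request(), (host, NTP_PORT))
        while True:
            try:
                data, _ = s.recvfrom(1024)
            except socket.timeout:
                break
            packets.append(data)
            parsed = parse_monlist_reply(data)
            if parsed is None or not parsed[0]:
                break
    return packets


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check of your own server: python3 ntp_monlist.py ntp.example.org
        replies = probe(sys.argv[1])
        if not replies:
            print("no MONLIST reply: server is not usable for amplification")
        else:
            parsed = [parse_monlist_reply(p) for p in replies]
            clients = [ip for r in parsed if r for ip in r[2]]
            print(f"MONLIST open: {len(clients)} clients in {len(replies)} packets, "
                  f"amplification {amplification_factor(build_monlist_request(), replies):.0f}x")
    else:  # offline demo: a full 600-entry table, 6 entries per 440-byte packet -> 100 packets
        replies = [build_monlist_reply(["203.0.113.1"] * 6, seq=n, more=n < 99) for n in range(100)]
        print(f"full table: {amplification_factor(build_monlist_request(), replies):.0f}x on the wire")
```

Run it only against servers you are responsible for. An 8-byte request that draws a full 600-entry table back (100 packets of 440 bytes) yields 5500x at the payload level and about 1300x once the per-packet IP/UDP headers are counted, which is why so few servers were enough for this attack. If your server answers, add `disable monitor` to ntp.conf and restrict the default access with `restrict default kod nomodify notrap nopeer noquery` (and the matching `-6` line), or upgrade to ntpd 4.2.7p26 or later, where the monitor list is disabled by default.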
Company
Cloudflare
Date published
Feb. 13, 2014
Author(s)
Matthew Prince
Word count
1227
Hacker News points
None found.
Language
English