DDOS using NTP explained

Share This:

DDOS using NTP explained.

The NTP method was noticed in late 2013 affecting online gaming industry such as Riot’s League of Legends.

Commonly attackers use botnets as their main tool for DDOS, however there are now many mechanisms in place to protect the business continuity and availability.
NTP is widely used to synchronise a computer to Internet time servers. Most common configuration is to use external NTP servers for redundancy, even if in-house ntp servers are used they still relay on external pools of open source or private NTP servers.
Time is crucial when it comes to data packets, distributed transactions and therefore integrity and availability.

NTP DDOS Attacks overview:

By manipulating the requests to make them appear as if they originated from the targeted servers, creates a “huge” amounts of traffic . A spoofed eight bytes result in a 468-byte response to a targeted system. Those packets find an easy way through targets firewall as ntp time syncs are not unusual. If that originates form a botnet of countless number of masqueraded nodes, targeted system becomes overwhelmed.

More info from other sources:

“During the first week of the year, NTP reflection accounted for about 69 percent of all DoS attack traffic by bit volume, Marck said. The average size of each NTP attack was about 7.3 gigabits per second, a more than three-fold increase over the average DoS attack observed in December. Correlating claims DERP Trolling made on Twitter with attacks Black Lotus researchers were able to observe, they estimated the attack gang had a maximum capacity of about 28Gbps.”


The NTP method first began to appear late last year. To bring down a server such as one running “League of Legends,” the attackers trick NTP servers into thinking they’ve been queried by the “League of Legends” server.
The NTP servers, thinking they’re responding to a legitimate query, message the “League of Legends” server, overloading it with as many as 100 gigabits per second (Gbps). That’s large even for a DDoS attack.
In this way, one small request to an NTP server can generate an enormous response capable of taking down even high-capacity websites.


Leave a comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload the CAPTCHA.