NTP attacks continue – a quick look at traffic over the past few months

In February, Kirk Soluk’s post on NTP Attacks: Welcome to The Hockey Stick Era reported that we have seen a increase in NTP-based application attacks.   We thought we would take a few minutes to post an update on the state of traffic metrics.

The graphs below are depicting aggregate traffic based on the NTP network port (123).  The first graph shows observed NTP traffic via UDP since December of 2013 until early March.


You can see that the observed traffic increase started at the end of 2013 and increased to nearly 800Gb/s in early March across the participants of Arbor Network’s ATLAS  system.   Let us dive in a little closer.


Looking at the late January until early March timeframe, we can see the increase continues with February’s NTP/UDP bandwidth traffic being fairly sustained, approaching and exceeding 400Gb/s most days.   It appears that as we get into March the bandwidth of NTP traffic is waining slightly, but remains at 300Gb/s on most days, far above the 50Gb/s even in late January.   March 04 was a significantly troublesome day as traffic peeked at nearly 800Gb/s on that day shortly before midnight UTC.


To see where traffic typically is, let’s take a look at one more graph, showing the level of traffic in late 2013 before the campaigns began.


Here you can get a view of what the NTP/UDP traffic was, hovering around one to two (1-2) Gb/s of time sync traffic in early December.

To learn more about defending your network against NTP-based attacks, we recommend attending the upcoming Arbor Webinar on Friday, March 14th at 3pm UTC /11am EDT, entitled ‘Too Much Time on My Hands:  Network-Scale Mitigation of NTP DDoS Attacks,’ presented by Arbor’s Roland Dobbins, Senior ASERT Analyst, and Ben Fischer, Product Marketing Manager.