Hack attacks battled by net's timekeepers

League of Legends screenshot Login servers for online game League of Legends were hit by attacks abusing net time servers

Related Stories

A massive worldwide effort is under way to harden the net's clocks against hack attacks.

The last few months have seen an "explosion" in the number of attacks abusing unprotected time servers, said security company Arbor.

Unprotected network time servers can be used to swamp target computers with huge amounts of data.

About 93% of all the vulnerable servers are now believed to have been patched against attacks.

'Appropriate' use

The attack that paved the way for the rapid rise was carried out by the Derp Trolling hacker group and was aimed at servers for the popular online game League of Legends, said Darren Anstee, a network architect at net monitoring firm Arbor.

That attack took advantage of weaknesses in older versions of the software underlying the network time protocol (NTP). Known as an "NTP reflection" attack, it used several thousand poorly configured computers handling NTP requests to send data to the League of Legend servers.

Around the world about 1.6 million NTP servers were thought to be vulnerable to abuse by attackers, said Harlan Stenn from the Network Time Foundation that helped co-ordinate action to harden servers.

Precise timings are very important to the steady running of the net and many of the services, such as email and e-commerce, that sit on it.

Early 2014 saw the start of an Open NTP initiative that tried to alert people running time servers to the potential for abuse, Mr Stenn told the BBC.

Now, he said, more than 93% of those vulnerable servers had been updated. However, he said, this did leave more than 97,000 still open to abuse. Arbor estimates that it would take 5,000-7,000 NTP servers to mount an overwhelming attack.

Server room Without precise timings it would be hard to co-ordinate the passage of data on the internet

The feature that attackers had exploited had been known for a long time in the net time community and was not a problem as long as those servers were used "appropriately", he said.

"This was before spammers, and well before the crackers started using viruses and malware to build bot armies for spamming, phishing, or DDoS attacks," he said.

Distributed Denial of Service (DDoS) attacks are those that try to shut servers down by overwhelming them with data.

The success of the Derp Trolling attack prompted a lot of copycat activity, said Mr Anstee from Arbor.

"Since that event it's gone a bit nuts to an extent and that tends to happen in the attack world when one particular group succeeds," he said. "We've seen an explosion in NTP reflection activity."

NTP reflection attacks can generate hundreds of gigabits of traffic every second, said Mr Anstee, completely overwhelming any server they are aimed at.

The copycat attacks have fed into a spike in the number of "large events", mainly DDoS attacks, that Arbor sees hitting the net, he said.

"Historically we used to see a couple of hundred gigabit events every year," said Mr Anstee. "In February 2014 we tracked 43."

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories

RSS

Features & Analysis

BBC Future

(Getty Images)

How movie dinosaurs lied to us

What’s wrong with cinema’s monster lizards Read more...

Programmes

  • Traffic lightsClick Watch

    From hacking cars to traffic lights - behind the scenes at a cyber-security conference

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.