Hack attacks battled by net's timekeepers By Mark Ward

Technology correspondent, BBC News Published duration 20 March 2014

image copyright Riot Games image caption Login servers for online game League of Legends were hit by attacks abusing net time servers

A massive worldwide effort is under way to harden the net's clocks against hack attacks.

The last few months have seen an "explosion" in the number of attacks abusing unprotected time servers, said security company Arbor.

Unprotected network time servers can be used to swamp target computers with huge amounts of data.

About 93% of all the vulnerable servers are now believed to have been patched against attacks.

'Appropriate' use

The attack that paved the way for the rapid rise was carried out by the Derp Trolling hacker group and was aimed at servers for the popular online game League of Legends, said Darren Anstee, a network architect at net monitoring firm Arbor.

That attack took advantage of weaknesses in older versions of the software underlying the network time protocol (NTP). Known as an "NTP reflection" attack, it used several thousand poorly configured computers handling NTP requests to send data to the League of Legend servers.

Around the world about 1.6 million NTP servers were thought to be vulnerable to abuse by attackers, said Harlan Stenn from the Network Time Foundation that helped co-ordinate action to harden servers.

Precise timings are very important to the steady running of the net and many of the services, such as email and e-commerce, that sit on it.

Early 2014 saw the start of an Open NTP initiative that tried to alert people running time servers to the potential for abuse, Mr Stenn told the BBC.

Now, he said, more than 93% of those vulnerable servers had been updated. However, he said, this did leave more than 97,000 still open to abuse. Arbor estimates that it would take 5,000-7,000 NTP servers to mount an overwhelming attack.

image copyright AP image caption Without precise timings it would be hard to co-ordinate the passage of data on the internet

The feature that attackers had exploited had been known for a long time in the net time community and was not a problem as long as those servers were used "appropriately", he said.

"This was before spammers, and well before the crackers started using viruses and malware to build bot armies for spamming, phishing, or DDoS attacks," he said.

Distributed Denial of Service (DDoS) attacks are those that try to shut servers down by overwhelming them with data.

The success of the Derp Trolling attack prompted a lot of copycat activity, said Mr Anstee from Arbor.

"Since that event it's gone a bit nuts to an extent and that tends to happen in the attack world when one particular group succeeds," he said. "We've seen an explosion in NTP reflection activity."

NTP reflection attacks can generate hundreds of gigabits of traffic every second, said Mr Anstee, completely overwhelming any server they are aimed at.

The copycat attacks have fed into a spike in the number of "large events", mainly DDoS attacks, that Arbor sees hitting the net, he said.