Today (March 26, 2014) Shadowserver added a new set of reports to all of those who have signed up to receive information about their networks. The report is the culmination of months of work figuring out how to reliably scan the Internet for potential Distributed Denial of Service (DDoS) amplification. We’ll have more on our general methodologies to come, but I wanted to take a moment to point out one specific report as it has the most “hits”.
Since it was the second (after DNS) to be widely used for DDoS, NTP was the next obvious choice for our scanning. If you are not familiar with the NTP DDoS attacks and the potential, CERT has a great post here: http://www.kb.cert.org/vuls/id/348126. Feel free to go read it, this post will be waiting when you return.
Our purpose in performing this scanning is to alert the network owners that they are potentially participating in devastating distributed denial of service attacks. While likely Quixotesque, our hope is that by notifying network owners of the risk these systems pose to the Internet as a whole, we will make the Internet a slightly safer place.
We have two links that are work referencing that will answer many questions about this new report and the project as a whole. The first page lays out the report format along with examples. Included is a note that one can verify our report with a simple command:
ntpq -c rv [ip]
The other page of interest, https://ntpscan.shadowserver.org/, includes overall statistics we’ve found to date with our scanning. Even if you have not received one of our reports, the fact that there are (at time of this writing) 4.6 million NTP servers out there readily available for DDoS purposes is appalling. Further, the fact that the US accounts for 1/4 of all of those servers is even more troubling.