Recent denial-of-service attacks taking down League of Legends and other popular gaming services are doing more than just wielding a rarely-seen technique to vastly amplify the amount of junk traffic directed at targets. In at least some cases, their devastating effects can deprive celebrity game players of huge amounts of money.

As Ars reported last week, the attacks are abusing the Internet's Network Time Protocol (NTP), which is used to synchronize computers to within a few milliseconds of Coordinated Universal Time. A command of just 234 bytes is enough to cause some NTP servers to return a list of up to 600 machines that have previously used their time-syncing service. The dynamic creates an ideal condition for DoS attacks. Attackers send a modest-sized request to NTP servers with a spoofed source address, so the requests appear to have come from one of the targeted gaming services. The NTP servers, which may be located in dozens or even hundreds of locations all over the world, in turn send the targets responses that can be tens or hundreds of times bigger than the spoofed request. The technique floods gaming servers with as much as 100Gbps, all but guaranteeing that they'll be taken down unless operators take specific precautions ahead of time.

Among the recent targets of this type of attack are game servers used by celebrity players who broadcast live video streams of their gaming prowess that are viewed as many as 50,000 times. In some cases, the massive audiences translate into tens of thousands of dollars per month, as ads are displayed beside video feeds of the players blowing away opponents in Dota 2 and other games.

"These people generate revenue using game servers, so when they're attacked it creates dramatic financial loss for them," said Matt Mahvi, CEO and founder of Staminus, a service that blocks more than 100,000 DoS attacks each month. "I can see that our customers were streaming [and] their game servers were being attacked. I'm seeing these massive, massive attacks that come in against our customers."

Mahvi said that over the past month or so the vast majority of DoS campaigns reaching 40Gbps and above have relied on NTP abuse. In the past, such "volumetric" attacks—meaning those that rely on massive volumes of data to overwhelm their targets—were mostly made possible through so-called DNS amplification techniques. This much older and better-known method allows attackers to magnify attacks by a factor of about eight. It works by sending IP lookup requests with spoofed source addresses to open domain name system servers, which in turn bombard targets with lengthy replies. Late last year, the NTP technique came into vogue, possibly as many DoS victims learned how to better defend against the DNS attacks.

[Figure: A graph showing a 90-Gbps attack on one Staminus customer. Staminus CEO Matt Mahvi said some attacks approach or exceed 100 Gbps. Credit: Staminus]

"What we have is a situation where the very large volumetric attacks have a high tendency of being NTP-based floods right now," Mahvi said. "The second aspect to this is that whoever is doing this or has access to these floods seems to also have access to very, very large TCP based attacks as well. So what we're seeing is a flip between volumetric and high-packet per second attacks."

The result is a one-two punch. With floods approaching 100Gbps, they're among the bigger DoS attacks menacing the Internet (certainly bigger than the 65Gbps campaigns reported in late 2012 by Cloudflare, but smaller than the 300Gbps attacks that some ISPs experienced in the past year). In addition to the massive bandwidth, the attacks direct a crippling number of data packets at the targets. The torrents of TCP SYN-ACK packets can bombard a server with an astounding 80 million packets per second. For context, Mahvi said, the Apache Web server will generally crash once it receives 500 packets per second, while the HTTP server Nginx will die at about 5,000 packets per second.

The combination of NTP floods and TCP packets has been directed at a variety of Staminus customers in recent weeks, including several popular Minecraft servers and Minecraft celebrity streamers, whom Mahvi declined to identify by name. These players frequently stream their online play in channels that attract huge numbers of viewers. The attacks that disrupt them appear similar to those that recently targeted PhantomL0rd, a popular League of Legends player who regularly broadcasts his gameplay over Twitch TV.

The amount of amplification available through NTP-based attacks depends on several variables, including the specific server that's being abused and the command an attacker chooses. John Graham-Cumming, a researcher at DoS protection service Cloudflare, said typical attacks amplify a 234-byte request sent by an attacker into a response split across 10 packets that totals 4,460 bytes.

"That's an amplification factor of 19x, and because the response is sent in many packets, an attack using this would consume a large amount of bandwidth and have a high packet rate," Graham-Cumming wrote late last week. NTP servers that are particularly popular could potentially do much more damage. A MON_GETLIST request (the "monlist" query) makes the server send back the addresses of the last 600 computers that have interacted with it; against a server with a full list, the amplification factor could reach about 206.
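To make the arithmetic above concrete from the defender's side, here is an added Python example (not code from the article, Cloudflare or Staminus) that computes the bandwidth amplification for the 234-byte request and the 10-packet, 4,460-byte reply quoted by Graham-Cumming, models a full 600-entry MON_GETLIST reply, and flags hosts in constructed flow records that receive far more NTP response traffic than they ever requested. The mode-7 reply layout (8-byte header, 72-byte entries, 6 per packet, 28 bytes of IPv4/UDP overhead) and the flow-record format are assumptions, not figures from the article.

```python
from collections import defaultdict

REQUEST_BYTES = 234  # request size quoted in the article

def amplification_factor(request_bytes, response_packet_sizes):
    """Return (bandwidth amplification, packet count) for one reflected reply."""
    total = sum(response_packet_sizes)
    return total / request_bytes, len(response_packet_sizes)

def monlist_response_sizes(entries, entry_bytes=72, entries_per_packet=6,
                           header_bytes=8, ip_udp_overhead=28):
    """Per-packet on-the-wire sizes of a MON_GETLIST reply carrying `entries`
    addresses. The layout (8-byte mode-7 header, 72-byte entries, 6 per packet,
    28 bytes of IPv4/UDP headers) is an assumption, not taken from the article."""
    sizes, remaining = [], entries
    while remaining > 0:
        n = min(entries_per_packet, remaining)
        sizes.append(header_bytes + n * entry_bytes + ip_udp_overhead)
        remaining -= n
    return sizes

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, packets, bytes).
FLOWS = [
    # Ordinary client: one small request, one small reply.
    ("198.51.100.5", 50123, "192.0.2.1", 123, 1, 90),
    ("192.0.2.1", 123, "198.51.100.5", 50123, 1, 90),
    # Victim sent nothing to these servers yet receives large multi-packet replies:
    # a full 600-entry list and a 10-packet, 4,460-byte reply like the one Cloudflare saw.
    ("192.0.2.1", 123, "203.0.113.10", 80, 100, 46800),
    ("192.0.2.2", 123, "203.0.113.10", 80, 10, 4460),
]

def reflection_suspects(flows, min_factor=10.0, min_packets=5):
    """Flag hosts receiving far more NTP (UDP/123) response traffic than they
    requested; a spoofed victim typically sent no requests at all."""
    sent = defaultdict(int)               # bytes each host sent to port 123
    recv = defaultdict(lambda: [0, 0])    # [packets, bytes] each host got from port 123
    for src, sport, dst, dport, pkts, nbytes in flows:
        if dport == 123:
            sent[src] += nbytes
        if sport == 123:
            recv[dst][0] += pkts
            recv[dst][1] += nbytes
    suspects = {}
    for host, (pkts, nbytes) in recv.items():
        factor = nbytes / max(sent[host], 1)  # avoid division by zero for pure victims
        if factor >= min_factor and pkts >= min_packets:
            suspects[host] = round(factor, 1)
    return suspects
```

With the assumed layout a full 600-entry reply is 100 packets and 46,800 bytes, a 200x factor, close to the roughly 206x the article cites.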

The Cloudflare blog post and a separate one from Staminus both strongly advise server operators to upgrade to NTP version 4.2.7p26 or later. Those versions have been patched against a weakness involving the MON_GETLIST command that's ripe for abuse. NTP server operators should also see this resource from Team Cymru.