EA's Origin service, Blizzard's Battle.net, League of Legends and others suffered a distributed denial-of-service or DDoS attack was using a virtually unheard of method and somehow proven potent. The methodology provides 5800 per cent return of investment to DDoS attacker while straining the victim's server.

Unique DDoS Attack

DERP is what the group calls itself and tools out "Gaben Laser Beam" which have used the Network Time Protocol or NTP to carry out its attacks that took down multiple gaming servers including League of Legends, EA.com and Battle.net from Blizzard.

Instead of directly flooding targeted services with torrents of data, DERP sent much smaller sized data requests to time-synchronisation servers running the NTP. By manipulating the requests to make them appear as if originally from the gaming servers, attackers were able to vastly amplify firepower at their disposal. A spoofed request containing eight bytes will typically have a result of 468-byte to a victim.

It is an effective strategy for DDoS attackers to get more than 5800 per cent of return on their investment by sending fake request in such a small quantity and straining the victim's server.

"Prior to December, an NTP attack was almost unheard of because if there was one it wasn't worth talking about. It was so tiny it never showed up in the major reports. What we're witnessing is a shift in methodology," said by CES of DoS-mitigation service Shawn Marck of Black Lotus.

Around 69 per cent of DoS attack traffic are reflection of NTP and the average size of each NTP attack was about 7.3 gigabits per second in the first week of 2014. It is three-fold larger than the average DoS attacks observed in December 2013.

Network Time Protocol

NTP is a networking protocol for clock synchronisation between computer systems over data networks. It is susceptible to man-in-the-middle attacks unless packets are cryptographically signed for authentication.

Due to the complex configuration and importance of NTP on servers for very precise time increments, it was found vulnerable against exploitation by DoS attackers. However, NTP-amplification attacks are relatively easy to repel since all NTP traffic can be blocked with few negative consequences, if any.

Unfortunately, mitigation of other types of DoS attacks are harder than it seems for engineers must first work to distinguish legitimate data from traffic designed to bring down the site.

Black Lotus recommends obedience on several practices to block the effects of NTP-based attacks including traffic policers to limit amount of NTP traffic, implementation of large-scale DDoS mitigation systems or opting for service-based approaches that provide several gigabits of standby capacity used during DDoS attacks.