Fortinet, Inc.
MITIGATION OF NTP AMPLIFICATION AND REFLECTION BASED DDOS ATTACKS

Abstract:

Systems and methods for mitigating DDoS attacks utilizing NTP are provided. According to one embodiment, a tracking table is maintained by a network security device protecting a private network. The tracking table contains information regarding NTP requests originated by clients of the private network and observed by the network security device. An NTP request sent from a client to an NTP server external to the private network is intercepted by the network security device. An NTP request flooding attack on the NTP server by the first client is mitigated by the network security device by: (i) determining based on the tracking table whether a prior NTP request directed to the NTP server and for which an NTP response has yet to be received was sent by the client within a predetermined or configurable time period of the NTP request; and (ii) when said determining is affirmative, dropping the NTP request.