Corero Network Security chief executive Ashley Stephenson told Out-Law.com that hackers are undertaking 'NTP amplification attacks' on businesses and that companies need to be aware that their own servers may be used to carry out such attacks.
NTP amplification attacks exploit a weakness in how the internet's global time standard operates. The 'network time protocol' (NTP) helps to "synchronise the clocks of computers over a network".
However, a weakness in how the protocol works allows hackers to send requests to unsecured NTP servers asking for the list of IP addresses that have recently connected to those servers. Hackers can use a spoofed source address when sending the request, so that the response from the NTP server, which is often much larger than the request, is directed at the victim's address instead. Repeated at scale, the sheer volume of traffic generated by these NTP responses can bring down websites and other systems operated by others.
NTP servers are sometimes operated by organisations unwittingly, meaning that they may not deploy security measures to block unauthenticated requests to those servers, Stephenson said.
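As an added example, not code from the article or from Corero: a Python check an NTP server operator could run over flow records to spot the reflection pattern Stephenson describes, namely a trickle of small inbound requests apparently from one address and a flood of much larger outbound responses to it. The server address, the flow-record format and the records themselves are constructed for the example.

```python
import re
from collections import defaultdict

# Assumed address of the NTP server whose traffic we are auditing (constructed).
SERVER_IP = "198.51.100.10"
NTP_PORT = 123
FLOW_RE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+) udp (\d+)$")

# Constructed flow records, "src:port > dst:port udp <bytes>". The first two lines
# are a normal client exchange. The remaining six show reflection: small requests
# arriving "from" 192.0.2.5 (the spoofed victim) and far larger responses sent to it.
SAMPLE_FLOWS = """\
203.0.113.7:48213 > 198.51.100.10:123 udp 90
198.51.100.10:123 > 203.0.113.7:48213 udp 90
192.0.2.5:123 > 198.51.100.10:123 udp 234
192.0.2.5:123 > 198.51.100.10:123 udp 234
192.0.2.5:123 > 198.51.100.10:123 udp 234
198.51.100.10:123 > 192.0.2.5:123 udp 48200
198.51.100.10:123 > 192.0.2.5:123 udp 48200
198.51.100.10:123 > 192.0.2.5:123 udp 48200
"""

def tally_ntp_traffic(lines, server_ip=SERVER_IP):
    """Return {remote_ip: [bytes_in, bytes_out]} for UDP/123 traffic on server_ip."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a flow record
        src, sport, dst, dport, nbytes = m.groups()
        if dst == server_ip and int(dport) == NTP_PORT:
            totals[src][0] += int(nbytes)      # request received from src
        elif src == server_ip and int(sport) == NTP_PORT:
            totals[dst][1] += int(nbytes)      # response sent to dst
    return totals

def find_reflection_victims(lines, min_ratio=10.0, min_bytes_out=10_000):
    """Flag remote addresses that receive far more NTP bytes from us than they sent.

    A legitimate client gets roughly one reply per request, so its ratio is near 1;
    a spoofed victim receives a large volume of responses for requests it never made.
    """
    flagged = []
    for ip, (b_in, b_out) in tally_ntp_traffic(lines).items():
        ratio = b_out / b_in if b_in else float("inf")
        if b_out >= min_bytes_out and ratio >= min_ratio:
            flagged.append((ip, b_in, b_out, round(ratio, 1)))
    return sorted(flagged, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for ip, b_in, b_out, ratio in find_reflection_victims(SAMPLE_FLOWS.splitlines()):
        print(f"possible reflection victim {ip}: {b_in} B in, {b_out} B out, x{ratio}")
```

A hit means the server is answering far more than it is asked, which is the point at which the operator should restrict unauthenticated queries and notify the address being flooded.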
He said that the NTP amplification attack, which is a type of distributed denial of service (DDoS) attack, can be used by hackers as a "smokescreen": it overloads servers and disrupts firewall protections, leaving corporate systems vulnerable to other types of malicious attack that can ultimately be used to steal confidential business or personal information from those systems.
"The attack sounds super-sophisticated, but it's actually really simple," Stephenson said. "The attackers are compromising the essence of the internet to reflect it back on itself."
Stephenson said that organisations that operate NTP servers may be considered complicit in an NTP amplification attack if their servers are being used to launch hackers' attacks on others' systems. Businesses could be considered "careless" if they unwittingly leave their servers open to unauthenticated request traffic, he said.
If they are notified of the security weakness and fail to act to remedy the issue, however, they run the risk of being deemed to have acted negligently, he said, and leave themselves open to legal claims for damages from victims of cyber attacks in which their servers were used.
"Negligence is the standard which would apply in the absence of a contractual relationship between the affected businesses," cyber liability and data breach insurance specialist Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said.
"A DDoS attack on a business can cause significant business interruption. If an attack causes a business to be offline for a day, for example, the loss of revenue is likely to be significant. A cyber attack can also cause reputational damage to a business as there may be a public perception that data stored by that company is vulnerable to being compromised," he said.
"If an attack emanates from IT infrastructure operated by a business and that business fails to respond quickly and effectively or turns a blind eye to previous warnings, that business may find itself subject to a third-party liability claim from the victim businesses. In addition to potentially significant damages for loss of revenue and reputational damage, the attack hosts may also be liable for the significant forensic costs that the businesses which are victims of that cyber attack are likely to incur in the aftermath of an incident," Birdsey said.