network is overwhelmed by an amplified volume of UDP traffic. As a result, legitimate traffic can no longer reach the victim and its supporting infrastructure.
Amplification attacks rely on a bandwidth cost disparity between the victim's web resource and the hacker. As this cost disparity grows over time with repeated requests, a large influx of traffic threatens the integrity of the networking ecosystem. Small queries are sent in order to elicit much bigger responses, which is where the hacker's advantage comes from. If a botnet of infected IoT devices is used, the hacker multiplies this magnification, since every bot generates such requests; the hacker not only exploits the new traffic but also stays obfuscated behind it.
It is important to understand that these amplification attacks differ from DNS flood attacks. Unlike the latter, amplification attacks are known for reflecting and amplifying traffic off an unprotected DNS server; this greatly helps to conceal the attack and boosts its potency. Usually, amplification attacks deliberately use devices with low-bandwidth connections, since even these can generate several requests to servers. While the devices create multiple requests for extremely large DNS records, the hacker forges the source address of every request so that it carries the victim's address. Thanks to such amplification, the hacker can target big IoT systems even without sufficient resources of their own.
To understand NTP amplification, consider a simple example of a coffee shop. A man contacts the coffee shop via a call. The man asks the shop to create an order for everything on the menu and then to call him back with the complete order. When the shop requests a number to verify his identity, the man provides the number of the victim. Afterwards, the victim keeps getting bombarded with calls that tell them far too much unneeded and irrelevant information.
If you do not know what NTP does, keep in mind that it is the protocol which lets the internal clocks of IoT devices synchronize. Thus, it holds a crucial place in the internet architecture. When hackers are able to exploit an NTP server's monlist command, they can multiply the initial request traffic, thereby generating a big response. By default, the monlist command is turned on, especially in outdated devices, and it creates a reply listing the last 600 source IP addresses that sent requests to the NTP server.
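The monlist reply described above is an NTP "mode 7" (private) packet rather than an ordinary time request, so a defender can spot it in captured traffic by looking at the header. The following classifier is an added example for this chapter, not the book's own code. It assumes the ntpd mode 7 header layout: byte 0 packs the response bit (0x80), the more bit (0x40), the version (bits 3-5) and the mode (bits 0-2); byte 3 is the request code, where 20 (REQ_MON_GETLIST) and 42 (REQ_MON_GETLIST_1) are the monlist requests; bytes 4-7 carry the item count and item size of a response. The sample packets are constructed for the demonstration.

```python
"""Flag NTP mode 7 monlist traffic in captured UDP payloads (added example).

Assumed header layout (ntpd mode 7 "private" format):
  byte 0: R(0x80) M(0x40) VN(3 bits) MODE(3 bits)
  byte 1: auth bit and sequence number
  byte 2: implementation number
  byte 3: request code (20 and 42 are the monlist requests)
  bytes 4-5: 4-bit error code, 12-bit item count
  bytes 6-7: 4 reserved bits, 12-bit item size
Ordinary time packets (modes 3 and 4) share only the VN/MODE bits of byte 0.
"""
import struct
from dataclasses import dataclass

NTP_PORT = 123
MODE_PRIVATE = 7
MONLIST_CODES = {20, 42}  # REQ_MON_GETLIST, REQ_MON_GETLIST_1


@dataclass
class NtpPacket:
    mode: int
    version: int
    response: bool      # meaningful for mode 7 only
    more: bool          # mode 7: further response packets follow
    request_code: int   # mode 7 only, otherwise -1
    nitems: int         # mode 7 only, otherwise 0
    itemsize: int       # mode 7 only, otherwise 0

    @property
    def is_monlist(self) -> bool:
        return self.mode == MODE_PRIVATE and self.request_code in MONLIST_CODES


def parse_ntp(payload: bytes) -> NtpPacket:
    """Decode the fields needed to recognise monlist traffic."""
    if len(payload) < 8:
        raise ValueError("payload shorter than an NTP header")
    first = payload[0]
    mode = first & 0x07
    version = (first >> 3) & 0x07
    if mode != MODE_PRIVATE:
        # Normal client/server packet: nothing monlist-related to extract.
        return NtpPacket(mode, version, False, False, -1, 0, 0)
    err_nitems, mbz_itemsize = struct.unpack("!HH", payload[4:8])
    return NtpPacket(
        mode, version,
        response=bool(first & 0x80),
        more=bool(first & 0x40),
        request_code=payload[3],
        nitems=err_nitems & 0x0FFF,
        itemsize=mbz_itemsize & 0x0FFF,
    )


def classify(src_port: int, dst_port: int, payload: bytes) -> str:
    """Label one captured UDP datagram for alerting."""
    if NTP_PORT not in (src_port, dst_port):
        return "not-ntp"
    pkt = parse_ntp(payload)
    if not pkt.is_monlist:
        return "ntp-normal"
    return "monlist-response" if pkt.response else "monlist-request"


def count_classes(packets) -> dict:
    """Tally labels over (src_port, dst_port, payload) tuples, e.g. from a pcap."""
    counts: dict = {}
    for sport, dport, payload in packets:
        label = classify(sport, dport, payload)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed samples (not real captures).
# NTPv4 client request: LI=0, VN=4, mode=3 -> 0x23, 48 bytes in total.
NORMAL_CLIENT = bytes([0x23]) + bytes(47)
# Monlist request as seen arriving at a server: VN=2, mode=7 -> 0x17,
# implementation 3, request code 42, zero-filled data.
MONLIST_REQ = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(44)
# One monlist response packet: R=1, M=1, VN=2, mode=7 -> 0xD7, carrying
# 6 items of 72 bytes (432 bytes of data) after the 8-byte header.
MONLIST_RESP = bytes([0xD7, 0x00, 0x03, 0x2A]) + struct.pack("!HH", 6, 72) + bytes(6 * 72)

if __name__ == "__main__":
    sample = [(51000, 123, NORMAL_CLIENT), (51000, 123, MONLIST_REQ), (123, 51000, MONLIST_RESP)]
    print(count_classes(sample))
```

Because each mode 7 response packet announces its item count and sets the more bit while further packets are pending, a single packet seen from your own NTP server toward an address that never asked for it is already a strong sign that the server is being used as a reflector; an inbound monlist-request that receives any monlist-response shows the command is still enabled.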
It is important to note here that a monlist response carrying the 600 addresses stored in memory may be more than 200 times bigger than the initial request. Hence, if a hacker is able to muster 1 GB of internet traffic, they have the potential to bombard the victim with an attack of 200+ GB. A standard NTP amplification attack works in the following steps.
1. The hacker uses a botnet to send UDP packets with spoofed source IP addresses to an NTP server on which the monlist command is turned on. Each packet's spoofed IP address is the victim's actual IP address.
2. The NTP server processes the monlist command from every UDP packet it receives, generating a huge response to each.
3. The server sends its data-filled responses to the spoofed address.
4. The target's IP address receives the responses, and the supporting network ecosystem is rendered ineffective as the high traffic overwhelms it, culminating in a denial of service.
The attack makes it look as if the traffic is legitimate and originates from authentic servers. As a consequence, mitigating such traffic is troublesome unless the actual
288 Internet of Things
Internet_of_Things_CH11_pp271-308.indd 288 9/3/2019 10:16:20 AM