In October 2013, Cisco TRAC discussed Network Time Protocol (NTP) as a possible vector for amplified distributed denial of service (DDoS) attacks. Litnet CERT has since revealed that their NTP servers were used in a denial of service (DoS) attack. Symantec also published information regarding an NTP amplification-based DDoS attack that occurred in December 2013. On December 7, 2013, a hackforums.net user posted an NTP amplification DDoS script to Pastebin. The NTP DDoS script is heavily obfuscated Perl, though the plain text at the top credits the "leaking" of the script to an individual who goes by the handle Starfall. Brian Krebs also mentioned someone going by the name Starfall as a paying user of booter.tw. They may be the same person.

Decoding the obfuscated Perl yields some interesting insights. For example, this code near the top of the script has nothing to do with the NTP DDoS functionality:

The code above downloads a program calledspoof.plfrom IP 84.33.192.46, then runs and erases that program while writing the text "j00 g0t 0wn3d s0n" into a hidden file. Unfortunately, we were unable to obtain a copy of thespoof.plscript, but the ominous "j00 g0t 0wn3d s0n" text indicates the purpose of the program was likely to compromise the machine of anyone who was running the obfuscated NTP DDoS script. Is there no honor among hackers?

The remaining portion of the de-obfuscated Perl script contains an array of 220 vulnerable NTP servers that are used for amplification-based DDoS. After searching on pieces of the script's de-obfuscated source, we found other versions of the NTP DDoS script which lacked the "j00 g0t 0wn3d s0n" code, but instead were bundled with code for an IRC client that connects to a server and listens for DDoS commands. In one primitive version of the IRC-based NTP DDoS script that predates the December 7 Pastebin entry, the IRC server setting is "666.0