
Thursday, February 20, 2014

NTP Reflected DDoS


Defining the common terms used throughout this article is the best place to start. The two definitions most important to understanding the article in its entirety are those of NTP and DDoS. NTP (Network Time Protocol) is a networking protocol shared among computer systems and data networks that synchronizes time information between them. DDoS (Distributed Denial of Service) is a type of computer system and network exploitation "attack" in which a malicious party attempts to flood a computer's or network's bandwidth so that it can no longer communicate. This article is an attempt to educate and inform readers about a rapidly growing and popular method of malicious attack, one that can easily go unnoticed by the offending party, who is often unaware of its role.

THREAT

The rate at which these attacks are becoming commonplace is alarming. I have personal experience with these types of attacks and with the steps needed to mitigate them. The attack starts with a malicious party or parties choosing the target they would like to "attack". Once the target has been identified and its IP address obtained, the attacker(s) generate very large numbers of small 8-byte UDP "monlist query" packets and send them to vulnerable or open NTP servers. These requests are sent with a spoofed source (return) IP address: that of the "target" the attacker(s) intend to take down. When an NTP server receives these requests it answers each 8-byte "request" with a 400-byte "reply". As the math shows, the volume of 400-byte replies grows with the number of 8-byte requests at a 50:1 ratio: the attacker(s) could, for instance, send 1 GB of traffic and have the NTP servers return 50 GB of replies.

SOLUTIONS

The NTP protocol uses UDP (User Datagram Protocol) port 123 as its destination port. From the research I have done, the recommended plan to limit the impact of and exposure to this type of attack is to update all NTP servers to a version of NTP that removes the "monlist" command, typically version 4.2.7 or later. However, upgrading code is often not an immediate option, and the simplest solution is then to block all traffic from any source to a destination host with a UDP destination port of 123. For hosts on which NTP cannot be disabled completely, there are other ways to limit the traffic to the specific trusted hosts that need NTP, using Access Control Lists and authentication. There are also restrictions that can be placed in the NTP server configuration file that stop it from replying to NTP queries.
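As an added example that is not part of the original post, here is a constructed ntp.conf showing a reflector-prone configuration beside one hardened with the restrict lines the paragraph above refers to; the 192.0.2.0/24 network is a placeholder for an organization's trusted clients, and the pool hostnames are assumed upstream servers.

```conf
# BEFORE (constructed): no "restrict" lines at all, so ntpd answers
# mode 7 requests such as "monlist" from any source address and can be
# used as a reflector.
server 0.pool.ntp.org
server 1.pool.ntp.org

# AFTER (constructed): hardened ntp.conf for an ntpd 4.2.x server.
# Stop collecting the per-client statistics that "monlist" returns,
# so there is nothing to hand back even if a query slips through.
disable monitor

# Default policy for every IPv4 and IPv6 source: tell rate-limited
# clients to back off (kod), refuse configuration changes (nomodify),
# refuse trap requests (notrap), refuse peering (nopeer) and refuse
# all mode 6/7 queries, which includes monlist (noquery).
# Ordinary client time requests are still answered.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# The host itself keeps full access for local administration.
restrict 127.0.0.1
restrict -6 ::1

# Trusted internal clients (192.0.2.0/24 is a placeholder) may query
# status but still may not modify the server or peer with it.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer

# Upstream servers the daemon synchronizes to.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
```

After restarting ntpd, running `ntpdc -n -c monlist <your-server>` from an untrusted address should time out instead of returning a client list, which confirms the server can no longer be used as a reflector.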

1 comment:

  1. I like your posting regarding the DDoS. Several years ago, my company website was under DDoS attack by a group called Anonymous. The website was paralyzed for two weeks. Fortunately, there was no data breached. After that, our server group folks have updated the firewall and web server security.
