Published on February 4, 2014
NTP Defense Mustafa Golam
Common NTP Attack Signature
NTP amplification attacks work like other UDP amplification attacks. The attacker sends a small UDP packet with a spoofed source address to the NTP server. The packet carries a command such as 'monlist' that requests a large amount of data from the server, and the server sends that data to the spoofed source of the original small packet. In effect, a few bytes of data can generate megabytes' worth of traffic.

Fixing the Problem
1. Update NTP to version 4.2.7p26 or later. This removes the 'monlist' command.
2. Disable queries via a configuration change:
# grep -ai query /etc/ntp.conf
# Prohibit general access to this service.
restrict default ignore
restrict xxx.xxx.xxx.xxx mask 255.255.255.255 nomodify notrap noquery
This prevents your NTP server from being leveraged to launch DDoS attacks against other networks. Note that 'restrict default ignore' drops every packet from hosts not explicitly listed, including ordinary time requests; a server that must still serve time to arbitrary clients should use 'restrict default kod nomodify notrap nopeer noquery' instead, which keeps time service while refusing mode 6 and mode 7 queries.
3. Enable NTP Autokey (see the later slides). Autokey is supported in version 4.2.6 or later. It authenticates the associations between servers and clients; it does not by itself stop monlist reflection, so it complements rather than replaces steps 1 and 2. Check this link: http://support.ntp.org/bin/view/Support/ConfiguringAutokey
NTP Reflection Over the last few weeks (26th Dec, 2013) Symantec has seen a significant spike in NTP reflection attacks across the Internet.
Notable cases (1) Tardis and Trinity College, Dublin
Problem: thousands of copies of a program called Tardis, installed around the world, were contacting the college's web server and obtaining a timestamp via HTTP.
Solution: modify the web server configuration to deliver a customized, greatly reduced version of the home page; return a bogus time value, which caused most of the clients to choose a different time server; release a new version of Tardis that corrects the problem.
Notable cases (2) NETGEAR and the University of Wisconsin–Madison
Problem: NETGEAR hard-coded the address of UW–Madison's NTP servers into the firmware of its DG814, HR314, MR814 and RP614 product lines, a total of 707,147 devices, each of which sent SNTP requests to those servers every second until it received a response. By June 2003 this produced peak traffic of 250,000 packets per second (150 megabits per second).
Solution: a firmware update that points the SNTP clients at NETGEAR's own servers, polls only once every ten minutes, and gives up after five failures. NETGEAR donated 375,000 USD to UW–Madison. A similar problem occurred between SMC and CSIRO.
Notable cases (3) swisstime.ethz.ch and the Providers
Problem: for over 20 years ETH Zurich provided open access to the time server swisstime.ethz.ch for operational time synchronization. Due to excessive bandwidth usage, averaging upwards of 20 GB/day, it became necessary to direct external users to public time server pools such as ch.pool.ntp.org. Misuse, caused mostly by IT providers synchronizing their client infrastructures, placed unusually high demands on network traffic and forced ETH to take effective measures.
Solution: as of fall 2012 swisstime.ethz.ch was changed to closed access. Since the beginning of July 2013 access to the server has been blocked entirely for the NTP protocol.
Notable cases (4) D-Link and Poul-Henning Kamp
Problem: Poul-Henning Kamp (PHK) ran a Danish Stratum 1 NTP server. By convention, Stratum 1 time servers should only be used by applications requiring extremely precise time, such as scientific applications or Stratum 2 servers with a large number of clients. PHK observed a huge rise in traffic and discovered that between 75 and 90% of it was originating from D-Link's router products. Kamp contacted D-Link in November 2005, hoping to get them to fix the problem and compensate him for the time … …
Solution: after going public, Kamp realized that D-Link routers were directly querying other Stratum 1 time servers as well, violating the access policies of at least 43 of them in the process. .. On April 27, 2006, D-Link and Kamp announced that they had "amicably resolved" their dispute…
Recent Attacks on Gaming Servers
Mitigating 80 Gbps Attacks – NTP Amplification Attacks on the Rise: the recent wave of attacks on EA, Riot Games, Blizzard, Valve, and many others in the past few weeks has used a relatively uncommon attack technique. These attacks are similar in nature to DNS amplification attacks, which leveraged misconfigured DNS servers to launch very large attacks. We are now faced with a similar situation with NTP.
Ref:
http://arstechnica.com/security/2014/01/new-dos-attacks-taking-down-game-sites-deliver-crippling-100-gbps-floods/
http://www.reddit.com/r/gaming/comments/1uacp8/derptrolling_is_currently_ddos_on_steam_and_ea/
http://thehackernews.com/2014/01/ddos-attack-NTP-server-reflection-protection.html
http://www.darkreading.com/attacks-breaches/attackers-wage-network-time-protocol-bas/240165063
What is NTP? NTP is the Network Time Protocol, it is a relatively obscure protocol that runs over port 123 UDP and is used to sync time between machines on a network. If you have ever set up a home computer or server and been asked which time server you want to use, that is an NTP connection. NTP is one of those set-it-and-forget-it protocols that is configured once and most network administrators don't worry about it after that. Unfortunately, that means it is also not a service that is upgraded often, leaving it vulnerable to these reflection attacks.
Common NTP client problems
(S)NTP server addresses hard-coded in the firmware of consumer networking devices. Clients that generate query packets at short (less than 5 s) intervals until a response is received. Such grossly over-eager clients (particularly those polling once per second) commonly make up more than 50% of the traffic of public NTP servers, despite being a minuscule fraction of the total clients.
How do NTP reflection attacks work?
Similar to DNS amplification attacks, the attacker sends a small forged packet that requests a large amount of data be sent to the target IP address. In this case the attackers take advantage of the monlist command. Monlist is a remote command in older versions of NTP that sends the requester a list of the last 600 hosts that have contacted that server. For attackers the monlist query is a great reconnaissance tool: against an internal NTP server it helps to build a network profile. As a DDoS tool it is even better, because a small query can redirect megabytes' worth of traffic:

ntpdc -c monlist [hostname]

[root@server ~]# ntpdc -c monlist [hostname]
remote address          port local address      count m ver code avgint lstint
===============================================================================
localhost.localdomain  53949 127.0.0.1            172   0   0    0
tock.usshc.com           123 xxx.xxx.xxx.xxx        1   4   4  5d0      0     53
18.104.22.168            123 xxx.xxx.xxx.xxx        1   4   4  5d0      0     54
rook.slash31.com         123 xxx.xxx.xxx.xxx        1   4   4  5d0      0     55
eightyeight.xmission.c   123 xxx.xxx.xxx.xxx        1   4   4  5d0      0     56

Most scanning tools, such as Nmap, have a monlist script for gathering network information, and many attack tools, including Metasploit, have a monlist DDoS module.
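To make the mechanism above concrete, here is an added example (not code from the slides, and not ntpd's own code) that parses NTP mode 7 packets, the "private" mode that ntpdc and the monlist command use, builds a constructed monlist request and a constructed set of server replies, and works out the payload-level amplification. The field layout follows ntp_request.h in the ntpd source; the 72-byte item size is sizeof(struct info_monitor_1), and the 6-items-per-reply packing gives the 440-byte reply packets seen in real attacks. The addresses and the flow tuples fed to the detector are constructed samples; nothing here touches the network.

```python
"""NTP mode 7 (ntpdc "private") parser with a monlist detector.

Added example, not from the original deck or from ntpd. Layout per ntp_request.h:
  byte 0    : R(1) M(1) VN(3) MODE(3)      mode 7 = private / ntpdc
  byte 1    : AUTH(1) SEQ(7)
  byte 2    : implementation (3 = IMPL_XNTPD)
  byte 3    : request code (20 = REQ_MON_GETLIST, 42 = REQ_MON_GETLIST_1)
  bytes 4-5 : ERR(4) NITEMS(12)
  bytes 6-7 : MBZ(4) ITEMSIZE(12)
  bytes 8.. : items; a MON_GETLIST_1 item (struct info_monitor_1) is 72 bytes
All packets are constructed in memory; nothing is sent on the network.
"""
import socket
import struct

MODE_PRIVATE = 7
IMPL_XNTPD = 3
REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}
MON_ITEM_FMT = "!IIII4s4sIHBBII16s16s"        # struct info_monitor_1 (IPv4 + zeroed v6 fields)
MON_ITEM_SIZE = struct.calcsize(MON_ITEM_FMT)   # 72
ITEMS_PER_PKT = 6                               # 8 + 6 * 72 = 440 bytes per reply


def parse_mode7(payload):
    """Return the mode 7 header fields as a dict, or None if this is not mode 7."""
    if len(payload) < 8:
        return None
    b0, b1, impl, code, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        return None          # ordinary client/server/control traffic, not ntpdc
    return {
        "response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
        "version": (b0 >> 3) & 0x07, "auth": bool(b1 & 0x80), "seq": b1 & 0x7F,
        "impl": impl, "req_code": code,
        "err": err_nitems >> 12, "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_itemsize & 0x0FFF, "data": payload[8:],
    }


def is_monlist_request(payload):
    hdr = parse_mode7(payload)
    return hdr is not None and not hdr["response"] and hdr["req_code"] in MONLIST_CODES


def is_monlist_response(payload):
    hdr = parse_mode7(payload)
    return hdr is not None and hdr["response"] and hdr["req_code"] in MONLIST_CODES


def build_monlist_request(seq=0, version=2):
    """The minimal 8-byte REQ_MON_GETLIST_1 probe: 17 00 03 2a 00 00 00 00."""
    b0 = (version << 3) | MODE_PRIVATE
    return struct.pack("!BBBBHH", b0, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def pack_mon_item(addr, daddr, port=123, count=1, mode=4, version=4):
    """One constructed info_monitor_1 entry for an IPv4 client (v6 fields zeroed)."""
    return struct.pack(MON_ITEM_FMT, 0, 0, 0, count, socket.inet_aton(addr),
                       socket.inet_aton(daddr), 0, port, mode, version, 0, 0,
                       b"\0" * 16, b"\0" * 16)


def build_monlist_response(items, seq=0, version=2):
    """Split entries into reply packets the way ntpd does: 6 items, 440 bytes each."""
    chunks = [items[i:i + ITEMS_PER_PKT] for i in range(0, len(items), ITEMS_PER_PKT)] or [[]]
    packets = []
    for n, chunk in enumerate(chunks):
        more = n < len(chunks) - 1                  # M bit: further packets follow
        b0 = 0x80 | (0x40 if more else 0) | (version << 3) | MODE_PRIVATE
        hdr = struct.pack("!BBBBHH", b0, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                          len(chunk), MON_ITEM_SIZE)
        packets.append(hdr + b"".join(chunk))
    return packets


def amplification_factor(request, responses):
    """Bytes of UDP payload returned per byte of request payload."""
    return sum(len(p) for p in responses) / len(request)


def flag_monlist(flows):
    """Scan (src, dst, payload) tuples and return alerts for mode 7 monlist traffic."""
    alerts = []
    for src, dst, payload in flows:
        if is_monlist_request(payload):
            alerts.append(("monlist-request", src, dst))   # src may be a spoofed victim
        elif is_monlist_response(payload):
            alerts.append(("monlist-response", src, dst))  # dst is the reflection target
    return alerts


if __name__ == "__main__":
    req = build_monlist_request()
    # constructed table of 600 "recent clients", the maximum monlist returns
    table = [pack_mon_item("192.0.%d.%d" % (i // 256, i % 256), "198.51.100.1") for i in range(600)]
    replies = build_monlist_response(table)
    print(len(replies), "reply packets,", amplification_factor(req, replies), "x payload amplification")
```

A 600-entry table yields 100 reply packets of 440 bytes for an 8-byte request, which is why the slides speak of a few bytes producing megabytes once the request is repeated. The detector keys on the mode bits and request code rather than packet size, so it also catches a padded request, and a mode 7 response leaving your server toward an address that never sent a request is the signature of your host being used as a reflector.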
How can you protect your servers?
The easiest way is to update to NTP version 4.2.7p26 or later, which removes the monlist command entirely. If upgrading is not an option, add noquery to the restrict lines in ntp.conf. This disables access to mode 6 and mode 7 query packets (which includes monlist). By disabling monlist, or upgrading so that the command is no longer there, you are not only protecting your network from unwanted reconnaissance but also protecting it from inadvertently being used in a DDoS attack.
More reading on NTP security: http://www.eecis.udel.edu/~mills/security.html
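The configuration advice in the Fixing the Problem slide and in this one is easy to get subtly wrong (a 'restrict default' line that is present but lacks noquery, or an IPv6 default that was never set). As an added example, not part of the original deck, the following check reads an ntp.conf and reports which of the discussed settings are missing. It assumes ntpd 4.2.6+ semantics, where an unqualified 'restrict default' applies to both address families; the two configs embedded below are constructed samples, one weak and one hardened, not real server configs.

```python
"""Audit an ntp.conf for the anti-reflection settings discussed on the slides.

Added example, not code from the deck or from ntpd. Only 'restrict' lines
(IPv4 'default' and IPv6 '-6 default') and 'disable monitor' are checked.
Assumption: ntpd 4.2.6+ semantics, where 'restrict default' with no -4/-6
qualifier applies to both families; on older builds add '-6 default' explicitly.
"""
import shlex

# flags a public time server should carry on its default restriction
REQUIRED_DEFAULT_FLAGS = {"noquery", "nomodify", "notrap", "nopeer"}

WEAK_CONF = """\
# constructed sample: stock-looking config with no default restriction at all
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict 127.0.0.1
"""

HARDENED_CONF = """\
# constructed sample: serves time to everyone, answers mode 6/7 queries to nobody
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""


def _parse_restrict(args):
    """Return (families, target, flags) for the tokens after the 'restrict' keyword."""
    families = ("4", "6")
    if args and args[0] in ("-4", "-6"):
        families = (args[0][1],)
        args = args[1:]
    target = args[0] if args else ""
    rest = args[1:]
    if rest[:1] == ["mask"]:          # 'mask a.b.c.d' consumes the next token
        rest = rest[2:]
    return families, target, set(rest)


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means the checked settings are in place."""
    defaults = {}                      # family -> flags on the 'default' restriction
    monitor_disabled = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] == "disable" and "monitor" in parts[1:]:
            monitor_disabled = True
        elif parts[0] == "restrict":
            families, target, flags = _parse_restrict(parts[1:])
            if target == "default":
                for fam in families:
                    defaults[fam] = flags

    findings = []
    for fam, label in (("4", "restrict default"), ("6", "restrict -6 default")):
        flags = defaults.get(fam)
        if flags is None:
            findings.append(f"{label} missing: any host may send mode 6/7 queries such as monlist")
            continue
        if "ignore" in flags:
            continue                   # everything dropped, time service included
        for flag in sorted(REQUIRED_DEFAULT_FLAGS - flags):
            findings.append(f"{label} lacks {flag}")
    if not monitor_disabled:
        findings.append("'disable monitor' missing: monlist table still collected "
                        "(matters on builds older than 4.2.7p26)")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or ["ok"])
```

The slide's own 'restrict default ignore' passes the check because it drops every packet from unlisted hosts; the hardened sample is the form to prefer on a server that must keep answering time requests from the Internet, since kod/nomodify/notrap/nopeer/noquery leaves mode 3 time service intact while refusing the ntpq and ntpdc query modes that reflection abuses.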
Q&A?? Thank You!!