Guide to NTP monlist Amplification Issues

What is Network Time Protocol?

NTP stands for Network Time Protocol (was first described in RFC 958), and it is an Internet protocol used to synchronize the clocks of computers to some time reference.

You can read more details about this protocol: http://en.wikipedia.org/wiki/Network_Time_Protocol

Description:

The UDP-based NTP protocol can be abused to amplify denial-of-service attack traffic. The attacker sends a large number of UDP packets to the NTP server (on port 123) with a spoofed source IP address so that the server's replies saturate the target. Some NTP installations also support the MONLIST command, which has a large amplification factor and causes even more saturation. Exposing your NTP service publicly might also allow hackers to gather information about your server to prepare an attack.

How to verify if your server/device is vulnerable

You can verify if the NTP service is exposed and if the monlist command is activated using the following command as root:

# sudo nmap -sU -pU:123 -Pn -n --script=ntp-monlist <server-IP>

Output example:

PORT    STATE SERVICE
123/udp open  ntp
| ntp-monlist:
|   Public Clients (120)
|       xx.xx.xx.xx    xx.xx.xx.xx   xx.xx.xx.xx   xx.xx.xx.xx   
|       xx.xx.xx.xx    xx.xx.xx.xx   xx.xx.xx.xx   xx.xx.xx.xx   
|       xx.xx.xx.xx    xx.xx.xx.xx   xx.xx.xx.xx   xx.xx.xx.xx   
|       xx.xx.xx.xx    xx.xx.xx.xx   xx.xx.xx.xx   xx.xx.xx.xx   
|       xx.xx.xx.xx    xx.xx.xx.xx   xx.xx.xx.xx   xx.xx.xx.xx   
|       xx.xx.xx.xx    xx.xx.xx.xx   xx.xx.xx.xx   xx.xx.xx.xx   
|       xx.xx.xx.xx    xx.xx.xx.xx   xx.xx.xx.xx   xx.xx.xx.xx   
|       xx.xx.xx.xx    xx.xx.xx.xx   xx.xx.xx.xx   xx.xx.xx.xx   
|       xx.xx.xx.xx    xx.xx.xx.xx   xx.xx.xx.xx   xx.xx.xx.xx   
[...]

The following website and commands can also provide additional details about the exposed NTP service:

https://w3dt.net/tools/ntpq

# sudo ntpq -crv <server-IP>
# sudo ntpdc -c sysinfo <server-IP>
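The amplification described above and the monlist check shown with nmap both come down to the NTP mode 7 ("private") header that ntpdc and the monlist command use. The following Python script is an added example, not code from the original article: it decodes that header, ignores ordinary mode 3/4 time traffic, and, over a constructed capture (the addresses, the single 8-byte request and the three 440-byte replies are sample data, not real traffic), reports how many bytes a server sent back per byte it received. Fed with real captured UDP payloads from your own server, the same logic tells you whether monlist is answering and how strongly it amplifies.

```python
import struct

# NTP mode 7 ("private") header, the format ntpdc and the monlist command use.
# Layout (ntpd's ntp_request.h): rm_vn_mode, auth_seq, implementation, request,
# err_nitems (u16), mbz_itemsize (u16), then a data area of nitems * itemsize bytes.
MODE_PRIVATE = 7
IMPL_XNTPD = 3            # implementation number used by the reference ntpd
REQ_MON_GETLIST = 20      # original monlist request code
REQ_MON_GETLIST_1 = 42    # MON_GETLIST_1, the code ntpdc's "monlist" sends
MONLIST_REQUESTS = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}


def parse_mode7(pkt):
    """Decode the 8-byte mode 7 header. Returns None for anything that is not mode 7."""
    if len(pkt) < 8:
        return None
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(
        "!BBBBHH", pkt[:8])
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        return None          # mode 3/4 time sync, mode 6 control, etc.
    return {
        "response": bool(rm_vn_mode & 0x80),   # R bit: server -> client
        "more": bool(rm_vn_mode & 0x40),       # M bit: further packets follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request": req,
        "error": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_itemsize & 0x0FFF,
        "length": len(pkt),
    }


def monlist_response(seq, more):
    """Constructed monlist reply: 6 entries of 72 bytes after the header (440 bytes)."""
    flags = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    return struct.pack("!BBBBHH", flags, seq, IMPL_XNTPD,
                       REQ_MON_GETLIST_1, 6, 72) + bytes(6 * 72)


def sample_capture():
    """Constructed (src, dst, udp_payload) tuples; sample data, not real traffic."""
    client, server = "192.0.2.10", "198.51.100.5"
    monlist_request = bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1]) + bytes(4)
    # Ordinary NTPv3 client query and server reply (48 bytes each); must be ignored.
    time_request = bytes([0x1B]) + bytes(47)
    time_reply = bytes([0x1C]) + bytes(47)
    return [
        (client, server, time_request),
        (server, client, time_reply),
        (client, server, monlist_request),
        (server, client, monlist_response(0, more=True)),
        (server, client, monlist_response(1, more=True)),
        (server, client, monlist_response(2, more=False)),
    ]


def amplification_report(flows):
    """Per server: monlist request/response counts, bytes and the byte amplification ratio."""
    stats = {}
    for src, dst, payload in flows:
        hdr = parse_mode7(payload)
        if hdr is None or hdr["request"] not in MONLIST_REQUESTS:
            continue
        server = src if hdr["response"] else dst
        s = stats.setdefault(server, {"requests": 0, "request_bytes": 0,
                                      "responses": 0, "response_bytes": 0, "ratio": 0.0})
        if hdr["response"]:
            s["responses"] += 1
            s["response_bytes"] += hdr["length"]
        else:
            s["requests"] += 1
            s["request_bytes"] += hdr["length"]
    for s in stats.values():
        if s["request_bytes"]:
            s["ratio"] = s["response_bytes"] / s["request_bytes"]
    return stats


if __name__ == "__main__":
    for server, s in amplification_report(sample_capture()).items():
        print(f"{server}: {s['requests']} monlist request(s), {s['request_bytes']} B in; "
              f"{s['responses']} response(s), {s['response_bytes']} B out; "
              f"ratio {s['ratio']:.0f}x")
```

A server whose report shows a non-zero response count is answering monlist and needs the fixes in the Resolution section; a server that only shows requests is receiving probes but not amplifying them.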

Resolution:

To protect your server implement one of these solutions: 

1) Disable the ntpd service if you are not using it. This is the easiest and most effective solution.

2) Restrict access to the service in the ntpd configuration (ntp.conf).

3) Configure your firewall to block incoming traffic to the NTP service (UDP port 123), or restrict access to authorized endpoints only.
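For solution 2), the two ntp.conf settings that matter are "disable monitor" (the monitoring facility is switched off, so monlist has nothing to return) and a "restrict default" line carrying "noquery" (ntpq/ntpdc queries, which include monlist, are refused for all clients not covered by a more specific restrict line). The following Python script is an added example, not part of the original article: it holds a constructed stock configuration beside a constructed hardened one and audits either for those two settings. The audit only inspects the default policy; a more specific "restrict <network>" line without "noquery" can still open queries for that network, and the firewall rules of solution 3) are outside the file.

```python
# Constructed sample ntp.conf fragments (not from the original article).
WEAK_NTP_CONF = """\
# Typical stock configuration: time servers only, no access policy.
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
"""

HARDENED_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
# Switch the monitoring facility off: monlist then has nothing to return.
disable monitor
# Deny ntpq/ntpdc queries (noquery) and runtime changes from everyone by default.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Keep unrestricted access from the host itself.
restrict 127.0.0.1
restrict -6 ::1
"""


def audit_ntp_conf(text):
    """Check whether a configuration leaves monlist reachable from arbitrary clients.

    Simplification: only the default policy is inspected; more specific
    'restrict <network>' entries that override it are not evaluated.
    """
    monitor_disabled = False
    query_denied = {"ipv4": False, "ipv6": False}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "disable" and "monitor" in tokens[1:]:
            monitor_disabled = True
        elif tokens[0] == "restrict":
            rest = tokens[1:]
            families = ["ipv4", "ipv6"]           # bare 'restrict default' covers both
            if rest and rest[0] in ("-4", "-6"):
                families = ["ipv4" if rest[0] == "-4" else "ipv6"]
                rest = rest[1:]
            if rest and rest[0] == "default":
                flags = set(rest[1:])
                if "noquery" in flags or "ignore" in flags:
                    for fam in families:
                        query_denied[fam] = True
    findings = []
    if not monitor_disabled:
        findings.append("monitoring facility is on: add 'disable monitor'")
    for fam, denied in query_denied.items():
        if not denied:
            findings.append(f"{fam} default restriction does not deny queries: "
                            "add 'noquery' to 'restrict default'")
    return {
        "monitor_disabled": monitor_disabled,
        "query_denied": query_denied,
        # Either control alone closes monlist; both together is the intended state.
        "monlist_exposed": not monitor_disabled and not all(query_denied.values()),
        "findings": findings,
    }


if __name__ == "__main__":
    for name, conf in (("stock", WEAK_NTP_CONF), ("hardened", HARDENED_NTP_CONF)):
        result = audit_ntp_conf(conf)
        print(f"{name}: monlist exposed = {result['monlist_exposed']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against the real file with audit_ntp_conf(open("/etc/ntp.conf").read()); after changing the configuration, restart ntpd and repeat the nmap check from the section above to confirm monlist no longer answers.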


References:

  1. http://www.kb.cert.org/vuls/id/348126
  2. https://www.us-cert.gov/ncas/alerts/TA14-017A
  3. http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
  4. http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
  5. http://www.prolexic.com/kcresources/white-paper/white-paper-snmp-ntp-chargen-reflection-attacks-drdos/An_Analysis_of_DrDoS_SNMP-NTP-CHARGEN_Reflection_Attacks_White_Paper_A4_042913.pdf
  6. http://en.wikipedia.org/wiki/Network_Time_Protocol
  7. http://www.ntp.org/ntpfaq/NTP-s-def.htm
  8. http://nmap.org/nsedoc/scripts/ntp-monlist.html
  9. http://www.arbornetworks.com/asert/2014/02/ntp-attacks-welcome-to-the-hockey-stick-era/
  10. https://www.shadowserver.org/wiki/pmwiki.php/Services/NTP-Version

