Guide to NTP monlist Amplification Issues

What is Network Time Protocol?

NTP stands for Network Time Protocol (first described in RFC 958). It is an Internet protocol used to synchronize the clocks of computers to a time reference.

You can read more details about this protocol: http://en.wikipedia.org/wiki/Network_Time_Protocol

Description:

The UDP-based NTP protocol can be abused to amplify denial-of-service attack traffic. Servers and network devices running NTP based on ntpd implementations prior to version 4.2.7p26 that use the default unrestricted query configuration can be abused as reflectors in a distributed reflected denial-of-service (DRDoS) attack. Other proprietary NTP implementations may also be affected.

The attacker sends a large number of small UDP packets with a spoofed source IP address, so that they appear to come from the intended target, to Network Time Protocol servers (UDP port 123) that support the MONLIST command. The servers then send their much larger MONLIST responses to the target, which is what produces the amplification.

How to verify if your server/device is vulnerable

The check below uses the nmap ntp-monlist NSE script (reference 7). When MONLIST is enabled, the script prints the list of recent clients the server returned; when the host returns no MONLIST data, as in this run, the script prints nothing and only the port state is shown:

# sudo nmap -sU -pU:123 -Pn -n --script=ntp-monlist 174.142.118.35
Starting Nmap 6.40 ( http://nmap.org ) at 2014-04-01 17:38 EDT
Nmap scan report for 174.142.118.35
Host is up.
PORT    STATE         SERVICE
123/udp open|filtered ntp
Nmap done: 1 IP address (1 host up) scanned in 7.12 seconds

Resolution:

To protect your server, apply one of the following measures:

1) Disable the ntpd service on your server. This is the easiest and the most effective solution.

2) Update ntpd to version 4.2.7p26 or later.

3) Configure your firewall to perform egress filtering, which helps mitigate attacks that rely on source IP spoofing. Refer to your product's documentation for instructions on how to perform egress filtering.

4) Disable status queries or restrict access in the ntpd configuration (ntp.conf), so that mode 6/7 control and monitoring queries such as MONLIST are refused from the network.
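As an added example (not part of the original article), the POSIX shell script below shows a weak ntp.conf beside a hardened one that implements step 4, together with a small audit function that reports whether a given ntp.conf still leaves MONLIST/status queries open. It complements the nmap check above by looking at the configuration on the host itself. The two sample configurations, the pool server name and the file paths are constructed for the example; the audit only looks for the two settings that matter here ("disable monitor" and "noquery" on every "restrict default" line) and is not a full ntp.conf parser.

```shell
#!/bin/sh
# Added example, not from the original article: audit an ntp.conf for the
# settings that stop ntpd answering MONLIST/status queries over the network.
# Assumes classic ntpd 4.2.x ntp.conf syntax. Sample configs are constructed.

# Constructed sample: a weak configuration. "restrict default" lacks
# noquery, and the monitor facility is left on, so MONLIST is answered.
weak_conf() {
  cat <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
EOF
}

# Constructed sample: hardened configuration (resolution step 4).
hardened_conf() {
  cat <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
# Turn off the monitor facility: MONLIST has nothing to return.
disable monitor
# Refuse mode 6/7 queries from everyone by default (noquery) ...
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# ... but keep access from localhost for ntpq/ntpdc administration.
restrict 127.0.0.1
restrict -6 ::1
EOF
}

# ntp_conf_check FILE
# Prints one finding per problem. Returns 0 if the file is hardened,
# 1 if it still exposes MONLIST/status queries.
ntp_conf_check() {
  f="$1"
  rc=0
  dflt='^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default'
  if ! grep -Eq '^[[:space:]]*disable[[:space:]]+monitor' "$f"; then
    echo "$f: 'disable monitor' missing (MONLIST stays enabled)"
    rc=1
  fi
  if ! grep -Eq "$dflt" "$f"; then
    echo "$f: no 'restrict default' line at all (all queries permitted)"
    rc=1
  fi
  # Every 'restrict default' / 'restrict -4|-6 default' line needs noquery.
  if grep -E "$dflt" "$f" | grep -Evq 'noquery'; then
    echo "$f: a 'restrict default' line lacks noquery"
    rc=1
  fi
  return $rc
}

# Usage: write both constructed samples to temporary files and audit them.
w=$(mktemp); weak_conf >"$w"
h=$(mktemp); hardened_conf >"$h"
ntp_conf_check "$w" || echo "weak sample: exposed"
ntp_conf_check "$h" && echo "hardened sample: ok"
rm -f "$w" "$h"
```

To audit a live host, run ntp_conf_check against /etc/ntp.conf (or wherever your distribution keeps it) and restart ntpd after changing the file; the nmap check above then confirms from the network side that MONLIST no longer returns data.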

References:

  1. http://www.kb.cert.org/vuls/id/348126
  2. http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
  3. http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
  4. http://www.prolexic.com/kcresources/white-paper/white-paper-snmp-ntp-chargen-reflection-attacks-drdos/An_Analysis_of_DrDoS_SNMP-NTP-CHARGEN_Reflection_Attacks_White_Paper_A4_042913.pdf
  5. http://en.wikipedia.org/wiki/Network_Time_Protocol
  6. http://www.ntp.org/ntpfaq/NTP-s-def.htm
  7. http://nmap.org/nsedoc/scripts/ntp-monlist.html
  8. http://www.arbornetworks.com/asert/2014/02/ntp-attacks-welcome-to-the-hockey-stick-era/
  9. https://www.shadowserver.org/wiki/pmwiki.php/Services/NTP-Version
