July 8, 2015

GPON

I ran into this technology while working, and I wanted to find out what it specifically is. To put it simply, it is one way of implementing optical networking. Below I will provide a very short introduction to this technology.


Gigabit-capable Passive Optical Networking

A passive optical network consists of a central office node, called an optical line terminal (OLT), one or more user nodes, called optical network units (ONUs) or optical network terminals (ONTs), and the fibers and unpowered (passive) splitters between them. ONUs and ONTs are the devices that terminate the optical network and present customer service interfaces to the user. The difference between the two is that an ONT is usually connected to the customer's own device (e.g. a wireless access point) inside the customer's apartment, whereas an ONU is connected to a building's internal network, through which the connection is forwarded to multiple apartments.
Figure: Active vs. passive optical networking (fetched from Wikipedia)

The passive optical splitters allow a single optical fiber to serve multiple customers. However, as the picture shows, a passive splitter cannot sort data packets individually: every packet is sent in a broadcast manner, i.e. forwarded to every device connected to that splitter. Those devices then pick out only the packets that are actually meant for them and discard the rest.

There are multiple advantages to using GPON. For example, it supports 20 km service coverage; such a long reach allows ISPs to reduce the number of network nodes and save money. Furthermore, with inexpensive passive splitters one fiber connection can be split among up to 64 ONTs. Replacing old copper wires can be done cost-effectively with this technology, and fast connections of up to 1 Gbit/s will be available to consumers. The GPON standard is technically capable of providing mainstream connection speeds of 2.49 Gbit/s downstream and 1.24 Gbit/s upstream.

All of the GPON connections I have run into have been Fiber-To-The-Home solutions. The picture below clarifies the meaning of FTTH.

Figure: Red for optical fiber, yellow for Ethernet/VDSL/ADSL (fetched from Wikipedia)

Sources

http://www.slideshare.net/mansoor_gr8/gpon-fundamentals
https://en.wikipedia.org/wiki/Network_interface_device#ONT
https://en.wikipedia.org/wiki/Passive_optical_network
http://www.accton.com/Newspage.asp?sno=80

June 11, 2015

NTP DDoS


I came across this topic during work: a client reported that he was being targeted by an NTP DDoS attack. As I didn't know the technical details behind this, I wanted to find out.

NTP - Network Time Protocol

There are plenty of NTP servers all over the world. Their purpose is to convey timekeeping information from primary time servers to secondary time servers and then to clients over the Internet. You can check which NTP server your computer uses from your clock settings:


To put it simply, NTP allows computers connected to the Internet to synchronize their clocks. 

Some NTP servers also support a monitoring service that lets administrators query the server for a traffic count. This command, called monlist, sends the requester a list of the last 600 hosts that have connected to the server.

This can also be exploited in an NTP amplification DDoS attack.

NTP amplification attack

NTP, like DNS, is a simple UDP-based protocol that can be persuaded to return a large reply to a small request. This is what makes amplification attacks dangerous: they are much easier to conduct than unamplified DDoS attacks. The query-to-response ratio in NTP amplification can be more than 200:1. In theory this means that an attacker who controls one machine with 1 Gbps of output could direct over 200 Gbps of traffic towards the target. That is equivalent to something like watching 10 000 HDTV channels simultaneously.

Technically, NTP amplification is a type of reflection attack. The attacker repeatedly sends a traffic count query to an NTP server but replaces the requester's IP address with the victim's IP address. This way the answers are directed to the victim, which is flooded with data from the server. In practice the attack becomes very powerful when the attacker controls several compromised computers and uses them to send requests to multiple time servers at the same time.

However, you don't need to own a botnet to conduct an NTP amplification attack. Basically anyone with a list of open NTP servers on the Internet can pull off this DDoS attack. They have to find out which of those servers support the monlist command, and that is not very hard: common tools like Metasploit and Nmap have modules capable of doing that. Furthermore, the Open NTP Project aims to highlight open and exploitable NTP servers and get them patched, so one can find some information there too.
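From the operator's side, the reflection pattern described above shows up in flow data as a lopsided byte ratio between the traffic a client apparently sends to UDP/123 on a server and the traffic the server sends back to that client. The script below is an added example written for this page (it is not code from the original post or from any of the cited sources): it aggregates a few constructed NetFlow-style records per (server, client) pair and reports pairs whose server-to-client byte ratio exceeds a threshold. The flow records, the documentation addresses (RFC 5737 ranges) and the 10:1 threshold are all assumptions made for the example.

```python
"""Flow-based detector for NTP amplification/reflection traffic.

Added example, not from the original post. Flow records and addresses are
constructed; the orientation rule (dport 123 = request, sport 123 = reply)
is the assumption the detector rests on.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

NTP_PORT = 123
# Server-to-client byte ratio above which a pair is reported. A normal NTP
# exchange is one 48-byte request answered by one 48-byte reply (ratio ~1:1);
# the post quotes more than 200:1 for monlist responses.
RATIO_THRESHOLD = 10.0


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as a NetFlow/IPFIX exporter would emit it."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    bytes: int
    packets: int


# Constructed sample flows using RFC 5737 documentation addresses; not real traffic.
SAMPLE_FLOWS: List[Flow] = [
    # A legitimate client synchronising its clock: 48 bytes each way.
    Flow("192.0.2.10", 50123, "198.51.100.5", NTP_PORT, "udp", 48, 1),
    Flow("198.51.100.5", NTP_PORT, "192.0.2.10", 50123, "udp", 48, 1),
    # Reflection pattern: small requests carrying the victim's address as source,
    # answered by large responses that the server sends to the victim.
    Flow("203.0.113.7", 51234, "198.51.100.5", NTP_PORT, "udp", 2000, 50),
    Flow("198.51.100.5", NTP_PORT, "203.0.113.7", 51234, "udp", 460000, 1000),
    # Unrelated DNS traffic, ignored by the detector.
    Flow("192.0.2.10", 40000, "198.51.100.53", 53, "udp", 60, 1),
]


def ntp_byte_counts(flows: Iterable[Flow]) -> Dict[Tuple[str, str], List[int]]:
    """Sum UDP/123 bytes per (server, client) pair.

    Returns {(server, client): [bytes_to_server, bytes_from_server]}. A flow whose
    destination port is 123 is treated as a request to the server at dst; a flow
    whose source port is 123 is treated as a response from the server at src.
    """
    counts: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == NTP_PORT and f.sport != NTP_PORT:
            counts[(f.dst, f.src)][0] += f.bytes
        elif f.sport == NTP_PORT and f.dport != NTP_PORT:
            counts[(f.src, f.dst)][1] += f.bytes
        # Flows with port 123 on both ends cannot be oriented from ports alone; skipped.
    return dict(counts)


def find_amplification(flows: Iterable[Flow], threshold: float = RATIO_THRESHOLD):
    """Return [(server, client, ratio)] for pairs whose server->client bytes exceed
    threshold times the client->server bytes, largest ratio first."""
    hits = []
    for (server, client), (to_server, from_server) in ntp_byte_counts(flows).items():
        # No request bytes observed at all (asymmetric routing, or the collector only
        # sees the victim side): treat the ratio as unbounded so the pair is reported.
        ratio = from_server / to_server if to_server else float("inf")
        if ratio > threshold:
            hits.append((server, client, ratio))
    hits.sort(key=lambda h: h[2], reverse=True)
    return hits


if __name__ == "__main__":
    for server, client, ratio in find_amplification(SAMPLE_FLOWS):
        print(f"possible amplification: reflector {server} -> victim {client}, "
              f"ratio {ratio:.0f}:1")
```

Run stand-alone it reports the single constructed reflector/victim pair at 230:1 and stays silent about the normal 1:1 exchange. A real deployment would feed it exported flows per time window and alert on the reflector (your own server answering far more than it is asked) as well as on the victim (an address receiving large UDP/123 replies it never requested).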

Mitigation

NTP and all other UDP-based amplification attacks rely on source IP address spoofing. If attackers weren't able to spoof the source IP address, they would only be able to DDoS themselves. Network operators should ensure that they follow BCP38 and prevent packets with spoofed source addresses from leaving their network. Furthermore, they should restrict access to their NTP servers and disable the monlist command.
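The two server-side measures, restricting access and disabling monlist, look like this in the classic reference ntpd. The excerpt is an added example written for this page, not configuration from the original post or from the cited sources; it assumes the host only needs to answer time requests and the upstream server name is a placeholder.

```conf
# /etc/ntp.conf excerpt (added example, not from the original post)

# Turn off the monitoring facility that the monlist query reads from.
disable monitor

# Default policy for every client: serve time, but refuse configuration changes
# (nomodify), trap registration (notrap), peering (nopeer) and ntpq/ntpdc queries
# (noquery); kod sends kiss-o'-death packets to clients that exceed rate limits.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Keep local administration from the host itself possible.
restrict 127.0.0.1
restrict ::1

# Upstream source to synchronise with (placeholder name, replace with your own).
server ntp.example.net iburst
```

`noquery` blocks both the mode 6 (ntpq) and mode 7 (ntpdc) query paths, so monlist stops answering even on builds where `disable monitor` alone is not enough, while ordinary client time requests are still served. BCP38 itself is enforced on the network side rather than on the time server, typically with ingress ACLs or unicast reverse-path forwarding checks on customer-facing interfaces.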



I'm hoping to be able to test this attack in practice in an isolated environment later...


References:

https://www.incapsula.com/ddos/attack-glossary/ntp-amplification.html
http://tools.ietf.org/html/rfc5905
http://openntpproject.org/
https://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/
https://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks/

June 9, 2015

About

I am an information security professional and this is my learning diary.

The goal of this blog is to help me learn and improve myself. I use research done by other people, combine different information sources, and write articles that are as easy to understand as possible. By publicly writing about interesting topics, and trying to explain them clearly, I can effectively improve my own understanding of those subjects.

"If you can't explain it simply, you don't understand it well enough."
 - Albert Einstein

All seemingly complicated things are only combinations of many simple things.

That being said, check out what I wrote about the Feynman Technique.