June 11, 2015

NTP DDoS


I came across this topic during work - a client reported he is being targeted by NTP DDoS attack. As I didn't know the technical details behind this, I wanted to find out.

NTP - Network Time Protocol

There are plenty of NTP servers all over the world. The purpose of them is to convey timekeeping information from primary time servers to secondary time servers and then to clients over the Internet. You can check which NTP server your computer uses from your clock settings:


To put it simply, NTP allows computers connected to the Internet to synchronize their clocks. 

Some NTP servers also support a monitoring service that enables administrators to query the server for a traffic count. This command, called monlist, sends the requester a list of the last 600 hosts that have connected to the server.

This can also be exploited in NTP amplification DDoS attack.

NTP amplification attack

NTP, like DNS, is a simple UDP-based protocol that can be persuaded to return a large reply to a small request. This is why amplification attacks are dangerous, they are much easier to conduct than unamplified DDoS attacks. The query-to-response ratio in NTP amplification can be even more than 200:1. Theoretically this means that an attacker who controls 1 machine with 1Gbps output could direct over 200Gbps of traffic towards the target. That is equal to something like watching 10 000 HDTV channels simultaneously.

Technically NTP amplification is a type of reflection attack. The attacker repeatedly sends a traffic count query to NTP server, but changes the IP-address of the requester to the IP-address of the victim. This way the answers are directed to the victim, and he is flooded with information from the server. In practice this attack becomes very powerful when the attacker has control over several compromised computers and from them sends requests to multiple time servers at the same time.

However, you don't need to own a botnet to conduct NTP amplification attack. Basically anyone with a list of open NTP servers on the Internet can pull off this DDoS attack. He has to find out which of those servers support the monlist command, and that is not very hard. Common tools like Metasploit and NMAP have modules capable of doing that. Furthermore, Open NTP project aims to highlight open and exploitable NTP servers and get them patched, so one can find some information there too.

Mitigation

NTP and all other UDP-based amplification attacks rely on source IP address spoofing. If attackers weren't able to spoof the source IP address then they would only be able to DDoS themselves. Network operators should ensure that they are following BCP38 and prevent packets with spoofed source addresses from leaving their network. Furthermore, they should restrict access to their NTP servers and disable the MONLIST command.



I'm hoping to be able to test this attack in practice in an isolated environment laters...


References:

https://www.incapsula.com/ddos/attack-glossary/ntp-amplification.html
http://tools.ietf.org/html/rfc5905
http://openntpproject.org/
https://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/
https://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks/

No comments :

Post a Comment