NTP DoS reflection attacks
Over the last few years there's been a significant increase of a specific amplified Distributed Reflection Denial of Service attacks. In addition to Internet Protocol address spoofing these attacks mostly exploit old and unprotected internet services that enable unauthenticated (connectionless) clients to receive bigger responses hence amplifying the traffic. Perhaps the most common examples are open DNS resolvers and public unauthenticated SNMP servers that became instrumental in large targeted DDoS attacks.
As global networks continue to grow and become more complex risks are greatly increasing. By disabling and/or restricting unnecessary and potentially unsafe functionality of such services system administrators can help to eliminate these inherent vulnerabilities in their networks and thus contribute to global network security. In LITNET we recently observed a very interesting NTP attack following the mentioned pattern during which enormous amounts of data was being sent from our stratum 1/2 NTP servers:
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes
2013-10-21 08:21:17.630 147.610 UDP X.X.X.X:123 -> Y.Y.Y.Y:25565 ...... 0 2.4 M 1.1 G
2013-10-21 08:21:17.630 147.600 UDP Y.Y.Y.Y:25565 -> X.X.X.X:123 ...... 128 24100 867600
There seems to be very little relevant information on this amplification+reflection NTP attack type in the internet. After a little research it turned out that it was utilizing 'monlist' query which is a built-in monitoring function providing a history of recent NTP clients. During the attack huge amounts of small spoofed 8-byte UDP packets are sent to the vulnerable (or rather "open") NTP server in which it responds with a proper DoS. Currently the best available solution is to update to NTP 4.2.7p26 for which the support of 'monlist' query has been removed in favor of new safe 'mrunlist' function which uses a nonce value ensuring that received IP address match the actual requester. After upgrading our NTP servers the attacks stopped. Even though it's a tiny little function of NTP it effectively enabled attacker to exploit our server. Therefore if you happen to manage a public NTP server this update is highly recommended.
By executing commands below you can test if your local NTP server is vulnerable:
ntpq -c rv
ntpdc -c sysinfo
ntpdc -n -c monlist
It can also be checked using nmap's NSE script ntp-monlist:
nmap -sU -pU:123 -Pn -n --script=ntp-monlist ntp.server.com
If update is not possible at the moment another workaround is to completely disable status queries by adding these lines to /etc/ntp.conf (configuration can be extended to restrict these features per network segment):
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
Such attacks are usually intensified by using many vulnerable servers at the same time. These servers can be thought of as passive botnet members since attacker can passively gather large lists of them. More importantly apart from NTP which is a well-known protocol there's an open question about many exposed proprietary protocols that are not so popular but could be vulnerable to this particular attack type.