NTP Defense -- Protecting Left-Alone Protocol

NTP Defense Mustafa Golam

Description

The presentation aims to give the audience a detailed account of the recent surge of NTP attacks and how to mitigate them. It describes how NTP works and how the Autokey feature can be implemented to safeguard your NTP servers.

Transcript of NTP Defense -- Protecting Left-Alone Protocol

Page 1: NTP Defense -- Protecting Left-Alone Protocol

NTP Defense

Mustafa Golam

Page 2

Common NTP Attack Signature

NTP amplification attacks work like other UDP amplification attacks. The attacker sends a small UDP packet with a spoofed source address to the NTP server. The packet carries a command such as 'monlist', which asks the server for a large amount of data; the server sends that data to the spoofed source address, which is the real target. In effect, a few bytes of attacker traffic generate megabytes of traffic toward the victim, and because the request is UDP with no handshake, the spoofed source is never verified.

Fixing the Problem

1. Update NTP to version 4.2.7 or later. This removes the 'monlist' command.

2. If upgrading is not possible, disable querying via a configuration change:

# grep -ai query /etc/ntp.conf
# Prohibit general access to this service.
restrict default ignore
restrict xxx.xxx.xxx.xxx mask 255.255.255.255 nomodify notrap noquery

This prevents your NTP server from being leveraged to launch DDoS attacks against other networks. Note that 'restrict default ignore' also refuses time service to every host not listed explicitly; if the server must keep serving time to arbitrary clients, use 'restrict default kod nomodify notrap nopeer noquery' instead, which keeps mode 3 time requests working while denying the mode 6 and mode 7 queries that monlist belongs to.

3. Enable NTP Autokey. Information is in subsequent slides. This is supported in version 4.2.6 or later. See: http://support.ntp.org/bin/view/Support/ConfiguringAutokey
Note that Autokey authenticates the time a client receives; it does not stop a server from answering spoofed monlist queries, so steps 1 and 2 are what close the reflection problem.

Page 3

NTP Reflection

Since late December 2013 (26 Dec 2013), Symantec has seen a significant spike in NTP reflection attacks across the Internet.

Page 4

Notable cases (1): Tardis and Trinity College, Dublin

Problem: thousands of copies of a program called Tardis, installed around the world, were contacting the college's web server and obtaining a timestamp via HTTP.

Solution: the web server configuration was modified so as to deliver a customized version of the home page (greatly reduced in size) to those clients, and later to return a bogus time value, which caused most of the clients to choose a different time server. A corrected version of Tardis was released to fix the problem.

Page 5

Notable cases (2): NETGEAR and the University of Wisconsin–Madison

Problem: NETGEAR hardcoded the address of the university's NTP server in the firmware of its DG814, HR314, MR814 and RP614 product lines, 707,147 units in total. Each device sent an SNTP request to that server every second until it received a response. The result was peak traffic of 250,000 packets per second (150 megabits per second) by June 2003.

Solution: a firmware update that pointed the SNTP client at NETGEAR's own servers, polled only once every ten minutes, and gave up after five failures. NETGEAR donated 375,000 USD to the university. A similar problem arose between SMC and CSIRO.

Page 6

Notable cases (3): swisstime.ethz.ch and the providers

Problem: For over 20 years ETH Zurich provided open access to the time server swisstime.ethz.ch for operational time synchronization. Due to excessive bandwidth usage, averaging upwards of 20 GB per day, it became necessary to direct external usage to public time server pools such as ch.pool.ntp.org. Misuse, caused mostly by IT providers synchronizing their client infrastructures, placed unusually high demands on network traffic and forced ETH to take effective measures.

Solution: As of fall 2012 the availability of swisstime.ethz.ch was changed to closed access. Since the beginning of July 2013, access to the server has been blocked entirely for the NTP protocol.

Page 7

Notable cases (4): D-Link and Poul-Henning Kamp

Problem: Poul-Henning Kamp (PHK) ran the Danish Stratum 1 NTP server. By convention, Stratum 1 time servers should only be used by applications requiring extremely precise time, such as scientific applications, or by Stratum 2 servers with a large number of clients. PHK observed a huge rise in traffic and discovered that between 75 and 90% of it originated from D-Link's router products. Kamp contacted D-Link in November 2005, hoping to get them to fix the problem and compensate him for the time … …

Solution: After going public, Kamp realized that D-Link routers were directly querying other Stratum 1 time servers as well, violating the access policies of at least 43 of them in the process. .. On April 27, 2006, D-Link and Kamp announced that they had "amicably resolved" their dispute…

Page 8

Recent Attacks on Gaming Servers

Mitigating 80 Gbps Attacks – NTP Amplification Attacks on the Rise: The recent wave of attacks on EA, Riot Games, Blizzard, Valve and many others in the past few weeks used a very uncommon attack technique. These attacks are similar in nature to DNS amplification attacks, which leveraged misconfigured DNS servers to launch very large attacks. We are now faced with a similar situation with NTP.

Ref: http://arstechnica.com/security/2014/01/new-dos-attacks-taking-down-game-sites-deliver-crippling-100-gbps-floods/

http://www.reddit.com/r/gaming/comments/1uacp8/derptrolling_is_currently_ddos_on_steam_and_ea/

http://thehackernews.com/2014/01/ddos-attack-NTP-server-reflection-protection.html

http://www.darkreading.com/attacks-breaches/attackers-wage-network-time-protocol-bas/240165063

Page 9

What is NTP?

NTP, the Network Time Protocol, is a relatively obscure protocol that runs over UDP port 123 and is used to synchronize time between machines on a network. If you have ever set up a home computer or server and been asked which time server you want to use, that is an NTP connection.

NTP is one of those set-it-and-forget-it protocols: it is configured once and most network administrators never think about it again. Unfortunately, that also means it is not a service that is upgraded often, which leaves it vulnerable to these reflection attacks.

Page 10

Common NTP client problems

(S)NTP server addresses hardcoded in the firmware of consumer networking devices.

Clients that generate query packets at short (less than 5 s) intervals until a response is received.

Such grossly over-eager clients (particularly those polling once per second) commonly make up more than 50% of the traffic of public NTP servers, despite being a minuscule fraction of the total clients.
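As an added example (not code from the original slides or from any vendor firmware), the following Python models the client behaviour that the NETGEAR fix on the earlier slide amounts to: a minimal SNTP request/reply codec plus a poll scheduler that starts at a 64-second interval, backs off exponentially on timeouts, honours a Kiss-o'-Death reply (RFC 5905 kiss codes RATE, DENY, RSTR), and gives up after five consecutive failures instead of querying a hardcoded server once a second. The packet bytes, timestamps and timing constants are constructed for the example; the program does no network I/O.

```python
import struct

NTP_UNIX_OFFSET = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MIN_POLL = 64                  # never poll a public server faster than this (seconds); example constant
MAX_POLL = 1024                # upper bound of the exponential backoff; example constant
MAX_FAILURES = 5               # give up after this many consecutive failures, as in the NETGEAR fix


def build_sntp_request() -> bytes:
    """48-byte SNTP client packet: LI=0, VN=4, Mode=3 (client); all other fields zero."""
    return bytes([(4 << 3) | 3]) + bytes(47)


def make_server_reply(unix_time: float, stratum: int, refid: bytes) -> bytes:
    """Construct a Mode 4 server reply for offline testing; only the fields the client reads are filled."""
    secs = int(unix_time) + NTP_UNIX_OFFSET
    frac = int((unix_time - int(unix_time)) * 2**32)
    header = bytes([(4 << 3) | 4, stratum, 6, 0xEC])      # LI/VN/Mode, stratum, poll, precision
    return header + bytes(8) + refid[:4].ljust(4, b"\0") + bytes(24) + struct.pack("!II", secs, frac)


def parse_sntp_reply(pkt: bytes):
    """Return (unix_time, None) for a normal reply or (None, kiss_code) for a Kiss-o'-Death (stratum 0)."""
    if len(pkt) < 48 or (pkt[0] & 0x07) != 4:
        raise ValueError("not an NTP server reply")
    if pkt[1] == 0:                      # stratum 0: reference ID carries an ASCII kiss code such as RATE
        return None, pkt[12:16].decode("ascii", errors="replace")
    secs, frac = struct.unpack("!II", pkt[40:48])          # transmit timestamp
    return secs - NTP_UNIX_OFFSET + frac / 2**32, None


class PollScheduler:
    """Decides how long to wait before the next query; the piece the over-eager firmware clients lacked."""

    def __init__(self):
        self.interval = MIN_POLL
        self.failures = 0
        self.given_up = False

    def on_success(self):
        self.failures = 0
        self.interval = MIN_POLL

    def on_failure(self):                # timeout or malformed reply: double the wait, count the miss
        self.failures += 1
        self.interval = min(self.interval * 2, MAX_POLL)
        if self.failures >= MAX_FAILURES:
            self.given_up = True

    def on_kod(self, code: str):
        if code in ("DENY", "RSTR"):     # server says stop using it: treat as permanent
            self.given_up = True
        else:                            # RATE (or any other code): slow down immediately
            self.interval = min(self.interval * 2, MAX_POLL)


def handle_reply(sched: PollScheduler, pkt) -> int:
    """Feed one reply (None for a timeout) into the scheduler; return seconds to wait before the next poll."""
    if pkt is None:
        sched.on_failure()
        return sched.interval
    try:
        _, kod = parse_sntp_reply(pkt)
    except ValueError:
        sched.on_failure()
        return sched.interval
    if kod is not None:
        sched.on_kod(kod)
    else:
        sched.on_success()
    return sched.interval


def simulate(replies):
    """Run a sequence of constructed replies/timeouts through a fresh scheduler; return (intervals, gave_up)."""
    sched = PollScheduler()
    intervals = []
    for pkt in replies:
        if sched.given_up:
            break
        intervals.append(handle_reply(sched, pkt))
    return intervals, sched.given_up


if __name__ == "__main__":
    good = make_server_reply(1389139200.5, 2, bytes(4))   # constructed reply: 2014-01-08 00:00:00.5 UTC
    rate = make_server_reply(0, 0, b"RATE")               # constructed Kiss-o'-Death
    print(simulate([good, rate, None, None, None, None, None]))
```

A client built this way sends at most a handful of packets to an unreachable server and then stops, whereas the firmware on the slide kept sending one packet per second indefinitely; the scheduler is the part to reuse, with the SNTP codec standing in for whatever socket code the device actually has.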

Page 11

How do NTP reflection attacks work?

Similar to DNS amplification attacks, the attacker sends a small forged packet that requests a large amount of data be sent to the target IP address.

In this case the attackers take advantage of the monlist command. Monlist is a remote (mode 7, ntpdc) command in older versions of NTP that sends the requester a list of the last 600 hosts that have connected to that server. For attackers the monlist query is a great reconnaissance tool: against an internal NTP server it helps build a network profile. As a DDoS tool it is even better, because a small query can redirect megabytes of traffic:

Page 12

ntpdc -c monlist [hostname]

[root@server ~]# ntpdc -c monlist [hostname]
remote address          port local address      count m ver code avgint  lstint
===============================================================================
localhost.localdomain  53949 127.0.0.1              1 7 2      0      0       0
tock.usshc.com           123 xxx.xxx.xxx.xxx        1 4 4    5d0      0      53
198.52.198.248           123 xxx.xxx.xxx.xxx        1 4 4    5d0      0      54
rook.slash31.com         123 xxx.xxx.xxx.xxx        1 4 4    5d0      0      55
eightyeight.xmission.c   123 xxx.xxx.xxx.xxx        1 4 4    5d0      0      56

Most scanning tools have a monlist module for gathering network information (Nmap ships the ntp-monlist script), and many attack tools, including Metasploit, have a monlist DDoS module.
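The two slides above describe the mechanism; as an added example (not part of the original presentation and not taken from any real capture), the following Python shows what the traffic looks like on the wire and how a defender would spot it. It decodes the NTP header well enough to tell time service (modes 3/4), ntpq control messages (mode 6) and ntpdc private messages (mode 7) apart, recognizes a monlist request by its mode 7 implementation field (3) and request code (42, or 20 for the older variant), and then runs over a constructed set of flow records to attribute the reflected bytes to the spoofed "requester", which is the victim. The addresses are documentation ranges and the 440-byte response fragments are sized by assumption to resemble a full monlist reply fragment (6 entries of 72 bytes).

```python
import struct
from collections import defaultdict

IMPL_XNTPD = 3                  # "implementation" value ntpd answers to in mode 7 requests
REQ_MON_GETLIST = 20            # original monlist request code
REQ_MON_GETLIST_1 = 42          # the variant ntpdc -c monlist sends


def parse_ntp(pkt: bytes) -> dict:
    """Decode the fields needed to classify a port-123 payload by NTP mode."""
    if len(pkt) < 4:
        raise ValueError("too short for an NTP header")
    b0 = pkt[0]
    info = {"version": (b0 >> 3) & 0x07, "mode": b0 & 0x07, "length": len(pkt)}
    if info["mode"] == 7:                      # ntpdc private packet: R M VN Mode | A seq | impl | req | err/nitems | mbz/itemsize
        nitems_field, itemsize_field = struct.unpack("!HH", pkt[4:8]) if len(pkt) >= 8 else (0, 0)
        info.update(response=bool(b0 & 0x80), more=bool(b0 & 0x40), sequence=pkt[1] & 0x7F,
                    implementation=pkt[2], request_code=pkt[3], error=nitems_field >> 12,
                    nitems=nitems_field & 0x0FFF, item_size=itemsize_field & 0x0FFF)
    elif info["mode"] == 6:                    # ntpq control message: R E M opcode in the second byte
        info.update(response=bool(pkt[1] & 0x80), opcode=pkt[1] & 0x1F)
    return info


def is_monlist(info: dict) -> bool:
    return (info["mode"] == 7 and info.get("implementation") == IMPL_XNTPD
            and info.get("request_code") in (REQ_MON_GETLIST, REQ_MON_GETLIST_1))


def audit_flows(flows) -> dict:
    """flows: iterable of (src_ip, dst_ip, udp_payload). Returns, keyed by the address monlist requests
    claim to come from, the request count, bytes reflected to that address and the payload-level ratio."""
    report = defaultdict(lambda: {"monlist_requests": 0, "request_bytes": 0, "reflected_bytes": 0, "reflectors": set()})
    for src, dst, payload in flows:
        try:
            info = parse_ntp(payload)
        except ValueError:
            continue
        if not is_monlist(info):
            continue
        if not info["response"]:               # request: the source is whatever the attacker spoofed
            entry = report[src]
            entry["monlist_requests"] += 1
            entry["request_bytes"] += len(payload)
            entry["reflectors"].add(dst)
        else:                                  # response: delivered to the spoofed address, i.e. the victim
            report[dst]["reflected_bytes"] += len(payload)
    for entry in report.values():
        entry["amplification"] = entry["reflected_bytes"] / entry["request_bytes"] if entry["request_bytes"] else None
    return dict(report)


# --- constructed sample traffic (no real capture) ---
MONLIST_REQUEST = bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1]) + bytes(44)   # mode 7, impl 3, req 42, padded


def make_monlist_response(seq: int, more: bool, nitems: int = 6, item_size: int = 72) -> bytes:
    """One fragment of a monlist reply: R bit set, M bit while more fragments follow, nitems entries of item_size bytes."""
    b0 = 0x80 | (0x40 if more else 0) | 0x17
    return (bytes([b0, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1])
            + struct.pack("!HH", nitems, item_size) + bytes(nitems * item_size))


VICTIM, REFLECTOR, CLIENT = "203.0.113.10", "198.51.100.5", "192.0.2.7"   # documentation addresses, assumed
SAMPLE_FLOWS = (
    [(VICTIM, REFLECTOR, MONLIST_REQUEST)]                                                  # spoofed request "from" the victim
    + [(REFLECTOR, VICTIM, make_monlist_response(i, more=i < 99)) for i in range(100)]       # 100 fragments back to the victim
    + [(CLIENT, REFLECTOR, bytes([0x23]) + bytes(47)), (REFLECTOR, CLIENT, bytes([0x24]) + bytes(47))]   # ordinary time exchange
)

if __name__ == "__main__":
    for ip, entry in audit_flows(SAMPLE_FLOWS).items():
        print(ip, entry["monlist_requests"], entry["reflected_bytes"], round(entry["amplification"], 1))
```

The ratio the audit reports is payload-only; on the wire each fragment also carries IP, UDP and link-layer headers, which is why published amplification figures for monlist differ depending on how they are measured. On a real sensor the same classification would run over the UDP payloads of port-123 packets, and a single host appearing as the destination of many mode 7 responses it never asked for is the signature of being the victim, while a server emitting them is the signature of being the reflector.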

Page 13

How can you protect your servers?

The easiest way is to update to NTP version 4.2.7 or later, which removes the monlist command entirely. If upgrading is not an option, restrict queries in the NTP configuration file with noquery; this denies mode 6 and mode 7 packets (which includes monlist) from the hosts the restriction matches. Adding 'disable monitor' to ntp.conf stops ntpd from keeping the monitoring list at all, so monlist has nothing to return even from hosts that are still allowed to query.

By disabling monlist, or upgrading so that the command is no longer there, you are not only protecting your network from unwanted reconnaissance but also preventing your server from being used in a DDoS attack against someone else.

More reading on NTP security: http://www.eecis.udel.edu/~mills/security.html
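The "Fixing the Problem" steps on page 2 and the advice on this slide both come down to a few lines of ntp.conf. As an added example (not part of the original slides or of the ntp distribution), the following Python audits an ntp.conf text for exactly those lines: it parses 'restrict' directives, checks whether the default restriction carries noquery (or ignore), looks for 'disable monitor', and reports whether monlist is still reachable from arbitrary hosts. Three configurations are constructed inline for it to run over: an open one, the slide's own pair of restrict lines (with 192.0.2.10 standing in for xxx.xxx.xxx.xxx), and a hardened one that keeps time service open while closing queries. It checks only the default restriction and the monitor switch; per-host restrict lines are reported but not evaluated.

```python
QUERY_DENY_FLAGS = {"noquery", "ignore"}     # either flag stops mode 6/7 queries from matching hosts


def _directives(text: str):
    """Yield (keyword, args) for each non-comment, non-empty line of an ntp.conf."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            tokens = line.split()
            yield tokens[0].lower(), tokens[1:]


def _parse_restrict(args):
    """restrict [-4|-6] address [mask m] [flag ...]  ->  (address, set_of_flags)"""
    args = [a for a in args if a not in ("-4", "-6")]
    if not args:
        return None, set()
    address, rest = args[0].lower(), args[1:]
    if rest[:1] == ["mask"]:
        rest = rest[2:]
    return address, {f.lower() for f in rest}


def audit_ntp_conf(text: str) -> dict:
    """Report whether unauthenticated mode 6/7 queries (and so monlist) are reachable from arbitrary hosts."""
    default_flags = []                 # one set per 'restrict default' line (IPv4 and/or IPv6)
    monitor_disabled = False
    findings = []
    for keyword, args in _directives(text):
        if keyword == "restrict":
            address, flags = _parse_restrict(args)
            if address == "default":
                default_flags.append(flags)
        elif keyword == "disable" and "monitor" in {a.lower() for a in args}:
            monitor_disabled = True

    if not default_flags:
        findings.append("no 'restrict default' line: every host may send mode 6/7 queries")
    for flags in default_flags:
        if not flags & QUERY_DENY_FLAGS:
            findings.append("'restrict default' lacks noquery: monlist/ntpq queries allowed from anywhere")
        if "ignore" in flags:
            findings.append("'restrict default ignore' also refuses time service to unlisted clients")
        elif "nomodify" not in flags:
            findings.append("'restrict default' lacks nomodify: runtime reconfiguration allowed")

    queries_open = not default_flags or any(not f & QUERY_DENY_FLAGS for f in default_flags)
    if queries_open and not monitor_disabled:
        findings.append("'disable monitor' not set: the list monlist reads from is still kept")
    return {"monlist_exposed": queries_open and not monitor_disabled,
            "monitor_disabled": monitor_disabled, "findings": findings}


# --- constructed configurations; not taken from any real host ---
WEAK_CONF = """
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict 127.0.0.1
"""

SLIDE_CONF = """
# Prohibit general access to this service.
restrict default ignore
restrict 192.0.2.10 mask 255.255.255.255 nomodify notrap noquery
server 192.0.2.10
"""

HARDENED_CONF = """
driftfile /var/lib/ntp/drift
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server 0.pool.ntp.org iburst
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("slide", SLIDE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf))
```

The slide configuration closes monlist but the auditor still flags it, because 'restrict default ignore' turns away every time client that is not listed; the hardened variant gets the same protection from noquery plus 'disable monitor' while leaving mode 3 time service available, which is what a public-facing server normally needs.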

Page 14

Q&A??

Thank You!!