At the end of 2013 there were several NTP reflection DDoS attacks. Let's see what are these, and how they work. A reflection DDoS attack in general looks like the following:
1. Attacker spoofs victim IP address, and generates lots of small request to a service (in this case NTP, but there are similar methods for DNS)
2. The server receives the request, and will generate a much larger answer (because of the request type)
This allows the attacker to have low bandwidth only, and can easily overload a much larger pipe, because of a much larger answer. If we add that multiple attackers can generate this traffic (e.g.: botnet) then we have a DDoS. How it looks in the NTP case:
1. Attacker spoofs the IP and sends a MON_GETLIST_1 command to the server. (In the screenshots below I just query my own NTP server to show the packets, and don't do any spoofing)
2. The server responds with the last 600(!!!) IP address who have connected to the server.
The specific NTP vulnerability is documented under: CVE-2013-5211
To show it, and get the above capture I started a NTP server on my Kali Linux:
root@kali:~# service ntp start
[ ok ] Starting NTP server: ntpd.
We can then query the list either with a single command:
root@kali:~# ntpdc -c monlist 127.0.0.1
remote address port local address count m ver rstr avgint lstint
===============================================================================
bolha.lvs.iif.hu 123 192.168.1.10 3 4 4 1d0 1 0
login-vlan87.budapest. 123 192.168.1.10 4 4 4 1d0 1 0
bart.nexellent.net 123 192.168.1.10 3 4 4 1d0 1 1
194.38.104.240 123 192.168.1.10 4 4 4 1d0 1 1
or with using NMAP's ntp-monlist NSE script:
root@kali:~# nmap -sU -p 123 --script=ntp-monlist.nse 127.0.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-06 22:07 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00021s latency).
PORT STATE SERVICE
123/udp open ntp
| ntp-monlist:
| Target is synchronised with 193.224.65.146
| Alternative Target Interfaces:
| 192.168.1.10
| Public Servers (4)
| 193.224.65.146 193.225.14.181 194.38.104.240 217.147.223.78
| Private Clients (1)
|_ 127.0.0.1
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
I uploaded the packet captures to the blog's "Packet Capture" page.
How we can secure our NTP server?
1. Update NTP server version to 4.2.7.p26 or later
2. Add "disable monitor" to the /etc/ntp.conf file
Once it's done, we will see the following responses:
root@kali:~# nmap -sU -p 123 --script=ntp-monlist.nse 127.0.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-06 22:45 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00018s latency).
PORT STATE SERVICE
123/udp open ntp
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
root@kali:~# ntpdc -c monlist 127.0.0.1
***Server reports data not found
root@kali:~#
1 comment:
Szervusz kedves Csaba,
Szeretném e-mailben felvenni veled a kapcsolatot.
Én is tervbe vettem az OSCP-t, meg boot2root feladványok megoldásával is foglalkozom a szabad időmben.
Szívesen kooperálnék veled ha te is úgy gondolod.
üdv!
Lajos
nethekk.blogspot.com a blogom címe.
Post a Comment