Monday, January 6, 2014

NTP reflection DDoS attacks

At the end of 2013 there were several NTP reflection DDoS attacks. Let's see what are these, and how they work. A reflection DDoS attack in general looks like the following:

1. Attacker spoofs victim IP address, and generates lots of small request to a service (in this case NTP, but there are similar methods for DNS)
2. The server receives the request, and will generate a much larger answer (because of the request type)

This allows the attacker to have low bandwidth only, and can easily overload a much larger pipe, because of a much larger answer. If we add that multiple attackers can generate this traffic (e.g.: botnet) then we have a DDoS. How it looks in the NTP case:

1. Attacker spoofs the IP and sends a MON_GETLIST_1 command to the server. (In the screenshots below I just query my own NTP server to show the packets, and don't do any spoofing)

 
2. The server responds with the last 600(!!!) IP address who have connected to the server.

 
The specific NTP vulnerability is documented under: CVE-2013-5211

To show it, and get the above capture I started a NTP server on my Kali Linux:

root@kali:~# service ntp start
[ ok ] Starting NTP server: ntpd.


We can then query the list either with a single command:

root@kali:~# ntpdc -c monlist 127.0.0.1
remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
bolha.lvs.iif.hu         123 192.168.1.10           3 4 4    1d0      1       0
login-vlan87.budapest.   123 192.168.1.10           4 4 4    1d0      1       0
bart.nexellent.net       123 192.168.1.10           3 4 4    1d0      1       1
194.38.104.240           123 192.168.1.10           4 4 4    1d0      1       1


or with using NMAP's ntp-monlist NSE script:

root@kali:~# nmap -sU -p 123 --script=ntp-monlist.nse 127.0.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-06 22:07 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00021s latency).
PORT    STATE SERVICE
123/udp open  ntp
| ntp-monlist:
|   Target is synchronised with 193.224.65.146
|   Alternative Target Interfaces:
|       192.168.1.10   
|   Public Servers (4)
|       193.224.65.146  193.225.14.181  194.38.104.240  217.147.223.78 
|   Private Clients (1)
|_      127.0.0.1      

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds



I uploaded the packet captures to the blog's "Packet Capture" page.

How we can secure our NTP server?

1. Update NTP server version to 4.2.7.p26 or later
2. Add "disable monitor" to the /etc/ntp.conf file

Once it's done, we will see the following responses:

root@kali:~# nmap -sU -p 123 --script=ntp-monlist.nse 127.0.0.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-06 22:45 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00018s latency).
PORT    STATE SERVICE
123/udp open  ntp

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
root@kali:~# ntpdc -c monlist 127.0.0.1
***Server reports data not found
root@kali:~#

1 comment:

Anonymous said...

Szervusz kedves Csaba,

Szeretném e-mailben felvenni veled a kapcsolatot.

Én is tervbe vettem az OSCP-t, meg boot2root feladványok megoldásával is foglalkozom a szabad időmben.

Szívesen kooperálnék veled ha te is úgy gondolod.

üdv!

Lajos

nethekk.blogspot.com a blogom címe.