Video Screencast Help
Cyber Security Group

Hackers Spend Christmas Break Launching Large Scale NTP-Reflection Attacks

Created: 26 Dec 2013 • Updated: 26 Dec 2013 • 2 comments
uuallan's picture
+2 2 Votes
Login to vote

Over the last few weeks Symantec has seen a significant spike in NTP reflection attacks accross the Internet.

NTP_Spike_0.png

NTP is the Network Time Protocol, it is a relatively obscure protocol that runs over port 123 UDP and is used to sync time between machines on a network.  If you have ever set up a home computer or server and been asked which time server you want to use, that is an NTP connection.

NTP is one of those set-it-and-forget-it protocols that is configured once and most network administrators don't worry about it after that.  Unfortunately, that means it is also not a service that is upgraded often, leaving it vulnerable to these reflection attacks.

How do NTP reflection attacks work?

Similar to DNS amplification attacks, the attacker sends a small forged packet that requests a large amount of data be sent to the target IP Address. 

In this case, the attackers are taking advantage of the monlist command.  Monlist is a remote command in older version of NTP that sends the requester a list of the last 600 hosts who have connected to that server.  For attackers the monlist query is a great reconnaissance tool.  For a localized NTP server it can help to build a network profile.  However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic:

[root@server ~]# ntpdc -c monlist [hostname]

remote address          port local address      count m ver code avgint  lstint
===============================================================================
localhost.localdomain  53949 127.0.0.1              1 7 2      0      0       0
tock.usshc.com           123 xxx.xxx.xxx.xxx         1 4 4    5d0      0      53
198.52.198.248           123 xxx.xxx.xxx.xxx         1 4 4    5d0      0      54
rook.slash31.com         123 xxx.xxx.xxx.xxx       1 4 4    5d0      0      55
eightyeight.xmission.c   123 xxx.xxx.xxx.xxx         1 4 4    5d0      0      56

Most scanning tools, such as NMAP, have a monlist module for gathering network information and many attack tools, including metasploit, have a monlist DDoS module. 

How can you protect your servers?  The easiest way to update to NTP version 4.2.7, which removes the monlist command entirely.  If upgrading is not an option, you can start the NTP daemon with noquery enabled in the NTP conf file.  This will disable access to mode 6 and 7 query packetts (which includes monlist). 

By disabling monlist, or upgrading so the the command is no longer there, not only are you protecting your network from unwanted reconnaissance, but you are also protecting your network from inadvertently being used in a DDoS attack.

Blog Entry Filed Under:

Comments 2 CommentsJump to latest comment

uuallan's picture

Thank you, I am glad it was useful!

0
Login to vote