Accurate, reliable time is necessary for financial and legal transactions, transportation and distribution systems, and many other applications involving widely distributed resources. Network Time Protocol (NTP) is a protocol for synchronizing a set of network clocks using a set of distributed clients and servers. NTP is built on the User Datagram Protocol (UDP), which provides a connectionless transport mechanism. NTP provides the protocol mechanisms to synchronize time in principle to precisions in the order of nanoseconds while preserving a non-ambiguous date, at least for this century. The protocol includes provisions to specify the precision and estimated error of the local clock and the characteristics of the reference clock to which it may be synchronized [1].
Because it runs over UDP, NTP is prone to amplification attacks: a server will reply to a packet carrying a spoofed source IP address, and at least one of its built-in commands sends a long reply to a short request. Symantec has noticed significant NTP reflection attacks in the last few weeks. NTP (Network Time Protocol) is used to synchronize time between client and server; it is a UDP protocol and runs on port 123 [4].
NTP contains a command called monlist (sometimes MON_GETLIST) which can be sent to an NTP server for monitoring purposes. It returns the addresses of up to the last 600 machines that the NTP server has interacted with. This response is much bigger than the request, which makes it ideal for an amplification attack [2].
In the case of DNS reflection, the amplification factor is 8x, meaning attackers could generate eight times more traffic than they would normally be able to generate with their botnet. However, in the case of NTP and SNMP reflection it can be over 200x and 650x, respectively, CloudFlare said in a blog post in January.
CloudFlare recently weathered one of the biggest DDoS attacks in history. The attack used a technique called NTP reflection, which involves sending requests with spoofed source IP addresses to NTP servers so that those servers return large responses to the spoofed addresses instead of the real senders [3].
NTP is just one of several protocols that can be abused to amplify DDoS attacks; two others are DNS (Domain Name System) and SNMP (Simple Network Management Protocol). What these protocols have in common is that they allow a relatively small query to generate a large response, and because they work over UDP (User Datagram Protocol) they normally do not authenticate the source IP address, so they are vulnerable to source IP spoofing unless certain precautions are taken [3].
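As an added example (not code from the post), here is a small Python detector that applies the amplification idea from the NTP server operator's side. It reads constructed UDP/123 flow records in an assumed format (client server bytes_in bytes_out) and flags addresses that receive far more from the server than they send to it, which is what a spoofed, reflected request looks like to the server. The per-packet sizes in the sample are constructed, not measured.

```python
"""Flag NTP reflection from per-client byte counts on UDP/123 (added example).
A normal client/server exchange is symmetric (48-byte packets each way); an
address that receives much more than it sends is most likely the spoofed
source of reflected requests, i.e. the victim, and this server the reflector."""
from collections import defaultdict

# Constructed sample flow records, assumed format: client server bytes_in bytes_out
SAMPLE_FLOWS = """\
198.51.100.10 192.0.2.1 48 48
198.51.100.11 192.0.2.1 48 48
203.0.113.5 192.0.2.1 8 440
203.0.113.5 192.0.2.1 8 440
203.0.113.5 192.0.2.1 8 440
198.51.100.12 192.0.2.1 48 48
"""

def parse_flows(text):
    """Parse 'client server bytes_in bytes_out' records into tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            client, server, b_in, b_out = line.split()
            rows.append((client, server, int(b_in), int(b_out)))
    return rows

def amplification_by_client(rows):
    """Return {client: (bytes_in, bytes_out, ratio)} aggregated per source address."""
    agg = defaultdict(lambda: [0, 0])
    for client, _server, b_in, b_out in rows:
        agg[client][0] += b_in
        agg[client][1] += b_out
    return {c: (i, o, o / i if i else float("inf")) for c, (i, o) in agg.items()}

def suspected_reflection_victims(rows, ratio_threshold=10.0):
    """Addresses whose outbound/inbound byte ratio exceeds the threshold."""
    return sorted(c for c, (_i, _o, r) in amplification_by_client(rows).items()
                  if r >= ratio_threshold)
```

Feeding real flow exports into this check (or the equivalent query in a flow collector) gives an early warning that a server is being used as a reflector, which is the condition the configuration in the next section is meant to prevent.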
How to be safe in a Unix environment
To be safe against NTP-based DDoS attacks targeting Linux environments, the following steps may be useful. The configuration below is for a UNIX machine that acts simply as an NTP client and never allows NTP queries to it except from the loopback address [5]:
# by default act only as a basic NTP client
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
# allow NTP messages from the loopback address, useful for debugging
restrict 127.0.0.1
restrict ::1
# server(s) we time sync to
server 192.0.2.1
server 2001:DB8::1
server time.example.net
You can use your standard host firewall filtering capabilities to limit who the NTP process talks to. If you're using Linux and the host is acting as an NTP client only, the following iptables rules could be adapted to shield your NTP listener from unwanted remote hosts [5].
-A INPUT -s 0/0 -d 0/0 -p udp --source-port 123:123 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -s 0/0 -d 0/0 -p udp --destination-port 123:123 -m state --state NEW,ESTABLISHED -j ACCEPT
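To check that a deployed ntp.conf actually matches the client-only policy above, here is an added Python audit script (not code from the post or the Team Cymru template). It assumes the classic ntpd restrict/server syntax, and runs both on the hardened configuration and on a constructed weak one in which the default restrict line carries no flags.

```python
"""Audit an ntp.conf against the client-only restrict policy shown above.
Added example, not code from the post or the Team Cymru template; it assumes
the file uses the classic ntpd 'restrict' / 'server' syntax."""
import shlex

REQUIRED_FLAGS = {"nomodify", "nopeer", "noquery", "notrap"}

# Constructed sample: the hardened client-only configuration.
GOOD_CONF = """\
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict ::1
server 192.0.2.1   # upstream time source
"""
# Constructed sample: a bare default line, so remote queries (monlist included) are answered.
WEAK_CONF = "restrict default\nserver 192.0.2.1\n"

def parse_restricts(text):
    """Return a list of (family, target, flags) for each 'restrict' line."""
    restricts = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)   # drops '#' comments and blank lines
        if not tokens or tokens[0] != "restrict":
            continue
        family, args = "any", tokens[1:]
        if args and args[0] in ("-4", "-6"):       # address-family qualifier
            family, args = args[0], args[1:]
        if args:
            restricts.append((family, args[0], set(args[1:])))
    return restricts

def audit_ntp_conf(text):
    """Return a list of findings; an empty list means the client-only policy holds."""
    restricts = parse_restricts(text)
    findings = []
    for fam in ("-4", "-6"):
        # An unqualified 'restrict default' applies to both families.
        defaults = [flags for f, tgt, flags in restricts
                    if tgt == "default" and f in (fam, "any")]
        if not defaults:
            findings.append(f"no 'restrict {fam} default' line: remote queries are open")
        for flags in defaults:
            missing = sorted(REQUIRED_FLAGS - flags)
            if missing:
                findings.append(f"restrict {fam} default lacks {missing}")
    if not {"127.0.0.1", "::1"} <= {tgt for _f, tgt, _fl in restricts}:
        findings.append("loopback (127.0.0.1 and ::1) not explicitly permitted")
    return findings
```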
For further reading about DDoS refer: http://www.secure.edu.pl/pdf/2013/D1_1530_A_Graham-Cumming.pdf
References:
[1] Mills, D. L. (1985). Network time protocol (NTP). Network.
[2] http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks
[3] http://www.pcworld.com/article/2096720/attackers-use-ntp-reflection-in-huge-ddos-attack.html
[4] https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300
[5] http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html