NTP Amplification Attack: What it is and How to Mitigate?

Swwapnil Pawar
The Security Chef
4 min read · Dec 13, 2022


Fig.1. DDOS Attack

For those who are not familiar with NTP, let’s first understand what NTP is and how an attacker can abuse it to launch a DDoS attack against a server.

NTP stands for “Network Time Protocol”.

The Network Time Protocol is designed to allow internet connected devices to synchronize their internal clocks, and serves an important function in internet architecture. By exploiting the monlist command enabled on some NTP servers, an attacker is able to multiply their initial request traffic, resulting in a large response. This command is enabled by default on older devices, and responds with the last 600 source IP addresses of requests which have been made to the NTP server. The monlist request from a server with 600 addresses in its memory will be 206 times larger than the initial request. This means that an attacker with 1 GB of internet traffic can deliver a 200+ gigabyte attack — a massive increase in the resulting attack traffic.

Now that you understand NTP, let’s move on to the NTP amplification attack itself.

An NTP amplification attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker exploits a Network Time Protocol (NTP) server functionality in order to overwhelm a targeted network or server with an amplified amount of UDP traffic, rendering the target and its surrounding infrastructure inaccessible to regular traffic.

Cloudflare gives a classic analogy for an NTP amplification attack:

NTP amplification, much like DNS amplification, can be thought of in the context of a malicious teenager calling a restaurant and saying “I’ll have one of everything, please call me back and tell me my whole order.” When the restaurant asks for a callback number, the number given is the targeted victim’s phone number. The target then receives a call from the restaurant with a lot of information that they didn’t request.

Working of an NTP attack

Here is how the NTP reflection-amplification attack works:

  • The attacker uses a botnet to send UDP packets with spoofed source IP addresses to an NTP server that has its monlist command enabled. The spoofed source address on each packet is the real IP address of the victim.
  • Each UDP packet makes a request to the NTP server using its monlist command, resulting in a large response.
  • The server then responds to the spoofed address with the resulting data.
  • The IP address of the target receives the response and the surrounding network infrastructure becomes overwhelmed with the deluge of traffic, resulting in a denial-of-service.

Fig.1. NTP Attack (PC: Cloudflare)

Mitigation of NTP Amplification Attack:

1. Disable monlist

The simplest fix for the monlist vulnerability is to disable the command. All versions of the NTP software prior to 4.2.7 are vulnerable by default. Upgrading an NTP server to 4.2.7 or later disables the command and closes the vulnerability. If upgrading is not possible, following the US-CERT instructions lets the server’s administrator make the necessary configuration changes.

The following screenshot shows the configuration in the server’s ntp.conf file (/etc/ntp.conf):

Fig.2 NTP Conf file

2. Source IP verification

Because the UDP requests sent by the attacker’s botnet must carry a source IP address spoofed to the victim’s address, a key component in reducing the effectiveness of UDP-based amplification attacks is for internet service providers (ISPs) to reject any internal traffic with spoofed source addresses. If a packet leaving the network has a source address that makes it appear to have originated outside the network, it is very likely spoofed and can be dropped. Implementing ingress filtering is strongly recommended so that such spoofed requests never reach the NTP server.

If you want to see how large an NTP amplification response can be, use the ntpdc command to send a monlist request to a randomly chosen open NTP server on the Internet, and capture the request and response packets with Wireshark.

Here is the command:

ntpdc -c monlist 1xx.xxx.123.x9

Also, in order to disable this functionality on a public-facing NTP server, add the “noquery” directive to the “restrict default” line in the system’s ntp.conf, as shown below:

Fig.3. NTP Conf File
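As an added example that is not part of the original post (and does not reproduce the screenshots above), the following Python script audits an ntp.conf for the mitigation described in step 1 and in the noquery note above: it checks every restrict default line for noquery, treats a missing restrict default line as unrestricted, and accepts ignore as an alternative that also drops queries. Both sample configurations inside the script are constructed.

```python
# Added example (not the post's own code): audit an ntp.conf for the
# 'noquery' flag that stops ntpd answering ntpdc/ntpq queries such as monlist.
# Both sample configurations below are constructed.

WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer
restrict 127.0.0.1
restrict ::1
"""

# The same config after adding 'noquery' to both 'restrict default' lines.
HARDENED_CONF = WEAK_CONF.replace("nopeer\n", "nopeer noquery\n")


def default_restrict_lines(conf: str) -> list:
    """Return (line_no, flags) for every 'restrict [-4|-6] default' line.
    Comments and blank lines are skipped, so a commented-out restriction
    does not count as protection."""
    found = []
    for line_no, raw in enumerate(conf.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if not parts or parts[0] != "restrict":
            continue
        args = parts[1:]
        if args and args[0] in ("-4", "-6"):  # address-family selector
            args = args[1:]
        if args and args[0] == "default":
            found.append((line_no, args[1:]))
    return found


def audit(conf: str) -> list:
    """Return findings; an empty list means every default restriction
    carries 'noquery' (or 'ignore', which drops all packets, queries
    included). With no 'restrict default' line at all, ntpd applies no
    restrictions and will answer monlist from any source."""
    findings = []
    lines = default_restrict_lines(conf)
    if not lines:
        findings.append("no 'restrict default' line: any source may send monlist")
    for line_no, flags in lines:
        if not {"noquery", "ignore"} & set(flags):
            findings.append(f"line {line_no}: 'restrict default' lacks 'noquery' "
                            f"(flags: {' '.join(flags) or 'none'})")
    return findings
```

Run audit() on the contents of /etc/ntp.conf; an empty result means both the IPv4 and IPv6 default restrictions already refuse monlist queries.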

Conclusion:

The combination of disabling monlist on NTP servers and implementing ingress filtering on networks that currently allow IP spoofing is an effective way to stop NTP amplification DDoS attacks before they reach their intended network.
