Over the last few weeks Symantec has seen a significant spike in NTP reflection attacks across the Internet.
NTP is the Network Time Protocol, a relatively obscure protocol that runs over UDP port 123 and is used to synchronize time between machines on a network. If you have ever set up a home computer or server and been asked which time server you want to use, that is an NTP connection.
NTP is one of those set-it-and-forget-it protocols: it is configured once and most network administrators don't think about it again. Unfortunately, that also means the service is rarely upgraded, leaving it vulnerable to these reflection attacks.
How do NTP reflection attacks work?
Similar to DNS amplification attacks, the attacker sends a small packet with a forged source address that requests a large amount of data be sent to the target IP address.
In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older versions of NTP that returns to the requester a list of the last 600 hosts that have connected to that server. For attackers the monlist query is a great reconnaissance tool: against a local NTP server it helps to build a network profile. As a DDoS tool it is even better, because a small query can redirect megabytes worth of traffic:
[root@server ~]# ntpdc -c monlist [hostname]
remote address port local address count m ver code avgint lstint
localhost.localdomain 53949 127.0.0.1 1 7 2 0 0 0
tock.usshc.com 123 xxx.xxx.xxx.xxx 1 4 4 5d0 0 53
18.104.22.168 123 xxx.xxx.xxx.xxx 1 4 4 5d0 0 54
rook.slash31.com 123 xxx.xxx.xxx.xxx 1 4 4 5d0 0 55
eightyeight.xmission.c 123 xxx.xxx.xxx.xxx 1 4 4 5d0 0 56
Most scanning tools, such as Nmap, have a monlist module for gathering network information, and many attack tools, including Metasploit, have a monlist DDoS module.
How can you protect your servers? The easiest way is to update to NTP version 4.2.7, which removes the monlist command entirely. If upgrading is not an option, you can start the NTP daemon with noquery enabled in the NTP configuration file. This disables access to mode 6 and 7 query packets (which include monlist).
By disabling monlist, or upgrading so that the command is no longer there, you not only protect your network from unwanted reconnaissance but also keep it from inadvertently being used in a DDoS attack.
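The amplification described above is visible on the wire: monlist uses NTP "private" mode 7, and a 48-byte request draws back one or more 440-byte responses. The following is an added example, not code from the original post, that decodes the mode 7 header and measures the response-to-request byte ratio per server over a capture, so an administrator can confirm from traffic whether a server still answers monlist after the noquery change. The sample flows, the documentation addresses, and the helper names are constructed for this example.

```python
import struct
from dataclasses import dataclass

MODE_PRIVATE, IMPL_XNTPD = 7, 3    # NTP "private" mode spoken by ntpdc, ntpd implementation id
MONLIST_CODES = {20, 42}           # REQ_MON_GETLIST, REQ_MON_GETLIST_1 request codes

@dataclass
class Mode7Header:
    is_response: bool; version: int; implementation: int
    request_code: int; nitems: int; item_size: int

def parse_mode7(payload: bytes):
    """Decode the 8-byte mode 7 header; returns None for anything that is not mode 7."""
    if len(payload) < 8:
        return None
    b0, _seq, impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:          # low 3 bits of byte 0 are the NTP mode
        return None
    return Mode7Header(bool(b0 & 0x80), (b0 >> 3) & 0x07, impl, req,
                       err_nitems & 0x0FFF, mbz_size & 0x0FFF)

def is_monlist(hdr) -> bool:
    return hdr is not None and hdr.implementation == IMPL_XNTPD and hdr.request_code in MONLIST_CODES

def amplification_report(flows):
    """flows: (src, dst, udp_payload) tuples. For each server, bytes of monlist responses it
    sent divided by bytes of monlist requests it received; a ratio well above 1 means the
    host still answers monlist and can be abused as a reflector."""
    req_bytes, resp_bytes = {}, {}
    for src, dst, payload in flows:
        hdr = parse_mode7(payload)
        if not is_monlist(hdr):
            continue
        bucket, key = (resp_bytes, src) if hdr.is_response else (req_bytes, dst)
        bucket[key] = bucket.get(key, 0) + len(payload)
    return {srv: resp_bytes.get(srv, 0) / n for srv, n in req_bytes.items()}

# Constructed sample traffic using documentation addresses (not a real capture).
MONLIST_REQUEST = bytes([0x17, 0, IMPL_XNTPD, 42]) + bytes(44)     # 48-byte v2 request
def _monlist_response(more: bool) -> bytes:                          # 6 items x 72 bytes
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE      # R bit, M bit, v2, mode 7
    return bytes([b0, 0, IMPL_XNTPD, 42]) + struct.pack("!HH", 6, 72) + bytes(6 * 72)
SAMPLE_FLOWS = [
    ("198.51.100.5", "192.0.2.10", MONLIST_REQUEST),          # spoofed "victim" -> server
    ("192.0.2.10", "198.51.100.5", _monlist_response(True)),  # server -> victim, 440 bytes
    ("192.0.2.10", "198.51.100.5", _monlist_response(False)), # second and last fragment
    ("203.0.113.7", "192.0.2.10", bytes([0x1B]) + bytes(47)), # ordinary mode 3 client, ignored
]
```

On a server where noquery or the 4.2.7 upgrade is in place, the same traffic would show no mode 7 responses at all and the ratio would be 0.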
Cross Posted from the Symantec Cyber Readiness and Response Blog