Hackers Spend Christmas Break Launching Large Scale NTP-Reflection Attacks

Thursday, December 26, 2013

Allan Liska

A7bef9a8e31d3aa29e48f1a06ac84da1

Over the last few weeks Symantec has seen a significant spike in NTP reflection attacks accross the Internet.

NTP_Spike_0.png

NTP is the Network Time Protocol, it is a relatively obscure protocol that runs over port 123 UDP and is used to sync time between machines on a network.  If you have ever set up a home computer or server and been asked which time server you want to use, that is an NTP connection.

NTP is one of those set-it-and-forget-it protocols that is configured once and most network administrators don't worry about it after that.  Unfortunately, that means it is also not a service that is upgraded often, leaving it vulnerable to these reflection attacks.

How do NTP reflection attacks work?

Similar to DNS amplification attacks, the attacker sends a small forged packet that requests a large amount of data be sent to the target IP Address. 

In this case, the attackers are taking advantage of the monlist command.  Monlist is a remote command in older version of NTP that sends the requester a list of the last 600 hosts who have connected to that server.  For attackers the monlist query is a great reconnaissance tool.  For a localized NTP server it can help to build a network profile.  However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic:

[root@server ~]# ntpdc -c monlist [hostname]

remote address          port local address      count m ver code avgint  lstint
===============================================================================
localhost.localdomain  53949 127.0.0.1              1 7 2      0      0       0
tock.usshc.com           123 xxx.xxx.xxx.xxx         1 4 4    5d0      0      53
198.52.198.248           123 xxx.xxx.xxx.xxx         1 4 4    5d0      0      54
rook.slash31.com         123 xxx.xxx.xxx.xxx       1 4 4    5d0      0      55
eightyeight.xmission.c   123 xxx.xxx.xxx.xxx         1 4 4    5d0      0      56

Most scanning tools, such as NMAP, have a monlist module for gathering network information and many attack tools, including metasploit, have a monlist DDoS module. 

How can you protect your servers?  The easiest way to update to NTP version 4.2.7, which removes the monlist command entirely.  If upgrading is not an option, you can start the NTP daemon with noquery enabled in the NTP conf file.  This will disable access to mode 6 and 7 query packetts (which includes monlist). 

By disabling monlist, or upgrading so the the command is no longer there, not only are you protecting your network from unwanted reconnaissance, but you are also protecting your network from inadvertently being used in a DDoS attack.

Cross Posted from the Symantec Cyber Readiness and Response Blog

11618
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.