This presentation describes in detail the recent wave of NTP amplification attacks and how to mitigate them. It explains how NTP works and how the Autokey feature can be implemented to safeguard your NTP servers.
2. Common NTP Attack Signature
NTP amplification attacks work like other UDP amplification attacks. The attacker sends a small UDP packet with a spoofed source address to the NTP server. This packet contains a command such as 'monlist', which requests a large amount of data from the NTP server. The NTP server sends that data to the spoofed source address taken from the original small packet. In effect, a few bytes of data can generate megabytes worth of traffic.
Fixing the Problem
1. Update NTP to version 4.2.7p26 or later. This removes the 'monlist' command entirely.
2. Deny queries via a configuration change. The configuration below refuses everything by default and then allows a single host nothing but time service:
# grep -ai query /etc/ntp.conf
# Prohibit general access to this service.
restrict default ignore
restrict xxx.xxx.xxx.xxx mask 255.255.255.255 nomodify notrap noquery
Note that 'restrict default ignore' also drops the replies from your own upstream servers unless each of them gets a restrict line of its own (or 'restrict source' on ntpd 4.2.8 and later). Adding 'disable monitor' to ntp.conf empties the table that monlist reads from and is a good second line of defence.
This will prevent your NTP server from being leveraged to launch DDoS attacks against other networks.
3. Enable NTP Autokey. Details follow on subsequent slides. This is supported in version 4.2.6 or later. Note that Autokey authenticates the time exchange between servers and clients; it does not by itself block mode 7 queries, so keep the restrict lines above as well.
Check this link:
http://support.ntp.org/bin/view/Support/ConfiguringAutokey
3. NTP Reflection
Over the last few weeks (as of 26th Dec, 2013) Symantec has seen a significant spike in NTP reflection attacks across the Internet.
4. Notable cases (1)
Tardis and Trinity College, Dublin
Problem:
Thousands of copies of a program called Tardis around the world contacted Trinity College's web server to obtain a timestamp via HTTP.
Solution:
Modify the web server configuration to deliver a customized, greatly reduced version of the home page.
Return a bogus time value, which caused most of the clients to choose a different time server.
Release a version of Tardis that corrects the problem.
5. Notable cases (2)
NETGEAR and the University of Wisconsin–Madison
Problem:
NETGEAR hardcoded the address of UW–Madison's NTP server in the firmware of its DG814, HR314, MR814 and RP614 product lines, a total of 707,147 units, each of which sent an SNTP request to that server every second until it got a response. This produced peak traffic of 250,000 packets per second (150 megabits per second) by June 2003.
Solution:
A firmware update that points the SNTP client at NETGEAR's own servers, polls only once every ten minutes, and gives up after five failures.
NETGEAR donated 375,000 USD to UW–Madison.
A similar problem arose between SMC and CSIRO.
6. Notable cases (3)
swisstime.ethz.ch and the Providers
Problem:
For over 20 years ETH Zurich has provided open access to the time server swisstime.ethz.ch for operational time synchronization. Due to excessive bandwidth usage, averaging upwards of 20 GB/day, it has become necessary to direct external usage to public time server pools, such as ch.pool.ntp.org.
Misuse, caused mostly by IT providers synchronizing their client infrastructures, has placed unusually high demands on network traffic, forcing ETH to take effective measures.
Solution:
As of fall 2012 the availability of swisstime.ethz.ch was changed to closed access.
Since the beginning of July 2013 access to the server has been blocked entirely for the NTP protocol.
7. Notable cases (4)
D-Link and Poul-Henning Kamp
Problem:
Poul-Henning Kamp (PHK) ran the Danish Stratum 1 NTP server.
By convention, Stratum 1 time servers should only be used by applications requiring extremely precise time, such as scientific applications, or by Stratum 2 servers with a large number of clients.
PHK observed a huge rise in traffic and discovered that between 75 and 90% of it originated from D-Link's router products.
Kamp contacted D-Link in November 2005, hoping to get them to fix the problem and compensate him for the time … …
Solution:
After going public, Kamp found that D-Link routers were also directly querying other Stratum 1 time servers, violating the access policies of at least 43 of them in the process. ..
On April 27, 2006, D-Link and Kamp announced that they had "amicably resolved" their dispute…
8. Recent Attacks on Gaming Servers
Mitigating 80 Gbps Attacks – NTP Amplification Attacks on the Rise:
The recent wave of attacks on EA, Riot Games, Blizzard, Valve and many others in the past few weeks has used a relatively uncommon attack technique. These attacks are similar in nature to DNS amplification attacks, which leveraged misconfigured DNS servers to launch very large attacks. We are now faced with a similar situation with NTP.
Ref:
http://arstechnica.com/security/2014/01/new-dos-attacks-taking-down-game-sites-deliver-crippling-100-gbps-floods/
http://www.reddit.com/r/gaming/comments/1uacp8/derptrolling_is_currently_ddos_on_steam_and_ea/
http://thehackernews.com/2014/01/ddos-attack-NTP-server-reflection-protection.html
http://www.darkreading.com/attacks-breaches/attackers-wage-network-time-protocol-bas/240165063
9. What is NTP?
NTP is the Network Time Protocol, a relatively obscure protocol that runs over UDP port 123 and is used to synchronize time between machines on a network. If you have ever set up a home computer or server and been asked which time server you want to use, that is an NTP connection.
NTP is one of those set-it-and-forget-it protocols that is configured once, after which most network administrators don't worry about it. Unfortunately, that also means it is not a service that is upgraded often, leaving it vulnerable to these reflection attacks.
10. Common NTP client problems
(S)NTP server addresses hardcoded in the firmware of consumer networking devices.
Clients that generate query packets at short (less than 5 s) intervals until a response is received.
Such grossly over-eager clients (particularly those polling once per second) commonly make up more than 50% of the traffic of public NTP servers, despite being a minuscule fraction of the total clients.
11. How do NTP reflection attacks work?
Similar to DNS amplification attacks, the attacker sends a small forged packet that requests a large amount of data be sent to the target IP address.
In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older versions of NTP that sends the requester a list of the last 600 hosts that have connected to that server. For attackers the monlist query is a great reconnaissance tool: against a local NTP server it helps to build a network profile. As a DDoS tool it is even better, because a small query can redirect megabytes worth of traffic:
12. ntpdc -c monlist [hostname]
[root@server ~]# ntpdc -c monlist [hostname]
remote address           port local address    count m ver code avgint lstint
===============================================================================
localhost.localdomain   53949 127.0.0.1          172 0   0    0
tock.usshc.com            123 xxx.xxx.xxx.xxx      1 4   4  5d0      0     53
198.52.198.248            123 xxx.xxx.xxx.xxx      1 4   4  5d0      0     54
rook.slash31.com          123 xxx.xxx.xxx.xxx      1 4   4  5d0      0     55
eightyeight.xmission.c    123 xxx.xxx.xxx.xxx      1 4   4  5d0      0     56
Most scanning tools, such as Nmap (its ntp-monlist NSE script), have a monlist module for gathering network information, and many attack tools, including Metasploit, have a monlist DDoS module.
13. How can you protect your servers?
The easiest way is to update to NTP version 4.2.7p26 or later, which removes the monlist command entirely. If upgrading is not an option, restrict access with noquery in the NTP conf file and restart the daemon. This denies mode 6 and mode 7 query packets, which includes monlist. Adding 'disable monitor' as well empties the table monlist reads from, so nothing is left to reflect.
By disabling monlist, or upgrading so that the command is no longer there, you protect your network both from unwanted reconnaissance and from inadvertently being used in a DDoS attack.
More Reading on NTP Security:
http://www.eecis.udel.edu/~mills/security.html