NTP reflective DDos attack FAQ/Addendum

0x00 background

Two days ago, the heartbleed fat man published an article about NTP-based reflection and amplification attacks.

I wrote another article related to NTP because I didn't mention some of the above, or I didn't make it clear enough. You are welcome to leave a comment and I will try again for improvement.

Glossary:

 

Ntp server: the ntp server that synchronizes with the atomic clock or uses itself as the standard time.

Ntp relay server: Configure top-level servers in/etc/ntp. conf to use them as the time relay servers of the authoritative ntp server. It also provides time synchronization functions for other ntp servers and end users. Most organizations and individuals build their own ntp servers.

Ntp client: there are multiple associations between ntp servers and end users, one of which is server/client mode. Therefore, I personally understand the term ntp client.

That is, when an ntp server (codenamed ABC) synchronizes data to the authoritative/top-level ntp server, the ABC role is the ntp client, when it responds to the synchronization request of the lower-level ntp server or the ntpdate request of the end user, ABC is the ntp server.

For more information, see.

Ntp server Association (Association Modes) Reference: http://doc.ntp.org/4.2.2/assoc.html

0x01 FAQ1. what is the impact of NTP Reply Flood Attack (NTP reflected DDos Attack? Does it only affect the ntp server or the ntp client?

Whether it is the ntp server or the ntp relay server, as long as it can respond to the monlist request, it should be able to initiate an NTP reflected DDos attack.

That is to say, as long as there is no reinforcement, ntpd Services earlier than 4.2.7p26 (Linux platform) should be affected by this vulnerability. The Windwos platform is not tested.

To verify this problem, I set up an ntp relay server for testing. The steps are extremely simple.

Environment: RHEL6.2; ntpd 4.2.4p8.

 

1 # yum install ntp-y2 # vi/etc/ntp. confserver 0.rhel.pool.ntp.org // default value ***** restrict 10.10.20.0 mask limit 255.255.0 nomodify // allows time synchronization requests from the same network segment to this ntp relay server. 3 # service ntpd restart

 

OK. The build is complete.

The test result of self-built ntp relay server is as follows.

 

#nmap -sU -pU:123 -n --script=ntp-monlist 10.10.10.200Nmap scan report for 10.10.10.200Host is up (0.00013s latency).PORT STATE SERVICE123/udp open ntp| ntp-monlist:| Target is synchronised with 218.75.4.130| Public Servers (2)| 97.107.134.213 218.75.4.130| Private Clients (1)| 10.10.10.210| Other Associations (2)| 10.10.10.180 (You?) seen 5 times. last tx was unicast v2 mode 7 |_ 0:0:0:0:0:0:0:1 seen 775 times. last tx was unicast v2 mode 6MAC Address: 00:0C:29:E1:28:65 (VMware)Nmap done: 1 IP address (1 host up) scanned in 2.02 seconds

 

2. Some scanners may determine this vulnerability based on the NTP service version, regardless of the ntp server or ntp client side. Which of the following experts can solve this problem?

In my personal understanding, it is not necessary to distinguish between ntp server and ntp client, because the so-called ntp server/client should be affected.

In the emergency notice of a public institution in China, "you do not have to handle the problem of not enabling the NTP Server service or enabling only the NTP Client." It is suspected that the ntp client is incorrectly understood, or its ntp client is not a server running ntpd. For the reason, see the first answer.

3. What is monlist? What is the relationship with NTP reflected DDos attacks?

The fat man's article was clearly written, and I directly quoted it:

NTP includes a monlist function and is also called MON_GETLIST. It is mainly used to monitor NTP servers. After the NTP server responds to the monlist, it returns the IP addresses of the last 600 clients that have been synchronized with the NTP server, the response packet is divided by each six IP addresses. A maximum of 100 response packets are available.

You can execute the following command for testing:

Ntpdc-n-c monlist ntp_server-IP

It is consistent with the nmap script scan.

Nmap-sU-pU: 123-Pn-n -- script = ntp-monlist NTP_Server_IP

4. Compared with the ACL-based defense method, NTP officially provides a simpler solution, which is to turn off the monlist function.

 

Http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using

I'm curious about how the upgrade solves this problem and disable this function by default? UDP cannot verify the source address either.

Monlist (monitor list) is a feature of the ntpd service in a defective version. Its source code is ntpdc. c and the compiled file is/usr/sbin/ntpdc.

Strings/usr/sbin/ntpdc

You can see this function in row 833rd (ntpd 4.2.4p8 ).

For details about how the upgrade can be solved, refer to the fifth question.

5. How can I prevent ntp servers from being used for DDOS attacks?

Mitigation and defense measures are as follows. For more information, see the original English document in the reference link.
 

This vulnerability exists by default in versions earlier than 4.2.7. Upgrade the NTP server to version 4.2.7p26 or later. The latest version is 4.2.7p430. Individuals pass the ntpd 4.2.7p422 test. In versions earlier than 4.2.7, you can add the disable monitor option to the ntp. conf file to disable the monlist function. You can also use restrict... noquery or restrict... ignore to limit the source address of the ntpd service response. The individual passes the ntpd 4.2.4p8 test.
 

Restrict default kod nomodify notrap nopeer noquery

Restrict-6 default kod nomodify notrap nopeer noquery

Mitigation reference:

Https://www.us-cert.gov/ncas/alerts/TA14-013A

The defense content of this link is as follows:

Recommended Course of Action // us CERT description

As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publically accessible to at least 4.2.7.

However, in cases where it is not possible to upgrade the version of the service, it is possible to disable the monitor functionality in earlier versions of the software.

To disable "monlist" functionality on a public-facing NTP server that cannot be updated to 4.2.7, add the "noquery" directive to the "restrict default" line in the system's ntp. conf, as shown below:

Restrict default kod nomodify notrap nopeer noquery
Restrict-6 default kod nomodify notrap nopeer noquery

Secure NTP Template // defense against this vulnerability on multiple devices

Http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html

0x02 comprehensive reference

Understanding and mitigating NTP-based DDoS attacks

NTP Reply Flood Attack (NTP reflected DDos Attack) original anti-DDos 2011-06 Linxinsnow [N. N. U]

Introduction to NTP-based reflection and amplification attacks