NTP Reply Flood Attack (NTP reflected DDos Attack)

Introduction NTP Reply Flood Attack (NTP-type Ddos Attack) NTP_Flood is a vulnerability that exploits the NTP server in the network (unauthenticated, non-equivalent data exchange, UDP protocol ), this article describes the causes and methods of DDos attacks, and uses programming languages (Python, C ++) to implement these attacks. I would like to thank my NSFOCUS colleagues (SCZ, Zhou da, SAI, and ice and snow) for their support in their daily work. NTP server
NTP server [Network Time Protocol (NTP)] is a Protocol used to synchronize the computer Time. It can enable the computer to access its server or clock source (such as quartzels, GPS, and so on) for synchronization, it can provide high-precision time correction (the difference between the LAN and the standard is less than 1 millisecond, And the WAN is dozens of milliseconds ), encryption validation can be used to prevent malicious protocol attacks. NTP: Network Time Protocol (NTP) is a synchronization Time Protocol that provides services for computer clock over the Internet. It provides a synchronization time mechanism that can adjust time allocation at the speed of light in a large and complex Internet. It uses a design scheme that can return time. It features that the time server is a distributed subnet that can perform self-organized operations and hierarchical management configuration, the logical clock is synchronized to the National Standard Time in wired or wireless mode. In addition, the server can re-allocate the standard time by selecting the algorithm and the time background program through the local route. The Design of NTP brings three products-clock offset, time delay and difference, all of which are associated with the specified reference clock. The Time Offset indicates the number of deviations generated when the local clock is adjusted to the same as the reference clock. The time delay indicates the delay time between the message sending and the reference clock within the specified time; the difference represents the maximum deviation from the local clock of the reference clock. Because most server time servers synchronize data through other peer-to-peer time servers, each of these three products has two components: one is determined by peer-to-peer, this part is relative to the reference source of the original standard time; the second is the part measured by the host, which is relative to the peer. Each part is maintained independently in the protocol, which makes error control and subnet management easy. They not only provide precise measurement of the Offset and delay, but also provide a clear maximum error range, so that the user interface can not only determine the time, but also determine the accuracy of the time. NTP is derived from the time protocol and ICMP time Sign message, but its design focuses more on the accuracy and controllability, even if it is used on a network path that includes multiple gateways, latency difference and unreliable network. The latest version is NTPv3, which is compatible with previous versions.  LI: Jump indicator, warning the force-recent second (second) inserted at the final moment of the last day of the month ). Cmdvn: version number. Idle Mode: Mode. This field includes the following values: 0-reserved; 1-symmetric behavior; 3-client; 4-server; 5-broadcast; 6-NTP control information  Stratum: overall identification of the local clock level. Maximum Poll: The maximum interval between consecutive messages. Precise Precision: A signed integer indicates the accuracy of the local clock. Invalid Root Delay: The signed fixed vertex number indicates the total latency of the main reference source, with 15 to 16 segments in a short period of time. Invalid Root Dispersion: the unsigned fixed vertex number indicates a normal error relative to the primary reference source, and the segment points between 15 and 16 bits in a short time. Invalid Reference Identifier: identifies special Reference sources.  Originate Timestamp: this is the time to request client separation from the server, in the format of 64-bit Timestamp. Inclureceive Timestamp: this is the time when the request arrives at the client from the server, in the format of 64-bit Timestamp.  Transmit Timestamp: this is the time for the client to reply to the server separation, in the format of 64-bit Timestamp.  Authenticator (Optional): When the NTP Authentication mode is implemented, the primary identifier and information digital domain include the defined information Authentication Code (MAC) information. In Linux, we can use ntpdc to perform NTP operations. ntpdc supports many commands: # ntpdc-n-I time.org. zantpdc>? Ntpdc commands: addpeer controlkey fudge keytype quit has been helped listpeers readkeys release debug host loopinfo requestkey has delay hostnames memstats reset has delrestrict ifreload monlist has been disable has been restrict has already existed peers showpeer has non-equivalent DDos exchange use the Listpeers and monlist commands Listpeers command to list the peers (NTP Servers) Monlist command of the target NTP Server. You can obtain the last 600 Client IP addresses that have been synchronized with the target NTP Server. This means that a small request packet can obtain a large number of continuous UDP packets consisting of Active IP addresses. wireshark captures packets such:

It is worth noting that it is still a small part of the NTP server response packet. The actual response packet ratio for this communication is 1: 73, and the data volume ratio is 234 bytes: 73 × 482 bytes, which is approximately equal to 1: 562. The calculation result is as follows: MB of attack traffic can be obtained for 10 MB of communication traffic, that is, 5 GB of attack traffic. It is precisely because of this command's non-equivalent exchange (1: 562 of Compensation), UDP Communication ambiguity (no three-way handshake verification), and NTP server's no authentication mechanism, this makes reflective DDos attacks possible. The function of this Python script is to use the IP address list returned by the monlist command from the specified server. Because the Linux ntpdc command has a short timeout time, therefore, it is not easy to return the complete list. Development of attack programs using Python the Python attack code is written by SAI as follows: Use Winpcap to develop attack programs