Network Time Protocol (NTP) is the protocol used to synchronize the time of a local machine with a remote NTP server. I have played with so many protocols that I never paid much attention to this one. I read the articles by Linxinsnow and Longas and then studied it; this is recorded here as a note.
I will not go into the details of this protocol; it can be described simply. The real protocol is far more complex than this sketch, but the basic idea is not complicated:
1. The local machine sends an NTP packet to the remote NTP server over UDP, which is an unreliable transport.
2. The NTP server receives the packet and returns its timestamps.
3. The local machine calculates the time offset from the returned data using the protocol's algorithms and then adjusts the local clock.
However, a specially constructed NTP packet makes the NTP server return nearly 600 IP addresses of the clients that have recently synchronized with it (in practice not all of them may arrive, because UDP is unreliable). This behaviour has two consequences: 1. Information leakage: all of those IP addresses are exposed. To prevent the leakage of internal addresses, I personally think that an external server should be used as the NTP server, and the internal hosts should synchronize to that server's time; 2. The legendary NTP reply flood attack: theoretically, 600 UDP packets are returned. I captured the packets and worked out that each packet is more than 400 bytes; in my capture it was about 488 bytes (the exact packet size was not fully confirmed). If there are no network obstacles and nearly 600 packets are returned, then ideally the NTP server sends 600*488 bytes of data to the local machine.
For this special NTP packet, here is what I captured:
Hexadecimal content:
Under normal circumstances, the client sends a request to the NTP server and the NTP server replies to that client. The process looks like this (I drew it casually in Cisco Packet Tracer; the line in the middle represents the path, not a network cable):
However, we can construct UDP packets ourselves. Because UDP has no three-way handshake like TCP, arbitrary packets can flow through. Therefore, we only need to change the source address of the UDP packet to the target's address; in this way, the returned packets are sent to the victim's computer. The approximate flowchart is as follows:
So I used Python to write a simple test program. The packet is hard-coded; its content is the second one shown above. The code is as follows:
import socket

# NTP mode 7 (private) request: byte 0 = version 2 + mode 7, byte 2 = implementation 2,
# byte 3 = request code 0x2a (42); the rest of the packet is zero padding
ntp_data = b'\x17\x00\x02\x2a'
ntp_data += b'\x00' * 156

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# The server address on the original page was garbled; 'NTP_SERVER_IP' is a placeholder.
# NTP listens on UDP port 123.
s.connect(('NTP_SERVER_IP', 123))
s.send(ntp_data)
I used Wireshark to capture the packets, filtering out everything else so that only NTP traffic is shown:
This Python program makes the server return packets to the local machine. Since UDP packets can be constructed freely (with Python or WinPcap, for example), if I keep sending requests to several NTP servers while the replies are directed at some other server, a DDoS is formed. At present there are more than 100 NTP servers around the world; I forgot the exact number, so if it is not more than 100, ignore that figure.
In theory there are several defense methods, which may not actually work, and I will not embarrass myself by listing them.
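To make the packet described above concrete from the detection side, here is an added example (not code from the original post) that decodes the NTP mode 7 header, labels a UDP/123 payload as a monlist request or reply, and computes the amplification ratio from the figures given above. The sample datagrams are constructed, not captured; the request codes 20 and 42 are the MON_GETLIST values used by ntpd's private protocol.

```python
import struct

# Request codes for the "monlist" query in ntpd's mode 7 (private) protocol:
# MON_GETLIST = 20 and MON_GETLIST_1 = 42 (0x2a, the code in the packet above).
MONLIST_REQUEST_CODES = {20, 42}


def parse_mode7_header(datagram: bytes):
    """Decode the 8-byte header of an NTP mode 7 datagram; return None for any other mode.
    Byte 0: R(1) M(1) VN(3) Mode(3); byte 1: Auth(1) Seq(7); byte 2: implementation;
    byte 3: request code; bytes 4-7: error/item count and item size (not needed here)."""
    if len(datagram) < 8:
        return None
    b0, b1, impl, req = struct.unpack('!BBBB', datagram[:4])
    if b0 & 0x07 != 7:                 # low three bits are the NTP mode
        return None
    return {
        'response': bool(b0 & 0x80),   # R bit: set on replies from the server
        'more': bool(b0 & 0x40),       # M bit: more packets follow (a monlist reply spans many)
        'version': (b0 >> 3) & 0x07,
        'implementation': impl,
        'request_code': req,
    }


def classify(datagram: bytes) -> str:
    """Label a UDP/123 payload for detection purposes."""
    hdr = parse_mode7_header(datagram)
    if hdr is None:
        return 'ntp-other'
    if hdr['request_code'] not in MONLIST_REQUEST_CODES:
        return 'mode7-other'
    return 'monlist-response' if hdr['response'] else 'monlist-request'


def amplification_factor(request_len: int, reply_packets: int, reply_len: int) -> float:
    """Bytes returned per byte sent: the ratio that makes a spoofed request attractive."""
    return reply_packets * reply_len / request_len


# Constructed sample datagrams (not captured traffic).
MONLIST_REQ = b'\x17\x00\x02\x2a' + b'\x00' * 156    # the packet from the test program above
MONLIST_RESP = b'\xd7\x00\x02\x2a' + b'\x00' * 484   # R and M bits set; 488 bytes like the capture
CLIENT_REQ = b'\x1b' + b'\x00' * 47                   # ordinary NTPv3 client request (mode 3)

if __name__ == '__main__':
    for name, pkt in (('request', MONLIST_REQ), ('reply', MONLIST_RESP), ('client', CLIENT_REQ)):
        print(f'{name}: {classify(pkt)}')
    print('amplification:', amplification_factor(len(MONLIST_REQ), 600, 488))
```

A monitoring rule that alerts on outbound 'monlist-response' datagrams, or on 'monlist-request' datagrams arriving from outside, covers both consequences discussed above: the address leak and the server being used as a reflector.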
From Fresh blog