# NTP - the new DDOS amplifier



## wlanboy (Jan 16, 2014)

We all know about DNS amplification attacks (open relays) but now time servers are used to DDOS hosts too.

The Network Time Protocol is used to synchronize computers across the world against centralized servers to within a fraction of a second of coordinated universal time (UTC).

It uses UDP port 123.

NTP is susceptible to man-in-the-middle attacks - just spoof the source.

NTP amplification attacks work quite simply. Ask for the latest clients and get back about 600 IP addresses of the latest connections:

```
ntpdc -n -c monlist <ip of ntp server>
```

The request packet is 234 bytes long. A busy server with the maximum of 600 addresses would send 100 packets (6 addresses per packet) for a total of over 48kb - that's a 200x amplifier.

NTP from version 4.2.7 on does not have the command "monlist".

If you don't have access to this version you can disable monlist:

```
nano /etc/ntp.conf
```

and add the following line:

```
disable monitor
```

Another solution would be the NTP Autokey Authentication.

And there is already a project scanning for open NTP servers: OpenNTPproject.org.


----------



## texteditor (Jan 16, 2014)

Some clown has been using this technique over the past 2-3 weeks to pummel the hell out of some larger torrent trackers and allegedly Riot/Steam/EA, and it's getting old.


----------



## Magiobiwan (Jan 16, 2014)

Perhaps we (in general) should first take care of the NTP issue, then after that take care of anything ELSE with large amplification? DNS is mostly taken care of. NTP is just now getting big. What's next?


----------



## Francisco (Jan 16, 2014)

We've been seeing a lot of this.

I had to make adjustments in both of our DC's to address this the other week.

Francisco


----------



## maounique (Jan 16, 2014)

Fortunately there are not enough NTP servers out there and such an abuse WILL get noticed since most are run by professionals. There are far fewer than DNSes which are in each crappy hosting panel on the market as well as in many templates. 

It will certainly be easier to contain this outbreak.


----------



## kaniini (Jan 16, 2014)

Magiobiwan said:


> Perhaps we (in general) should first take care of the NTP issue, then after that take care of anything ELSE with large amplification? DNS is mostly taken care of. NTP is just now getting big. What's next?


Anything which uses UDP in an unauthenticated manner is vulnerable to reflection attacks.


----------



## wlanboy (Jan 16, 2014)

Magiobiwan said:


> Perhaps we (in general) should first take care of the NTP issue, then after that take care of anything ELSE with large amplification?


Hopefully everyone will take a look at his/her own subnets.



Mao_Member_no_signature said:


> Fortunately there are not enough NTP servers out there and such an abuse WILL get noticed since most are run by professionals.


I thought that too. But look at the numbers at OpenNTPProject.

Not the official Pool numbers.

There is an nmap script available that lists all IPs that can be used for an attack - if you do not trust OpenNTPProject.

But every VPS provider should run that on his hosts.


----------



## Kris (Jan 17, 2014)

We've been suggesting the following, after seeing attacks on the same /24 subnet (scanning networks).

We now scan nightly and send out instructions on how to close your open NTP server or DNS resolver should you have one. A lot of PBX distributions come with NTP open by default.

Start by editing */etc/ntp.conf* with your preferred text editor.

Next, add the following line to /etc/ntp.conf to restrict access and ignore inbound requests:

```
restrict default ignore
```

You can now restart the ntp daemon by issuing the following command:

```
/etc/init.d/ntpd restart
```

Quick Edit: Check if your server is open by running the following command:

```
ntpq -pn IP
```

*If the server replies at all with a list of IPs / a line that contains 'jitter', it's open. It should time out, not respond, etc.*

Cheers, should save people some BW and network quality.
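The three fixes quoted in this thread (wlanboy's `disable monitor`, Kris's `restrict default ignore`, and the `noquery` flag on the default restrict line) can be checked before a host is scanned at all by auditing its ntp.conf. The following is an added example and not code posted by anyone in the thread; the sample configs are constructed, and the reading that a bare `restrict default` covers both address families while `-4`/`-6` lines override it is an assumption about ntp 4.2.6 behaviour. It goes slightly beyond the thread by flagging a config that only restricts IPv6.

```python
# Added example (not code from the thread): audit ntp.conf text for the
# monlist exposure discussed above. Assumes ntpd's "restrict"/"disable"
# syntax as quoted in the thread; the -4/-6 handling is an assumption.

# Default-restrict flags that stop monlist: "ignore" drops every packet from
# the matched source, "noquery" refuses ntpq/ntpdc queries (monlist is one).
BLOCKING_FLAGS = {"ignore", "noquery"}


def parse_ntp_conf(text):
    """Return (monitor_disabled, {family_selector: flags}) for default lines."""
    monitor_disabled = False
    defaults = {}                        # "" / "-4" / "-6" -> set of flags
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and blanks
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in ("disable", "enable") and "monitor" in tokens[1:]:
            monitor_disabled = tokens[0] == "disable"  # last one wins
        elif tokens[0] == "restrict":
            rest, family = tokens[1:], ""
            if rest and rest[0] in ("-4", "-6"):
                family, rest = rest[0], rest[1:]
            if rest and rest[0] == "default":
                defaults[family] = set(rest[1:])
    return monitor_disabled, defaults


def monlist_exposed(text):
    """True if an ntpd running this config would answer monlist from anywhere."""
    monitor_disabled, defaults = parse_ntp_conf(text)
    if monitor_disabled:
        return False                     # "disable monitor": nothing to list
    # Assumption (ntp 4.2.6 behaviour): a bare "restrict default" covers both
    # address families and "-4"/"-6" lines override it for theirs. With no
    # default line at all ntpd allows everything, queries included.
    for family in ("-4", "-6"):
        flags = defaults.get(family, defaults.get(""))
        if flags is None or not (flags & BLOCKING_FLAGS):
            return True
    return False


# Constructed sample configs modelled on lines quoted in the thread.
OPEN_CONF = "server 0.pool.ntp.org\nrestrict default kod nomodify notrap nopeer\n"
RHEL_LIKE_CONF = ("restrict default kod nomodify notrap nopeer noquery\n"
                  "restrict -6 default kod nomodify notrap nopeer noquery\n")
DISABLED_CONF = "restrict default kod nomodify notrap nopeer\ndisable monitor\n"
IGNORE_CONF = "restrict default ignore\n"
V6_ONLY_CONF = "restrict -6 default noquery\n"       # IPv4 side left open
```

A result of `False` only says the config does not serve monlist; it still pays to confirm with the `ntpq -pn` check above, because a running daemon may not be using the file you audited.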


----------



## peterw (Jan 17, 2014)

Magiobiwan said:


> Perhaps we (in general) should first take care of the NTP issue, then after that take care of anything ELSE with large amplification? DNS is mostly taken care of. NTP is just now getting big. What's next?





kaniini said:


> Anything which uses UDP in an unauthenticated manner is vulnerable to reflection attacks.


SNMP (used) DNS (used) NTP (used).

Not used: RADIUS “access request” with “access reject” response. Don't read about the "chargen" IDENT service either.


----------



## kaniini (Jan 17, 2014)

peterw said:


> SNMP (used) DNS (used) NTP (used).
> 
> Not used: RADIUS “access request” with “access reject” response. Don't read about the "chargen" IDENT service either.


Shh... just because the kiddies haven't discovered RADIUS yet doesn't mean they're not going to.

I see chargen flooding all the time. It was enough of a problem that we set an ACL on our edge network in Dallas to block it there.

Edit: Additional thought -- really, we should ditch both TCP and UDP and just switch everything to SCTP already.  SCTP offers both stream and message-oriented networking, and thusly could replace all TCP and UDP applications with minimal effort.  Not to mention the other advantages, like decoupling sessions from the IP layer (so you can switch from wifi to 3G and not have a connection drop)...


----------



## Francisco (Jan 17, 2014)

Mao_Member_no_signature said:


> Fortunately there are not enough NTP servers out there and such an abuse WILL get noticed since most are run by professionals. There are far fewer than DNSes which are in each crappy hosting panel on the market as well as in many templates.
> 
> It will certainly be easier to contain this outbreak.


COUGH COUGH

https://blog.staminus.net/mitigating-80-gbps-attacks-ntp-amplification-attacks-on-the-rise

Francisco


----------



## drmike (Jan 17, 2014)

Folks were blaming DNS for the reflection attacks, whole time it has been mostly NTP


----------



## wlanboy (Jan 17, 2014)

drmike said:


> Folks were blaming DNS for the reflection attacks, whole time it has been mostly NTP


Main reason to create this thread.


----------



## maounique (Jan 18, 2014)

Neah, DNS amplification attacks were 300 gbps and NTP "benefits" from having many servers publicly listed while the open resolvers in every crappy hosting panel out there are hard to come by without scans.

It is also easy to solve, the NTP servers have listed contact addresses in many cases.

This will likely pass very fast, they will be fixed in a couple of weeks.

We are still fixing open recursive resolvers in our network, people put them up every day.


----------



## marlencrabapple (Jan 20, 2014)

I'm still dreading the day I have to deal with a regular DDOS attack. I can't even imagine having to figure out how to deal with something on this scale.


----------



## wlanboy (Jan 24, 2014)

Found a nice breakdown of the different types of DDOS attacks:


----------



## Aldryic C'boas (Jan 24, 2014)

They forgot the "wgetting files from a speedtest server" type.


----------



## FLDataTeK (Jan 24, 2014)

I came across this script the other day to scan for open resolvers on your OpenVZ nodes. It works pretty well.


```bash
#!/bin/bash
# Scan every container on this OpenVZ node for an open DNS resolver.
echo "Simple script to scan all OpenVZ containers for open DNS resolvers"
echo "For web-based testing use http://openresolver.com"
# vzlist -H prints one container per line; column 4 is its IP address
# (vzlist prints "-" for containers without one, which we skip).
for ip in $(vzlist -H | awk '{print $4}'); do
    [ "$ip" = "-" ] && continue
    # Ask the container to resolve the test record; an open resolver answers it.
    OUT=$(dig +short +tries=1 +time=2 test.openresolver.com TXT "@$ip" | grep open-resolver-detected)
    if [ -z "$OUT" ]; then
        echo "$ip is not an open resolver"
    else
        echo "$ip IS an open resolver!"
    fi
done
```

Hopefully it will help someone out.


----------



## FLDataTeK (Jan 24, 2014)

I just found that script was posted here also in a different section... Oops...


----------



## wlanboy (Jan 26, 2014)

marlencrabapple said:


> I'm still dreading the day I have to deal with a regular DDOS attack. I can't even imagine having to figure out how to deal with something on this scale.


Yup - more than 2/3 are infrastructure attacks.


----------



## lbft (Feb 18, 2014)

Mao_Member_no_signature said:


> Fortunately there are not enough NTP servers out there and such an abuse WILL get noticed since most are run by professionals. There are far fewer than DNSes which are in each crappy hosting panel on the market as well as in many templates.
> 
> It will certainly be easier to contain this outbreak.





Mao_Member_no_signature said:


> Neah, DNS amplification attacks were 300 gbps and NTP "benefits" from having many servers publicly listed while the open resolvers in every crappy hosting panel out there are hard to come by without scans.
> 
> It is also easy to solve, the NTP servers have listed contact addresses in many cases.
> 
> ...


It's a month later. Would you care to eat your words yet, Mao?


----------



## peterw (Feb 18, 2014)

And the attacks are still there. Lots of servers are running the vulnerable version of ntp and they are not updated.


----------



## Francisco (Feb 18, 2014)

I released some information on how hosts can block the packets so they don't have to suspend their users/enter their CT's without permission.



Francisco


----------



## eva2000 (Feb 18, 2014)

Thanks Fran !

I checked on CentOS 6.5 builds and ntp 4.2.6.p5 has the noquery added by default to block monlist it seems https://bugzilla.redhat.com/show_bug.cgi?id=1047854

 



> Miroslav Lichvar 2014-01-02 07:23:04 EST
> 
> The default ntp.conf included in our ntp packages has noquery in the default restrict line, which blocks the monlist command.


 



> Vincent Danen 2014-01-15 19:57:09 EST
> 
> Further to what Miroslav noted in comment #3, this can be verified by checking that the following are set in /etc/ntp.conf, which is the default in Red Hat Enterprise Linux and Fedora:
> 
> ...


 



> Tomas Hoger 2014-02-11 10:15:59 EST
> 
> The ntp packages as shipped with Red Hat Enterprise Linux are not affected by this issue in their default configuration.  The configuration defines the following default restrictions:
> 
> ...


----------



## Floris (Feb 26, 2014)

We are secured by 480Gbps DDOS protection. Problem, eh?
Gotta love OVH!


----------



## KuJoe (Feb 26, 2014)

We had an 80Gbps attack for about an hour. I was expecting some packet loss but I didn't even notice it until I checked the logs later that day. I can't wait to get into our new data center and set up load balanced webservers again to load balance the attacks.


----------



## wlanboy (Feb 26, 2014)

Floris said:


> We are secured by 480Gbps DDOS protection. Problem, eh?
> 
> Gotta love OVH!


I thought that all OVH customers have 480Gbps protection - or better said, 3 x 160Gbps.

So if there are 10 x 40 Gbps attacks there is not much left of "your" protection.


----------



## Floris (Feb 26, 2014)

wlanboy said:


> I thought that all OVH customers have 480Gbps protection - or better said, 3 x 160Gbps.
> 
> So if there are 10 x 40 Gbps attacks there is not much left of "your" protection.


But to be honest, how big is the chance that 10x40Gbps is sent out at once (on the same network)? Since only 4% of all the attacks launched until September 2013 "peaked" over 10Gbps.


----------



## coreyman (Feb 27, 2014)

eva2000 said:


> Thanks Fran !
> 
> I checked on CentOS 6.5 builds and ntp 4.2.6.p5 has the noquery added by default to block monlist it seems https://bugzilla.redhat.com/show_bug.cgi?id=1047854


The whole time I was reading this thread I was wondering about this. Thanks for posting it here.


----------

