
Tuesday, January 14, 2014

NTP Cruft

Recently there have been numerous Distributed Denial of Service (DDoS) attacks utilizing the NTP protocol. This resurgence of DDoS attacks in the past few weeks has been noted by numerous security blogs, news outlets, and mailing lists [1] [2] [3]. In addition, the folks on the oss-sec mailing list brought the issue into discussion, and MITRE assigned it CVE-2013-5211 [4]. Today, US-CERT/NCCIC issued TA14-013A noting the growing use of NTP for DDoS attacks and providing suggestions for mitigating open NTP systems [5].

As originally noted by Cheetz, referencing HD Moore, NTP monlist requests return the last 600 IP addresses that queried the NTP server [6]. Attackers can leverage monlist by sending crafted 8-byte NTP requests with spoofed source addresses, so that the spoofed target receives approximately 6 packets with payloads totaling 2,604 bytes [7] per monlist request. The issue was also noted by Dave Hart on the ntp.org mailing list and bug tracker [8][9]. Unfortunately, it seems that the issue was resolved only in the DEV tree of NTP and not in the STABLE tree [8]. So, this is not something new.

All NTP systems publicly exposed on UDP port 123 that allow monlist requests are the culprits. Adversaries can send them spoofed UDP NTP monlist requests whose responses are directed back to the targeted victim (the spoofed source IP in the UDP packets). Used across a botnet, the amplification lets adversaries cause a denial of service.
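The traffic described above is easy to recognize on the wire, because monlist is an NTP mode 7 (ntpdc "private") query with a fixed 8-byte header. The following detector is an added example written for this post, not code from the original article or from the NTP project: it decodes the mode 7 header, picks out monlist requests (request codes 20 and 42 from ntp_request.h) and their replies, and reports whether any of our own servers answered them. The IP addresses, the datagrams and the reply sizes (6 entries of 72 bytes per packet) are constructed sample data, not captures; the byte counts quoted in the post are the figures to compare against on a real network.

```python
"""Flag NTP monlist requests and replies in sampled UDP/123 traffic (added example, constructed data)."""
import struct

NTP_MODE_PRIVATE = 7      # mode 7 = ntpdc private/control queries, which monlist belongs to
MON_GETLIST = 20          # ntp_request.h: MON_GETLIST
MON_GETLIST_1 = 42        # ntp_request.h: MON_GETLIST_1, the code scanners and attackers send
MONLIST_CODES = {MON_GETLIST, MON_GETLIST_1}


def parse_mode7(datagram):
    """Decode the 8-byte mode 7 header. Returns None for anything that is not mode 7."""
    if len(datagram) < 8:
        return None
    b0, b1, impl, code, count_word, size_word = struct.unpack("!BBBBHH", datagram[:8])
    if (b0 & 0x07) != NTP_MODE_PRIVATE:
        return None                      # ordinary time sync (modes 3/4) or ntpq (mode 6)
    return {
        "response": bool(b0 & 0x80),     # R bit: set on server replies
        "more": bool(b0 & 0x40),         # M bit: further reply packets follow
        "version": (b0 >> 3) & 0x07,
        "auth": bool(b1 & 0x80),
        "sequence": b1 & 0x7F,
        "implementation": impl,          # 3 = XNTPD
        "request_code": code,
        "error": count_word >> 12,
        "item_count": count_word & 0x0FFF,
        "item_size": size_word & 0x0FFF,
        "length": len(datagram),
    }


def audit_traffic(packets, our_servers):
    """packets: iterable of (src_ip, dst_ip, udp_payload); our_servers: set of our NTP server IPs.

    Counts monlist requests reaching our servers and monlist replies leaving them. A reply from one
    of our servers proves monlist is enabled and reachable; the reply's destination is the spoofed
    source, i.e. the real victim. Amplification is observed bytes out divided by bytes in."""
    report = {"requests_in": 0, "bytes_in": 0, "responses_out": 0, "bytes_out": 0,
              "open_reflectors": set(), "victims": set()}
    for src, dst, payload in packets:
        hdr = parse_mode7(payload)
        if hdr is None or hdr["request_code"] not in MONLIST_CODES:
            continue
        if not hdr["response"] and dst in our_servers:
            report["requests_in"] += 1
            report["bytes_in"] += hdr["length"]
        elif hdr["response"] and src in our_servers:
            report["responses_out"] += 1
            report["bytes_out"] += hdr["length"]
            report["open_reflectors"].add(src)
            report["victims"].add(dst)
    report["amplification"] = (report["bytes_out"] / report["bytes_in"]) if report["bytes_in"] else 0.0
    return report


# --- constructed sample traffic (not a capture) ---------------------------------------------
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, MON_GETLIST_1]) + b"\x00" * 4   # R=0 M=0 VN=2 mode=7


def monlist_reply(more, items=6, item_size=72):
    """Build a reply header plus zeroed entries; 0xD7/0x97 = R=1 with/without the M bit."""
    first = 0xD7 if more else 0x97
    return (bytes([first, 0x00, 0x03, MON_GETLIST_1]) + struct.pack("!HH", items, item_size)
            + b"\x00" * (items * item_size))


OUR_NTP_SERVERS = {"192.0.2.10"}                     # documentation range, stands in for our server
SAMPLE_TRAFFIC = [
    ("198.51.100.7", "192.0.2.10", MONLIST_REQUEST),   # spoofed request; 198.51.100.7 is the victim
    ("192.0.2.10", "198.51.100.7", monlist_reply(more=True)),
    ("192.0.2.10", "198.51.100.7", monlist_reply(more=False)),
    ("203.0.113.5", "192.0.2.10", b"\x1b" + b"\x00" * 47),             # normal mode 3 client, ignored
    ("203.0.113.5", "192.0.2.10", b"\x17\x00\x03\x01" + b"\x00" * 4),  # mode 7 but not monlist, ignored
]

if __name__ == "__main__":
    r = audit_traffic(SAMPLE_TRAFFIC, OUR_NTP_SERVERS)
    print("monlist requests in: %d (%d bytes), replies out: %d (%d bytes), amplification x%.0f"
          % (r["requests_in"], r["bytes_in"], r["responses_out"], r["bytes_out"], r["amplification"]))
    print("open reflectors:", sorted(r["open_reflectors"]), "victims:", sorted(r["victims"]))
```

Two things to note when running this over real data: the request side alone is only a probe (anyone can send one), so the actionable finding is a reply leaving one of your servers, and the amplification figure is per observed request, so on a server under active abuse it will be far smaller than the theoretical 600-entry maximum once the replies are counted per sequence rather than per request.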

NTP systems can be hardened to not answer monlist requests; the steps are noted by Symantec and SANS [1] [2]. In addition, Team Cymru provides guidelines for securing NTP across popular devices and software [10]. You can scan routinely for open NTP systems that answer monlist requests; Nmap's ntp-monlist.nse script can be used to conduct these scans [11]. So, take the time to scan your ranges routinely and follow proper guidelines to secure your NTP systems so the rest of us can sleep at night.
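Scanning from outside tells you which hosts answer; the complementary check is reading the ntp.conf before the host is deployed. The audit below is an added example for this post (not code from the article, from Team Cymru or from the NTP project): it parses the `restrict default` lines and `disable` directives of an ntpd configuration and reports which address family would still answer monlist. Monlist is a mode 7 query, so `noquery` (or `ignore`) on the default restriction blocks it, and `disable monitor` removes the data it would return. The three configurations are constructed samples; the hardened one follows the `restrict default ... noquery` pattern of the Team Cymru template. The family handling is a simplification of ntpd's rules: a bare `restrict default` is taken to cover IPv4 and IPv6, and an explicit `-4` or `-6` line is taken to override it for that family.

```python
"""Audit ntp.conf text for settings that leave monlist answerable (added example, constructed configs)."""


def parse_ntp_conf(text):
    """Return (default_flags, disabled).

    default_flags maps '-4', '-6' or 'any' (bare 'restrict default') to the set of flags on that
    line; disabled is the set of feature names turned off with 'disable' lines."""
    default_flags = {}
    disabled = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "restrict":
            rest = tokens[1:]
            family = "any"
            if rest and rest[0] in ("-4", "-6"):
                family = rest.pop(0)
            if rest and rest[0] == "default":
                default_flags[family] = set(rest[1:])
        elif tokens[0] == "disable":
            disabled.update(tokens[1:])
    return default_flags, disabled


def exposed_families(text):
    """List the address families ('ipv4', 'ipv6') from which arbitrary hosts could still run monlist."""
    default_flags, disabled = parse_ntp_conf(text)
    if "monitor" in disabled:
        return []                                  # nothing for monlist to return
    exposed = []
    for flag_family, name in (("-4", "ipv4"), ("-6", "ipv6")):
        # family-specific default line wins; otherwise fall back to the bare 'restrict default'
        flags = default_flags.get(flag_family, default_flags.get("any"))
        if flags is None or not ({"noquery", "ignore"} & flags):
            exposed.append(name)                   # no default restriction, or queries still allowed
    return exposed


def monlist_exposed(text):
    return bool(exposed_families(text))


# --- constructed sample configurations --------------------------------------------------------
WEAK_CONF = """
# constructed: no default restriction at all, so ntpd answers mode 7 queries from anyone
driftfile /var/lib/ntp/ntp.drift
server time.example.net
restrict 127.0.0.1
"""

IPV4_ONLY_CONF = """
# constructed: only the IPv4 default is locked down; IPv6 clients can still run monlist
driftfile /var/lib/ntp/ntp.drift
server time.example.net
restrict -4 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

HARDENED_CONF = """
# constructed, following the restrict-default pattern from the Team Cymru secure NTP template
driftfile /var/lib/ntp/ntp.drift
server time.example.net
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
disable monitor      # belt and braces: monlist has nothing to report even if a query got through
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("ipv4-only", IPV4_ONLY_CONF), ("hardened", HARDENED_CONF)):
        print("%-10s monlist exposed on: %s" % (label, exposed_families(conf) or "nothing"))
```

Use this as a pre-deployment gate (feed it the rendered ntp.conf from your configuration management) rather than as a replacement for the external scan: appliances and embedded ntpd builds often ignore or lack these directives, and only the scan shows what actually answers on UDP/123.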

References:

[1] uulan. "Hackers Spend Christmas Break Launching Large Scale NTP-Reflection Attacks." Symantec Connect Blog, December 26, 2013. http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks

[2] SANS. "NTP Reflection Attack." SANS, ISC Diary, December 27, 2013. http://isc.sans.org/diary/NTP+reflection+attack/17300

[3] Kelly Higgins. "Attackers Wage Network Time Protocol-Based DDoS Attacks." Dark Reading, December 30, 2013. http://www.darkreading.com/attacks-breaches/attackers-wage-network-time-protocol-bas/240165063

[4] CVE Assign, MITRE. "CVE to the ntp monlist DDoS issue?" oss-sec, December 30, 2013. http://seclists.org/oss-sec/2013/q4/573

[5] US-CERT/NCCIC. "TA14-013A: NTP Amplification Attacks Using CVE-2013-5211." US-CERT/NCCIC, January 14, 2014. https://www.us-cert.gov/ncas/alerts/TA14-013A

[6] Cheetz. "Using NTP to Enumerate Client IPs." April 29, 2010. https://www.securepla.net/using-ntp-to-enumerate-client-ips/

[7] Prolexic. "An Analysis of DrDoS SNMP/NTP/CHARGEN Reflection Attacks: Part II of the DrDoS White Paper Series." Prolexic White Paper, 2012, pp. 12-18.

[8] Dave Hart. "Remove ntpd support for ntpdc's monlist (use ntpq's mrulist)". bugs.ntp.org, April 20, 2010. http://bugs.ntp.org/show_bug.cgi?id=1532

[9] Dave Hart. "Odd Surge in Traffic Today." lists.ntp.org, December 10, 2011. http://lists.ntp.org/pipermail/pool/2011-December/005616.html

[10] Team Cymru. "Secure NTP Template." Team Cymru, 2014. http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html

[11] jah. "ntp-monlist NSE Script." Nmap Project. http://nmap.org/nsedoc/scripts/ntp-monlist.html