New DRDoS (Distributed Reflection Denial-of-Service) based on NTP, similar to the DNS open-resolver-based DDoS of 2013.
The mechanism is to send UDP port 123 packets with a spoofed source address carrying a REQ_MON_GETLIST request; the server answers with the last 600 clients that sent it NTP requests, hence the significant BAF (Bandwidth Amplification Factor). NTP is reflection-vulnerable because the request travels over UDP and the server does not validate the source IP of the sender.
All versions of ntpd prior to 4.2.7p26 are affected; that version disabled support for MON_GETLIST.
How to test if you are vulnerable?
ntpq -c rv
ntpdc -c sysinfo
ntpdc -n -c monlist
If the last command returns nothing then you’re OK.
If it returns a whole list of hostnames and IP addresses, then you know what time it is…
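To turn that last check into a yes/no verdict you can script, here is an added example (not from the original post) in Python that parses a saved transcript of "ntpdc -n -c monlist": it extracts the client rows the server disclosed and reports VULNERABLE when there are any, NO_ANSWER when ntpdc only reports a timeout (what you see once queries are restricted), and NO_DATA otherwise. Both transcripts below are constructed for the example, with documentation-range addresses, and the column layout is assumed to follow ntpdc's monlist table.

```python
import re

# Sample outputs of "ntpdc -n -c monlist", constructed for this example
# (not captured from a real server).  Addresses are documentation ranges.
VULNERABLE_OUTPUT = """\
remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
203.0.113.10             123 192.0.2.1              25 3 4    1d0     64       9
198.51.100.7             123 192.0.2.1             120 3 4    1d0     16       2
"""

# What you typically see once status queries are restricted (noquery):
# ntpdc gets no answer at all.  Constructed to match ntpdc's wording.
NO_ANSWER_OUTPUT = """\
192.0.2.1: timed out, nothing received
***Request timed out
"""

# One client-entry row: remote address, port, local address, count, mode, version
ENTRY_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)")


def parse_monlist(output):
    """Return the client entries the server disclosed, one dict per row.
    The header row, the ==== separator and ntpdc's own *** messages are skipped."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith(("=", "remote address", "***")):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "remote": m.group(1),
                "port": int(m.group(2)),
                "local": m.group(3),
                "count": int(m.group(4)),
            })
    return entries


def classify(output):
    """Map a monlist transcript to a verdict: a server that lists clients is
    an open reflector; one that stays silent or reports nothing is not."""
    entries = parse_monlist(output)
    if entries:
        return "VULNERABLE", len(entries)
    if "timed out" in output:
        return "NO_ANSWER", 0       # queries dropped, e.g. by 'noquery'
    return "NO_DATA", 0             # answered, but nothing to disclose


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_OUTPUT), ("hardened", NO_ANSWER_OUTPUT)):
        verdict, n = classify(text)
        print(f"{name}: {verdict} ({n} clients disclosed)")
```

In practice you would feed the function the real transcript, e.g. the captured output of "ntpdc -n -c monlist <your-server>", and alert on VULNERABLE; the number of rows also tells you how many client addresses the server is leaking to anyone who asks.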
Solutions:
(1) Download version 4.2.7p26 or later: ▻http://www.ntp.org/downloads.html
(2) Disable queries: if updating is not possible in your environment, a workaround is to disable status queries by adding to /etc/ntp.conf:
For IPv4: restrict default kod nomodify notrap nopeer noquery
For IPv6: restrict -6 default kod nomodify notrap nopeer noquery
(restart ntpd after the change)
(3) Allow status queries but disable “ntpdc -c monlist” via “disable monitor” in ntp.conf
Either approach is a good idea because
(a) you protect your network from unwanted reconnaissance, since monlist queries are built into network tools such as Nmap and Metasploit;
(b) you avoid participating in DRDoS attacks, and probably also being a victim of them.
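To check that a host actually carries one of the two workarounds above, here is an added example (not from the original post) in Python that audits an ntp.conf text: it reads the "restrict default" flags per address family and whether monitoring has been switched off, then reports the gaps. It follows the post's recipe literally rather than ntpd's full semantics: an unflagged "restrict default" is taken as the IPv4 line and "restrict -6 default" as the IPv6 line, a later default line for the same family is assumed to replace an earlier one, and "ignore" is accepted alongside "noquery" since it drops queries too. The three configurations are constructed samples, not taken from any real host.

```python
# Constructed sample configurations; not taken from any real host.
EXPOSED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery    # IPv4 line from solution (2)
restrict -6 default kod nomodify notrap nopeer noquery # IPv6 line from solution (2)
restrict 127.0.0.1
restrict ::1
"""

MONITOR_OFF_CONF = """\
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
disable monitor
"""

# Flags that stop ntpd from answering status queries (noquery) or any packet at all (ignore)
QUERY_BLOCKING = {"noquery", "ignore"}


def parse_ntp_conf(text):
    """Return ({family: flags on its 'restrict default' line, or None}, monitor_enabled).
    Assumptions (the post's two-line recipe, not ntpd's full semantics): an unflagged
    'restrict default' is the IPv4 line, 'restrict -6 default' the IPv6 one, and a
    later default line for the same family replaces an earlier one."""
    families = {"ipv4": None, "ipv6": None}
    monitor = True   # ntpd collects monlist data unless 'disable monitor' is set
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        cmd, *args = line.split()
        if cmd == "restrict":
            fam = "ipv4"
            if args and args[0] in ("-4", "-6"):
                fam = "ipv6" if args[0] == "-6" else "ipv4"
                args = args[1:]
            if not args or args[0] != "default":
                continue   # host- or subnet-specific restriction, not the default
            families[fam] = set(args[1:])
        elif cmd in ("enable", "disable") and "monitor" in args:
            monitor = (cmd == "enable")
    return families, monitor


def audit(text):
    """List the gaps relative to solution (2), noting when solution (3) covers them."""
    families, monitor = parse_ntp_conf(text)
    findings = []
    for fam, flags in families.items():
        if flags is None:
            findings.append(f"{fam}: no 'restrict default' line")
        elif not flags & QUERY_BLOCKING:
            findings.append(f"{fam}: 'restrict default' without noquery")
    if findings and not monitor:
        findings.append("mitigated by 'disable monitor': monlist has nothing to return")
    return findings


def monlist_exposed(text):
    """True when neither workaround is in place for at least one address family."""
    families, monitor = parse_ntp_conf(text)
    if not monitor:
        return False   # solution (3): no client list is kept, so none can be disclosed
    return any(flags is None or not flags & QUERY_BLOCKING for flags in families.values())


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF),
                       ("monitor off", MONITOR_OFF_CONF)):
        print(f"{name}: exposed={monlist_exposed(conf)} findings={audit(conf)}")
```

Run it against the text of your own /etc/ntp.conf (open(...).read()) after a change and before restarting ntpd; an empty findings list means both families carry noquery, while "monlist_exposed" returning False with findings still present tells you that you are relying on "disable monitor" alone.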
Official Security Reports:
NIST reference of the vulnerability
▻http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211
CERT vulnerability notice
▻http://www.kb.cert.org/vuls/id/348126
Other reports on this NTP DRDoS:
very good: "Understanding and mitigating NTP-based DDoS attacks" - ▻http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks
"New DoS attacks taking down game sites deliver crippling 100Gbps floods" ▻http://arstechnica.com/security/2014/01/new-dos-attacks-taking-down-game-sites-deliver-crippling-100-gbps-flood
"DDoS attacks on the gaming industry highlight NTP security weaknesses" ▻http://www.pcworld.fr/jeux-video/actualites,attaques-ddos-steam-origin-league-leagends-planetside-guild-wars-
▻http://www.theregister.co.uk/2014/01/21/open_ntp_patching_project
Documentation:
"Hardening Cisco Routers - Chapter 10: NTP" - ▻http://oreilly.com/catalog/hardcisco/chapter/ch10.html
"Network Time Protocol (NTP): Overview and Configuration" - ▻http://e2epi.internet2.edu/npw/a2/ntp.pdf
▻http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
How NTP works:
▻http://www.eecis.udel.edu/~mills/ntp/html/warp.html
▻http://www.ntp.org
NTP RFCs:
– "RFC 5905: Network Time Protocol Version 4: Protocol and Algorithms Specification" ▻http://www.ietf.org/rfc/rfc5905.txt
– Or Bortzmeyer's write-up, excellent in its thorough elaboration as usual: ▻http://www.bortzmeyer.org/5905.html
– "RFC 5906: Network Time Protocol Version 4: Autokey Specification" ▻http://www.ietf.org/rfc/rfc5906.txt
– "RFC 5907: Definitions of Managed Objects for Network Time Protocol Version 4 (NTPv4)" ▻http://www.ietf.org/rfc/rfc5907.txt
– "RFC 5908: Network Time Protocol (NTP) Server Option for DHCPv6" ▻http://www.ietf.org/rfc/rfc5908.txt
#DRDoS
#DDoS
#BAF
#denial-of-service
#NTP
#reflection
#NMAP
#metasploit
#security
#vulnerability