NTP-based DDoS Attack
DDoS Definition
A DDoS attack (Distributed Denial-of-Service) is an action carried out with the purpose of stopping a server or internet resource from responding to its users. In a DDoS attack, more than two persons or bots attack the victim by flooding the server with forged requests, leaving the server unable to respond to genuine requests. In an NTP-based DDoS attack, the attack is carried out with the help of open NTP servers.

What?
NTP (Network Time Protocol) is used for time synchronization between computers and other devices connected to the internet. NTP mostly uses UDP rather than the more secure TCP. UDP is a connection-less protocol that needs no handshake or verification to establish a transmission (Techwriters Future, 2009). This makes NTP open to abuse by attackers for DDoS attacks. Since most computers currently use NTP to synchronize time, NTP traffic is accepted by most computers.

When, Who, Where?
NTP-based DDoS attacks have grown since 2013 and were publicly reported in January 2014 by CloudFlare, a website security company (Graham-Cumming, 2014). According to them, they succeeded in mitigating a 400 Gbps NTP-based DDoS attack against one of their customers' websites (Prince, 2014). This indicates that NTP-based DDoS attacks can be very powerful, since the most powerful DDoS attack previously recorded was around 300 Gbps (Constantin, 2013). The attack came from multiple networks with unsecured NTP servers that were abused by the attacker. Most of the networks contributing to the attack were in China, followed by Europe and Asia (CloudFlare, 2014).

How and Why?
NTP-based DDoS attacks use an amplification technique, like DNS-based DDoS attacks. The attacker sends a request to an open NTP server with a forged source IP address; this technique is called IP address spoofing. The forged IP address actually belongs to the victim targeted by the attacker, so the NTP server sends its response to the victim. To make things worse, the response is usually much larger than the request, which is the amplification. The attacker uses the MONLIST command, which returns the last 600 IP addresses contacted by the NTP server. The amplification factor can be as large as 206 times the request itself. This makes higher DDoS traffic possible and easier to generate. For example, an attacker with a 1 Gbps connection can theoretically produce at least 200 times more traffic, which is 200 Gbps.
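As an added example that is not part of the original article, the following Python parses the NTP mode 7 (private-mode) header that MONLIST requests and replies use, flags MON_GETLIST queries in captured traffic, and measures the amplification ratio from the observed request and reply sizes, which is what a defender needs in order to tell whether a server is being used as a reflector. It assumes the documented mode 7 header layout (byte 0 carries the response and more bits, version and mode; byte 2 the implementation; byte 3 the request code, with 20 = MON_GETLIST and 42 = MON_GETLIST_1) and uses constructed sample packets with addresses from the RFC 5737 documentation ranges.

```python
"""Detect NTP mode-7 MONLIST traffic and measure its amplification.

Added example, not from the original article. The layout follows the ntpd
private-mode (mode 7) header: byte 0 = R|M|VN(3)|Mode(3), byte 1 =
auth/sequence, byte 2 = implementation, byte 3 = request code, bytes 4-7 =
error/item count and item size. All sample packets below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MODE_PRIVATE = 7
MONLIST_CODES = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}


@dataclass
class Mode7Header:
    response: bool        # R bit: server reply rather than client request
    more: bool            # M bit: further reply packets follow
    version: int
    implementation: int
    request_code: int


def parse_mode7_header(payload: bytes) -> Optional[Mode7Header]:
    """Return the header if the UDP payload is an NTP mode 7 packet, else None."""
    if len(payload) < 8 or (payload[0] & 0x07) != MODE_PRIVATE:
        return None
    b0 = payload[0]
    return Mode7Header(
        response=bool(b0 & 0x80),
        more=bool(b0 & 0x40),
        version=(b0 >> 3) & 0x07,
        implementation=payload[2],
        request_code=payload[3],
    )


def is_monlist_request(payload: bytes) -> bool:
    hdr = parse_mode7_header(payload)
    return hdr is not None and not hdr.response and hdr.request_code in MONLIST_CODES


def amplification_factor(request: bytes, responses: List[bytes]) -> float:
    """Bytes the server sent back divided by bytes it received (UDP payload only)."""
    return sum(len(r) for r in responses) / len(request)


# Constructed sample traffic as (src, dst, udp_payload). The "attacker" packet
# carries the victim's address as its spoofed source, as the article describes.
VICTIM = "198.51.100.5"
NTP_SERVER = "203.0.113.10"
MONLIST_REQ = bytes.fromhex("1700032a") + bytes(4)    # VN 2, mode 7, code 42
NORMAL_CLIENT_REQ = bytes([0x23]) + bytes(47)         # VN 4, mode 3, 48-byte poll


def _monlist_response(more: bool) -> bytes:
    """One 440-byte monlist reply: 8-byte header + 6 entries of 72 bytes."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    # bytes 4-5: err(4)|nitems(12) = 6 items; bytes 6-7: mbz(4)|size(12) = 72
    return bytes([b0, 0x00, 0x03, 0x2A, 0x00, 0x06, 0x00, 0x48]) + bytes(6 * 72)


SAMPLE_PACKETS: List[Tuple[str, str, bytes]] = [
    ("192.0.2.33", NTP_SERVER, NORMAL_CLIENT_REQ),        # ordinary time query
    (VICTIM, NTP_SERVER, MONLIST_REQ),                    # spoofed monlist query
    (NTP_SERVER, VICTIM, _monlist_response(more=True)),   # reply 1 of 3, to the victim
    (NTP_SERVER, VICTIM, _monlist_response(more=True)),
    (NTP_SERVER, VICTIM, _monlist_response(more=False)),
]


def monlist_report(packets: List[Tuple[str, str, bytes]]) -> Dict[str, object]:
    """Summarise monlist activity: who received replies and how much amplification."""
    targets: Set[str] = set()
    request_bytes = 0
    response_bytes = 0
    for src, dst, payload in packets:
        hdr = parse_mode7_header(payload)
        if hdr is None or hdr.request_code not in MONLIST_CODES:
            continue
        if hdr.response:
            response_bytes += len(payload)
            targets.add(dst)          # replies go wherever the spoofed source pointed
        else:
            request_bytes += len(payload)
    factor = response_bytes / request_bytes if request_bytes else 0.0
    return {"targets": targets, "amplification": factor}


if __name__ == "__main__":
    print(monlist_report(SAMPLE_PACKETS))
```

In the constructed sample one 8-byte query draws three 440-byte replies, a 165x ratio; a real server with a full 600-entry list answers with up to 100 such packets, which is where factors of the size quoted above come from.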

Prevention
To prevent NTP-based DDoS attacks, the best approach is to improve security on the NTP server and the network it is connected to. Amplification NTP-based DDoS attacks take advantage of the MONLIST (or MON_GETLIST) command, which returns the last 600 IP addresses that interacted with the server, a response that is very large. Therefore, the first way to prevent abuse of an NTP server is to disable the MONLIST command itself. Since the MONLIST command is not particularly useful either, there is no disadvantage in disabling it. To disable the MONLIST command, add disable monitor to the ntp.conf file and restart the NTP process (S.Taher, 2013). The NTP server is then protected from attackers who want to take advantage of the MONLIST command for amplification attacks. If editing the NTP configuration is not an option, there is an easier way, which is to upgrade NTP to at least version 4.2.7p26. The update brings many security improvements and bug fixes, especially for the MONLIST vulnerability, which is listed as a bug in this version and has been resolved (Stenn, 2014). If MONLIST functionality is needed, there is the MRULIST command, which works like MONLIST but requires a nonce to verify that the command comes from the correct IP address (Graham-Cumming, 2014). To further improve NTP security, following BCP-38 will eliminate the possibility of source IP spoofing. BCP-38, followed by BCP-84, makes routing devices test whether the source IP address is one they could reach, so IP address spoofing can be minimized (US-CERT, 2014).
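The three mitigations in the paragraph above can be checked mechanically. The following Python is an added example, not code from the article or from the NTP project: it audits an ntp.conf for the disable monitor directive (and for a default restrict line carrying noquery, which also refuses the ntpdc mode 7 queries that MONLIST belongs to), compares an ntpd version string against 4.2.7p26, and models the BCP-38 ingress check by accepting only packets whose source address falls inside the prefixes expected on the interface they arrived on. The sample configurations, version strings and addresses are constructed for the demo.

```python
"""Check the NTP amplification mitigations: ntp.conf directives, ntpd
version, and a BCP-38 style ingress filter.

Added example, not from the original article or the NTP project.
Sample configs, versions and addresses below are constructed.
"""
import ipaddress
import re
from typing import Callable, Dict, Iterable, Tuple

MIN_FIXED_VERSION = "4.2.7p26"   # first release with the monlist fix, per the text


def parse_ntp_version(version: str) -> Tuple[int, int, int, int]:
    """'4.2.7p26' -> (4, 2, 7, 26). A release without a 'p' suffix is patch 0,
    so 4.2.7 sorts before 4.2.7p1 and 4.2.8 sorts after every 4.2.7pN."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised ntpd version: {version!r}")
    major, minor, point, patch = m.groups()
    return (int(major), int(minor), int(point), int(patch or 0))


def has_monlist_fix(version: str) -> bool:
    return parse_ntp_version(version) >= parse_ntp_version(MIN_FIXED_VERSION)


def audit_ntp_conf(text: str) -> Dict[str, bool]:
    """Report whether the config disables the monitor facility and whether the
    default restrict line carries noquery (which refuses ntpdc/mode 7 queries)."""
    result = {"monitor_disabled": False, "default_noquery": False}
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, then tokenise
        if not tokens:
            continue
        if tokens[0] == "disable" and "monitor" in tokens[1:]:
            result["monitor_disabled"] = True
        elif tokens[0] == "restrict":
            args = tokens[1:]
            if args and args[0] in ("-4", "-6"):   # "restrict -4 default ..." form
                args = args[1:]
            if args and args[0] == "default" and "noquery" in args[1:]:
                result["default_noquery"] = True
    return result


def ingress_filter(expected_prefixes: Iterable[str]) -> Callable[[str], bool]:
    """BCP-38 check for one edge interface: a packet is forwarded only if its
    source address lies inside a prefix reachable through that interface."""
    networks = [ipaddress.ip_network(p) for p in expected_prefixes]

    def permits(source: str) -> bool:
        addr = ipaddress.ip_address(source)
        return any(addr in net for net in networks)

    return permits


# Constructed sample inputs
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer
"""
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
disable monitor    # turn off the MRU list that monlist reads
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""
CUSTOMER_PREFIXES = ["203.0.113.0/24"]   # what the ISP expects on the customer port
VICTIM = "198.51.100.5"                  # address an attacker would forge as source

if __name__ == "__main__":
    print("weak:", audit_ntp_conf(WEAK_CONF))
    print("hardened:", audit_ntp_conf(HARDENED_CONF))
    for v in ("4.2.6p5", "4.2.7p25", "4.2.7p26", "4.2.8p15"):
        print(v, "fixed" if has_monlist_fix(v) else "vulnerable")
    permits = ingress_filter(CUSTOMER_PREFIXES)
    print("203.0.113.7 ->", permits("203.0.113.7"), "| spoofed", VICTIM, "->", permits(VICTIM))
```

The ingress filter is the piece that breaks the attack at its root: the spoofed query never leaves the attacker's network, so no reflector is reached regardless of whether that reflector has been patched.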

Compared to Echo port 7
NTP uses port...

