ntp defense -- protecting the left-alone protocol
DESCRIPTION
The presentation gives the audience a detailed account of the recent surge of NTP amplification attacks and how to mitigate them. It describes how NTP works and how the Autokey feature can be deployed to safeguard your NTP servers.
TRANSCRIPT
NTP Defense
Mustafa Golam
NTP amplification attacks work like other UDP amplification attacks. The attacker sends a small UDP packet with a spoofed source address to the NTP server. The packet carries a request such as 'monlist', which asks the server for a large amount of data. The server sends that data to the spoofed source address taken from the original packet. In effect, a few bytes from the attacker produce a response hundreds of times larger at the victim, and a stream of such queries turns into megabytes worth of traffic.
Common NTP Attack Signature
Fixing the Problem
1. Update NTP to version 4.2.7p26 or later. This release removes the 'monlist' command.
2. If you cannot upgrade, disable queries via a configuration change:
# grep -ai query /etc/ntp.conf
# Prohibit general access to this service.
restrict default ignore
restrict xxx.xxx.xxx.xxx mask 255.255.255.255 nomodify notrap noquery
Note that 'ignore' drops every packet in the default class, including replies from your own upstream servers, so each upstream (and each client you serve) needs its own restrict line like the second one above. 'restrict default kod nomodify notrap nopeer noquery' keeps serving time to everyone while refusing mode 6 and mode 7 queries. Either way, your NTP server can no longer be leveraged to launch DDoS attacks against other networks.
3. Enable NTP Autokey. Details follow on subsequent slides; it is supported in version 4.2.6 or later. Autokey authenticates the time exchange with your configured servers and peers; it does not block unauthenticated mode 7 queries such as monlist, so step 1 or 2 is still required. See: http://support.ntp.org/bin/view/Support/ConfiguringAutokey
NTP Reflection
Over the last few weeks (as of 26 December 2013) Symantec has seen a significant spike in NTP reflection attacks across the Internet.
Tardis and Trinity College, Dublin
Problem: thousands of copies of a program called Tardis, spread around the world, contacted the college's web server to obtain a timestamp via HTTP.
Solution: modify the web server configuration to deliver a customized version of the home page (greatly reduced in size) to those clients; return a bogus time value, which caused most of the clients to choose a different time server; and release a version of Tardis that corrects the problem.
Notable cases (1)
NETGEAR and the University of Wisconsin–Madison
Problem: NETGEAR hardcoded the university's NTP server address in its DG814, HR314, MR814 and RP614 product lines, a total of 707,147 devices, each of which sent an SNTP request to that server every second until it got a response. By June 2003 this produced peak traffic of 250,000 packets per second (150 megabits per second).
Solution: a firmware update that points the SNTP clients at NETGEAR's own servers, polls only once every ten minutes, and gives up after five failures.
NETGEAR donated 375,000 USD to the university. A similar problem arose between SMC and CSIRO.
Notable cases (2)
swisstime.ethz.ch and the providers
Problem: for over 20 years ETH Zurich provided open access to the time server swisstime.ethz.ch for operational time synchronization. Due to excessive bandwidth usage, averaging upwards of 20 GB per day, it became necessary to direct external users to public time server pools such as ch.pool.ntp.org. Misuse, caused mostly by IT providers synchronizing their client infrastructures, placed unusually high demands on network traffic and led ETH to take effective measures.
Solution: as of fall 2012 swisstime.ethz.ch was changed to closed access. Since the beginning of July 2013 access to the server has been blocked entirely for the NTP protocol.
Notable cases (3)
D-Link and Poul-Henning Kamp
Problem: Poul-Henning Kamp (PHK) managed the Danish Stratum 1 NTP server. By convention, Stratum 1 time servers should only be used by applications requiring extremely precise time, such as scientific applications, or by Stratum 2 servers with a large number of clients. PHK observed a huge rise in traffic and discovered that between 75 and 90% of it originated from D-Link's router products. Kamp contacted D-Link in November 2005, hoping to get them to fix the problem and compensate him for the time … …
Solution: after going public, Kamp realized that D-Link routers were directly querying other Stratum 1 time servers as well, violating the access policies of at least 43 of them in the process. .. On April 27, 2006, D-Link and Kamp announced that they had "amicably resolved" their dispute…
Notable cases (4)
Mitigating 80 Gbps Attacks – NTP Amplification Attacks on the Rise: the recent wave of attacks on EA, Riot Games, Blizzard, Valve, and many others in the past few weeks used a very uncommon attack technique. These attacks are similar in nature to DNS amplification attacks, which leveraged misconfigured DNS servers to launch very large attacks. We are now faced with a similar situation with NTP.
Ref: http://arstechnica.com/security/2014/01/new-dos-attacks-taking-down-game-sites-deliver-crippling-100-gbps-floods/
http://www.reddit.com/r/gaming/comments/1uacp8/derptrolling_is_currently_ddos_on_steam_and_ea/
http://thehackernews.com/2014/01/ddos-attack-NTP-server-reflection-protection.html
http://www.darkreading.com/attacks-breaches/attackers-wage-network-time-protocol-bas/240165063
Recent Attacks on Gaming Servers
What is NTP?
NTP is the Network Time Protocol, a relatively obscure protocol that runs over UDP port 123 and is used to synchronize time between machines on a network. If you have ever set up a home computer or server and been asked which time server to use, that is an NTP connection.
NTP is one of those set-it-and-forget-it protocols: it is configured once and most network administrators never think about it again. Unfortunately, that also means it is rarely upgraded, which leaves it vulnerable to these reflection attacks.
(S)NTP server addresses hardcoded in the firmware of consumer networking devices.
Clients that generate query packets at short (less than 5 s) intervals until a response is received.
Such grossly over-eager clients (particularly those polling once per second) commonly make up more than 50% of the traffic of public NTP servers, despite being a minuscule fraction of the total clients.
Common NTP client problems
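The client-side failure modes listed above (fixed short retry intervals, no back-off, never giving up) and the NETGEAR remedy (poll every ten minutes, give up after five failures) all come down to the client's poll scheduler. The following is an added example written for this page, not code from the deck or from any vendor firmware: a minimal SNTP (mode 3/4) packet codec plus a scheduler that backs off exponentially, honours the kiss-o'-death RATE/DENY/RSTR codes of RFC 5905, and stops after a fixed number of unanswered polls. The constants MINPOLL, MAXPOLL and MAX_FAILURES and the server replies are constructed assumptions for illustration; nothing is sent on the wire.

```python
import struct
import time

NTP_EPOCH_OFFSET = 2208988800    # seconds between 1900-01-01 and 1970-01-01
MINPOLL, MAXPOLL = 6, 10         # 64 s .. 1024 s (RFC 5905 defaults; assumption for this client)
MAX_FAILURES = 5                 # assumption: stop polling a server after this many unanswered polls


def build_client_request(now=None) -> bytes:
    """48-byte SNTP request: LI=0, VN=4, mode 3 (client), transmit timestamp = now."""
    if now is None:
        now = time.time()
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    tx_seconds = int(now) + NTP_EPOCH_OFFSET
    tx_frac = int((now - int(now)) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!BBBb11I", li_vn_mode, 0, 0, 0,   # stratum, poll, precision
                       0, 0, 0,                         # root delay, root dispersion, refid
                       0, 0, 0, 0, 0, 0,                # reference, origin, receive timestamps
                       tx_seconds, tx_frac)


def build_server_reply(stratum: int, poll: int, refid: bytes) -> bytes:
    """Constructed mode 4 reply. Stratum 0 turns refid into a kiss-o'-death code (RFC 5905 7.4)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    return (struct.pack("!BBBb", li_vn_mode, stratum, poll, -20)
            + b"\x00" * 8 + refid.ljust(4, b"\x00")[:4] + b"\x00" * 32)


def parse_reply(pkt: bytes) -> dict:
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBBb", pkt[:4])
    refid = pkt[12:16]
    return {
        "mode": li_vn_mode & 0x07,
        "version": (li_vn_mode >> 3) & 0x07,
        "stratum": stratum,
        "poll": poll,
        # Stratum 0 marks a kiss-o'-death packet; refid then carries an ASCII kiss code.
        "kiss": refid.decode("ascii", "replace").rstrip("\x00") if stratum == 0 else None,
    }


class PollSchedule:
    """Decides the wait before the next query from the outcome of the last one.
    interval() returns seconds, or None once the server should not be polled again."""

    def __init__(self, minpoll=MINPOLL, maxpoll=MAXPOLL, max_failures=MAX_FAILURES):
        self.poll, self.minpoll, self.maxpoll = minpoll, minpoll, maxpoll
        self.failures, self.max_failures, self.given_up = 0, max_failures, False

    def interval(self):
        return None if self.given_up else 1 << self.poll

    def on_timeout(self):
        """No reply: back off exponentially and eventually stop (NETGEAR's fix did both)."""
        self.failures += 1
        if self.failures >= self.max_failures:
            self.given_up = True
        self.poll = min(self.maxpoll, self.poll + 1)
        return self.interval()

    def on_reply(self, pkt: bytes):
        r = parse_reply(pkt)
        if r["mode"] != 4:
            return self.on_timeout()             # not a server reply: count it as a miss
        if r["kiss"] == "RATE":                  # server asks us to slow down: obey its poll
            self.poll = min(self.maxpoll, max(self.poll + 1, r["poll"]))
        elif r["kiss"] in ("DENY", "RSTR"):      # access denied: stop talking to this server
            self.given_up = True
        else:
            self.failures = 0
            self.poll = min(self.maxpoll, self.poll + 1)   # stable: lengthen the interval
        return self.interval()


class OverEagerSchedule:
    """The firmware behaviour the deck describes: retry every second until something answers."""

    def on_timeout(self):
        return 1


def queries_to_dead_server(schedule, seconds: int) -> int:
    """How many packets a client sends over `seconds` to a server that never answers."""
    t, sent = 0, 0
    while t < seconds:
        sent += 1
        wait = schedule.on_timeout()
        if wait is None:
            break
        t += wait
    return sent


if __name__ == "__main__":
    print("polite client, one day, dead server:", queries_to_dead_server(PollSchedule(), 86400))
    print("over-eager client, one day, dead server:", queries_to_dead_server(OverEagerSchedule(), 86400))
```

Against a server that never answers, the over-eager client sends 86,400 packets a day while the backing-off client sends five and then stops; that difference, multiplied by 700,000 devices, is the UW–Madison incident.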
Similar to DNS amplification attacks, the attacker sends a small forged packet that requests a large amount of data be sent to the target IP address.
In this case the attackers take advantage of the monlist command. Monlist is a remote command in older versions of NTP that returns a list of the last 600 hosts that have connected to the server. For attackers the monlist query is a great reconnaissance tool: against an internal NTP server it helps build a network profile. As a DDoS tool it is even better, because a single small query draws a response hundreds of times its own size, split over up to 100 packets:
How do NTP reflection attacks work?
[root@server ~]# ntpdc -c monlist [hostname]
remote address          port local address      count m ver code avgint  lstint
===============================================================================
localhost.localdomain  53949 127.0.0.1              1 7 2      0      0       0
tock.usshc.com           123 xxx.xxx.xxx.xxx        1 4 4    5d0      0      53
198.52.198.248           123 xxx.xxx.xxx.xxx        1 4 4    5d0      0      54
rook.slash31.com         123 xxx.xxx.xxx.xxx        1 4 4    5d0      0      55
eightyeight.xmission.c   123 xxx.xxx.xxx.xxx        1 4 4    5d0      0      56
Most scanning tools have a monlist module for gathering network information (Nmap ships the ntp-monlist NSE script, Metasploit the auxiliary/scanner/ntp/ntp_monlist module), and many attack tools, including Metasploit, have a monlist DDoS module.
ntpdc -c monlist [hostname]
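To make the amplification concrete, here is an added example written for this page (not code from the deck or from the NTP project) that builds the 8-byte mode 7 monlist request, models the 72-byte info_monitor_1 records that ntpd packs six to a 440-byte response packet, decodes them into the columns ntpdc prints in the listing above, and flags unsolicited monlist responses as the victim-side signature of the attack. The response packets and the addresses in them are constructed locally; nothing is sent on the wire.

```python
import socket
import struct

# Mode 7 ("private") NTP header, 8 bytes, network byte order (ntp_request.h):
#   byte 0: R|M|VN(3)|MODE(3)      byte 1: A|SEQ(7)
#   byte 2: implementation        byte 3: request code
#   bytes 4-5: ERR(4)|NITEMS(12)  bytes 6-7: MBZ(4)|ITEMSIZE(12)
IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 42
MONITOR_ITEM_SIZE = 72     # sizeof(struct info_monitor_1)
ITEMS_PER_PACKET = 6       # 8 + 6 * 72 = 440 bytes: the classic monlist response packet size
NTP_PORT = 123


def _ip2int(ip: str) -> int:
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def _int2ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def build_monlist_request() -> bytes:
    """The 8-byte, unauthenticated monlist probe: version 2, mode 7, no items."""
    rm_vn_mode = (2 << 3) | 7             # response=0, more=0, version 2, mode 7 -> 0x17
    return struct.pack("!BBBBHH", rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_header(pkt: bytes) -> dict:
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", pkt[:8])
    return {
        "response": bool(rm_vn_mode & 0x80),
        "more": bool(rm_vn_mode & 0x40),
        "version": (rm_vn_mode >> 3) & 0x07,
        "mode": rm_vn_mode & 0x07,
        "seq": auth_seq & 0x7F,
        "implementation": impl,
        "request": req,
        "err": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_itemsize & 0x0FFF,
    }


def parse_monlist_items(pkt: bytes) -> list:
    """Decode the info_monitor_1 records carried by one monlist response packet."""
    hdr = parse_mode7_header(pkt)
    if not (hdr["response"] and hdr["mode"] == 7 and hdr["request"] == REQ_MON_GETLIST_1):
        raise ValueError("not a monlist response")
    items = []
    for i in range(hdr["nitems"]):
        off = 8 + i * hdr["itemsize"]
        # First 32 bytes of the record: 7 x u_int32, port (u_short), mode, version.
        # lasttime/firsttime are the interval fields behind ntpdc's lstint/avgint columns.
        lasttime, firsttime, restr, count, addr, daddr, flags, port, mode, version = \
            struct.unpack("!IIIIIIIHBB", pkt[off:off + 32])
        items.append({"addr": _int2ip(addr), "daddr": _int2ip(daddr), "port": port,
                      "count": count, "mode": mode, "version": version,
                      "lasttime": lasttime, "firsttime": firsttime})
    return items


def build_monlist_response(entries: list, seq: int, more: bool) -> bytes:
    """Constructed response packet in ntpd's layout (used here only to model the server)."""
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
    body = b""
    for addr, daddr, port, count in entries:
        body += struct.pack("!IIIIIIIHBB", 1, 3600, 0, count,
                            _ip2int(addr), _ip2int(daddr), 0, port, 3, 4)
        body += b"\x00" * (MONITOR_ITEM_SIZE - 32)   # v6_flag, padding, addr6, daddr6 (v4 entry)
    return struct.pack("!BBBBHH", rm_vn_mode, seq, IMPL_XNTPD, REQ_MON_GETLIST_1,
                       len(entries), MONITOR_ITEM_SIZE) + body


def simulated_monlist_responses(n_hosts: int) -> list:
    """What a vulnerable ntpd holding n_hosts MRU entries sends back (600 is the cap in practice).
    The addresses are constructed sample data."""
    entries = [("10.0.%d.%d" % ((i + 1) // 256, (i + 1) % 256), "192.0.2.1", NTP_PORT, i + 1)
               for i in range(n_hosts)]
    chunks = [entries[i:i + ITEMS_PER_PACKET] for i in range(0, len(entries), ITEMS_PER_PACKET)]
    return [build_monlist_response(chunk, seq=i, more=(i < len(chunks) - 1))
            for i, chunk in enumerate(chunks)]


def amplification_factor(request: bytes, responses: list) -> float:
    """UDP payload bytes returned per payload byte sent (IP/UDP headers not counted)."""
    return sum(len(r) for r in responses) / len(request)


def looks_like_monlist_reflection(src_port: int, payload: bytes) -> bool:
    """Victim-side signature: unsolicited UDP from source port 123 carrying a mode 7
    response to REQ_MON_GETLIST_1 (full packets are exactly 440 bytes)."""
    if src_port != NTP_PORT or len(payload) < 8:
        return False
    hdr = parse_mode7_header(payload)
    return hdr["response"] and hdr["mode"] == 7 and hdr["request"] == REQ_MON_GETLIST_1


if __name__ == "__main__":
    req = build_monlist_request()
    resp = simulated_monlist_responses(600)
    print("request: %d bytes; response: %d packets, %d bytes; factor %.0fx"
          % (len(req), len(resp), sum(map(len, resp)), amplification_factor(req, resp)))
    for item in parse_monlist_items(resp[0])[:3]:
        print(item["addr"], item["port"], item["count"], item["mode"], item["version"])
```

With a full 600-entry list the 8-byte probe draws 100 packets of 440 bytes, a payload ratio of 5500:1; real tools pad the request and IP/UDP headers add to both sides, which is why published per-packet factors are in the hundreds rather than the thousands, but the asymmetry is the same. The signature check is the one to put in front of a victim: mode 7 responses from source port 123 that nobody on your network requested.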
The easiest fix is to update to NTP version 4.2.7p26 or later, which removes the monlist command entirely. If upgrading is not an option, add noquery to the default restrict line in ntp.conf and restart the daemon; this blocks mode 6 and mode 7 query packets (which include monlist). Adding 'disable monitor' to ntp.conf is a further fallback: ntpd then stops keeping the MRU list, so a monlist request gets a small error reply instead of up to 600 entries. Afterwards, confirm from a host outside your network that 'ntpdc -n -c monlist <server>' times out rather than returning a list.
By disabling monlist, or upgrading so that the command no longer exists, you protect your network both from unwanted reconnaissance and from being used inadvertently in a DDoS attack.
More reading on NTP security: http://www.eecis.udel.edu/~mills/security.html
How can you protect your servers?
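The two configuration fixes in this deck (the restrict lines under "Fixing the Problem" and the noquery advice under "How can you protect your servers?") are easy to get subtly wrong, so here is an added example, not part of the deck, that parses an ntp.conf and reports whether the default restriction still answers mode 6/7 queries for each address family, whether 'disable monitor' is set, and whether 'restrict default ignore' has been paired with per-host lines so the daemon can still hear its upstream servers. The two ntp.conf samples are constructed; the rule that the last 'default' line seen wins is the audit's own simplification.

```python
WEAK_CONF = """\
# Constructed sample: a typical distro ntp.conf from before 2014 that still answers monlist
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer
restrict 127.0.0.1
restrict ::1
"""

HARDENED_CONF = """\
# Constructed sample following the deck's recipe, plus 'disable monitor' as a second line of defence
driftfile /var/lib/ntp/drift
disable monitor
server 0.pool.ntp.org iburst
# Prohibit general access to this service.
restrict default ignore
restrict 127.0.0.1
restrict 192.0.2.10 mask 255.255.255.255 nomodify notrap noquery
"""


def parse_ntp_conf(text: str):
    """Return (restrict_rules, disabled_options). A rule is (family, target, flags);
    family is '-4', '-6' or 'both' (a bare 'restrict' covers both address families)."""
    rules, disabled = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "restrict" and len(words) > 1:
            args = words[1:]
            family = "both"
            if args[0] in ("-4", "-6"):
                family = args.pop(0)
            if not args:
                continue
            target = args.pop(0)
            if args[:1] == ["mask"]:             # 'mask x.x.x.x' follows the address
                args = args[2:]
            rules.append((family, target, set(args)))
        elif words[0] == "disable":
            disabled.update(words[1:])
    return rules, disabled


def default_query_exposure(rules) -> dict:
    """Per address family: does 'restrict default' still allow mode 6/7 queries from anyone?
    Simplification: the last 'default' line for a family is the one that counts."""
    exposed = {"-4": True, "-6": True}
    for family, target, flags in rules:
        if target != "default":
            continue
        blocked = bool(flags & {"ignore", "noquery"})
        for fam in (("-4", "-6") if family == "both" else (family,)):
            exposed[fam] = not blocked
    return exposed


def audit_ntp_conf(text: str) -> list:
    """Findings a practitioner wants before exposing ntpd to the Internet."""
    rules, disabled = parse_ntp_conf(text)
    findings = []
    for fam, is_exposed in default_query_exposure(rules).items():
        if is_exposed:
            findings.append("restrict %s default lacks noquery/ignore: mode 6/7 queries "
                            "(including monlist) are answered for any source" % fam)
    if "monitor" not in disabled:
        findings.append("'disable monitor' not set: ntpd keeps the MRU list that monlist "
                        "returns (up to 600 entries) wherever queries are reachable")
    default_ignored = any(t == "default" and "ignore" in f for _, t, f in rules)
    # Approximation: a per-host line other than loopback is taken to be an upstream server.
    specific = [t for _, t, f in rules
                if t not in ("default", "127.0.0.1", "::1") and "ignore" not in f]
    if default_ignored and not specific:
        findings.append("restrict default ignore with no per-host restrict lines: ntpd drops "
                        "every packet, including replies from its own upstream servers")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":")
        for finding in audit_ntp_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Run it against /etc/ntp.conf before and after the change; the weak sample produces three findings (both address families exposed, monitor enabled) and the hardened one none. The audit reads the file only, so pair it with the external 'ntpdc -n -c monlist' check to confirm the running daemon agrees with the file.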
Q&A??
Thank You!!