Standard User deleted
(deleted) Fri 14-Feb-14 17:16:47

NTP DDoS attacks


I got bit this week... was on holiday and when getting home, my Internet allowance was used up - 27GB in 2 days.

To cut a long story short, it was my fault - years ago I had a server with the NTP pool. Trouble was, I never changed the conf, so it was always open.

Anyway, after sorting that out, and locking down the door, I was still being hit by 100's of requests a minute.

The only way out was to get an IP change - sorted.

Here is a mail I got - please read to make sure you don't get hit by this - your ISP may not be so good to help out:

==================================

The following free online tool can be used to check your IP address:
http://support.ntp.org/ntpq.php

Administrators:
1. If you run ntpd, upgrading to the latest version, which removes the
"monlist" command that is used for these attacks; alternately, disabling the
monitoring function by adding "disable monitor" to your /etc/ntp.conf file.
2. Setting the NTP installation to act as a client only. With ntpd, that can
be done with "restrict default ignore" in /etc/ntp.conf; other daemons
should have a similar configuration option. More information on configuring
different devices can be found here:
https://www.team-cymru.org/ReadingRoom/Templates/sec...
3. Adjusting your firewall or NTP server configuration so that it only
serves your users and does not respond to outside IP addresses.

If you don't mean to run a public NTP server, we recommend #1 and #2. If you
do mean to run a public NTP server, we recommend #1, and also that you
rate-limit responses to individual source IP addresses -- silently
discarding those that exceed a low number, such as one request per IP
address per second. Rate-limit functionality is built into many
recently-released NTP daemons, including ntpd, but needs to be enabled; it
would help with different types of attacks than this one.

Fixing open NTP servers is important; with the 400x+ amplification factor of
NTP DRDoS attacks -- one 40-byte-long request usually generates 18252 bytes
worth of response traffic -- it only takes one machine on an unfiltered 1
Gbps link to create a 450+ Gbps attack!

============================================

Nick
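An added example, not from any post in this thread: a short Python audit of an ntp.conf against the advisory's three points, i.e. `disable monitor`, a `restrict default` line carrying `ignore` or `noquery`, and the `kod limited` rate-limit flags. The two configs are constructed samples and the flag names are standard ntpd `restrict` options; the IPv4 and IPv6 default lines are checked together because a daemon closed over one address family can still be open over the other.

```python
# Constructed sample: the "never changed the conf" state from the first post.
OPEN_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
"""

# Constructed sample: client-only, monitoring off, rate limiting (kod + limited) on.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
disable monitor
restrict -4 default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server 0.pool.ntp.org iburst
"""

def parse_ntp_conf(text):
    """Return (monitor_disabled, default_flags); default_flags is the intersection
    of the flags on every 'restrict default' line (v4 and v6), or None if absent."""
    monitor_disabled, default_flags = False, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "disable" and "monitor" in words[1:]:
            monitor_disabled = True
        elif words[0] == "restrict":
            args = [w for w in words[1:] if w not in ("-4", "-6")]
            if args and args[0] == "default":
                flags = set(args[1:])
                default_flags = flags if default_flags is None else default_flags & flags
    return monitor_disabled, default_flags

def audit_ntp_conf(text):
    """Return findings as strings; an empty list means outsiders cannot query the daemon."""
    monitor_disabled, flags = parse_ntp_conf(text)
    findings = []
    if not monitor_disabled:
        findings.append("monlist still enabled: add 'disable monitor'")
    if flags is None:
        return findings + ["no 'restrict default' line: the daemon answers anyone"]
    if "ignore" not in flags and "noquery" not in flags:
        findings.append("'restrict default' lacks ignore/noquery: remote queries allowed")
    if "ignore" not in flags and "limited" not in flags:
        findings.append("'restrict default' lacks limited: no rate limiting")
    return findings
```

Run `audit_ntp_conf(open("/etc/ntp.conf").read())` on a real box; an empty list is the goal, and each finding names the directive to add.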
Standard User caffn8me
(knowledge is power) Fri 14-Feb-14 17:50:53

Re: NTP DDoS attacks


[re: deleted]
I received the same email earlier and was a bit disappointed to discover that the router IOS I updated about three weeks ago to the latest version released on 22 Nov 2013 was vulnerable.

As yet there's no fix or workaround beyond disabling NTP on the router.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs


Standard User camieabz
(sensei) Fri 14-Feb-14 22:59:29

Re: NTP DDoS attacks


[re: caffn8me]
Does disabling NTP on a router prevent a network behind the router from accessing NTP servers in the www?



Standard User deleted
(deleted) Sat 15-Feb-14 07:26:31

Re: NTP DDoS attacks


[re: deleted]
In reply to a post by Lethe:
https://www.team-cymru.org/ReadingRoom/Templates/sec...

Cheers for the heads up...
You might want to remove that pesky . from the URL above.
http://www.team-cymru.org/ReadingRoom/Templates/secu... works better than yours.
Standard User deleted
(deleted) Sat 15-Feb-14 08:45:55

Re: NTP DDoS attacks


[re: camieabz]
No, not in my case. What should happen is that you trust everything on the local network, so requests to an NTP server on the Internet will be allowed to reply - but cold queries to the NTP server will be dropped.

Nick
Standard User caffn8me
(knowledge is power) Sat 15-Feb-14 09:24:47

Re: NTP DDoS attacks


[re: camieabz]
In reply to a post by camieabz:
Does disabling NTP on a router prevent a network behind the router from accessing NTP servers in the www?
Not in this case. All it does is stop the timestamp on router logs being accurate, as the router's own NTP service is not running. Machines inside the router still synchronize with external NTP servers without any problem.

If you are using your router as a firewall, disabling inbound NTP - (TCP and UDP port 123) should still not affect internal synchronization. I wouldn't imagine inbound NTP would be open unless explicitly configured.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User ionic
(fountain of knowledge) Sat 15-Feb-14 10:40:44

Re: NTP DDoS attacks


[re: caffn8me]
Surely you can just adjust the ACL on the external interfaces to prevent inbound NTP from the Internet in general?
Standard User deleted
(deleted) Sat 15-Feb-14 10:50:25

Re: NTP DDoS attacks


[re: ionic]
First of all though, does the router open port 123 anyway?

Use the check here:

http://support.ntp.org/ntpq.php

and also do a scan to see what ports are open:

http://www.t1shopper.com/tools/port-scan/

Nick
Standard User billford
(elder) Sat 15-Feb-14 11:43:37

Re: NTP DDoS attacks


[re: deleted]
Interesting... my setup is that this computer (the "main" one on the LAN, an iMac) uses ntpd to sync with one of the NPL public time servers, everything else on the LAN (including the router) gets its time from this computer (at least, those that give me a choice of server). All using IPv4.

Your first link shows that ntpd is accessible from the internet on this machine over IPv6 but returns zeroes over IPv4. Presumably that's due to not using NAT with IPv6: the link sees the router over IPv4, this machine over IPv6.

The second link only seems to know about IPv4 and says that port 123 on the router is not open.

So the OS X firewall appears to pass incoming IPv6 ntpd requests, not sure it's worth worrying about?

Bill
A level playing field is level in both directions.

Standard User caffn8me
(knowledge is power) Sat 15-Feb-14 11:50:00

Re: NTP DDoS attacks


[re: ionic]
In reply to a post by ionic:
Surely you can just adjust the ACL on the external interfaces to prevent inbound NTP from the Internet in general?
Not according to Cisco. Because NTP uses UDP it's quite easy to spoof the source address which can still result in the router being used for a DDoS attack. I'm sure they'll eventually come up with a fix.

Workaround:
There are no workarounds other than disabling NTP on the device.
<snip>

Warning: Because the feature in this vulnerability utilizes UDP as a
transport, it is possible to spoof the sender's IP address, which may defeat
access control lists (ACLs) that permit communication to these ports from
trusted IP addresses.


Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs