[ntp:questions] Bounce attack via pool server

Jure Sah dustwolfy at gmail.com
Mon Dec 23 13:37:49 UTC 2013



Hello,

I am an administrator of a public NTP server joined to "pool.ntp.org".
Our server has recently been an unwilling party to an NTP UDP-based
bounce attack, and we have received the report attached below.

I would like to continue offering my server in the pool, but I would
also like to secure my server configuration to prevent such attacks in
the future. I am unsure as to what exactly to do, as some of what is
suggested below (for example, turning off UDP support on the time
server) would most likely result in problems for pool users, if not
invalidate my NTP server for use in the pool altogether. I would like
my server to still be as useful as possible for everybody.

I am using ntpd version 4.2.6p3. I have searched through the
www.pool.ntp.org website on the subject and could not find any general
recommendation for a secure setup, however I might not have been
looking in the right places.

Could anyone please help?

LP,
Jure

--------------- attack report:
Date: 2013/12/23

You are running a public, high-numbered-stratum NTP server that
participated in a very large-scale attack against a customer of ours this
morning, generating UDP responses to spoofed requests with bogus
timestamps that claimed to be from the attack target.

Please consider reconfiguring your NTP server in one of these ways:

- To only serve your customers and not respond to outside IP
addresses. If it's a standalone installation, setting the service to
ignore all queries -- such as with "restrict default ignore" in
/etc/ntp.conf, if you run ntpd, or by a simple firewall rule to block
UDP to local port 123 -- would work well for this.
- To rate-limit responses to individual source IP addresses
- To limit queries to TCP-only
- To ignore particularly unlikely queries, such as those representing
dates far in the future or past
- To limit the size of allowed responses; today's were 440 bytes,
which were very large

Example NTP responses from your host during this attack are given
below. Times are PST (UTC-8), and the date is 2013-12-22.

14:35:28.826638 IP (tos 0x0, ttl 44, id 42294, offset 0, flags [DF],
proto UDP (17), length 468) my.ip.123 > 192.223.x.x.9985:
NTPv2, length 440
        Reserved, Leap indicator: clock unsynchronized (192), Stratum
94, poll 3s, precision 42
        Root Delay: 6.001098, Root dispersion: 0.001983, Reference-ID:
0.0.0.130
          Reference Timestamp:  128.000000000 (2036/02/06 22:30:24)
          Originator Timestamp: 1369389827.761623740 (2079/06/30 09:32:03)
          Receive Timestamp:    1.659240901 (2036/02/06 22:28:17)
          Transmit Timestamp:   0.000000000
            Originator - Receive Timestamp:  -1369389826.102382846
            Originator - Transmit Timestamp: -1369389827.761623740

14:35:28.826673 IP (tos 0x0, ttl 44, id 42295, offset 0, flags [DF],
proto UDP (17), length 468) my.ip.123 > 192.223.x.x.9985:
NTPv2, length 440
        Reserved, Leap indicator: clock unsynchronized (192), Stratum
95, poll 3s, precision 42
        Root Delay: 6.001098, Root dispersion: 0.000671, Reference-ID:
0.0.0.134
          Reference Timestamp:  128.000000000 (2036/02/06 22:30:24)
          Originator Timestamp: 637231583.761623740 (2056/04/17 08:14:39)
          Receive Timestamp:    1.517135798 (2036/02/06 22:28:17)
          Transmit Timestamp:   0.000000000
            Originator - Receive Timestamp:  -637231582.244487941
            Originator - Transmit Timestamp: -637231583.761623740
        0x0000:  4500 01d4 a537 4000 2c11 4008 c2f9 c61e  E....7@.,.@.....
        0x0010:  c0df 1de2 007b 2701 01c0 2bd9 d75f 032a  .....{'...+.._.*
        0x0020:  0006 0048 0000 002c 0000 0086 0000 0080  ...H...,........
        0x0030:  0000 0003 25fb 61df c2f9 c61e 0000 0001  ....%.a.........
        0x0040:  8463 0304 0000 0000 0000 0000            .c..........

-John
President
<unfortunate target ISP>
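As an added forensic check, not part of the original post or of John's report, the Python below decodes the hex dump quoted above to see what kind of NTP packet the server actually sent. It assumes only the capture bytes as quoted (the report truncates the 440-byte payload after 48 bytes) and the mode 7 header layout from ntpd's ntp_request.h.

```python
# Hex dump copied from the report: IPv4 header + UDP header + the first
# 48 bytes of the NTP payload (the rest was not included in the report).
HEXDUMP = """
0x0000:  4500 01d4 a537 4000 2c11 4008 c2f9 c61e
0x0010:  c0df 1de2 007b 2701 01c0 2bd9 d75f 032a
0x0020:  0006 0048 0000 002c 0000 0086 0000 0080
0x0030:  0000 0003 25fb 61df c2f9 c61e 0000 0001
0x0040:  8463 0304 0000 0000 0000 0000
"""

def parse_hexdump(text):
    """Turn tcpdump -x style lines ('0x0010:  c0df ...') into bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        _offset, hexpart = line.split(":", 1)
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)

def decode_ntp(pkt):
    """Decode the IPv4/UDP headers and the NTP header that follows them."""
    ihl = (pkt[0] & 0x0F) * 4           # IPv4 header length in bytes
    udp = pkt[ihl:ihl + 8]
    ntp = pkt[ihl + 8:]
    first = ntp[0]
    info = {
        "sport": int.from_bytes(udp[0:2], "big"),
        "dport": int.from_bytes(udp[2:4], "big"),
        "payload_len": int.from_bytes(udp[4:6], "big") - 8,
        "version": (first >> 3) & 0x7,  # VN bits sit in the same place in every mode
        "mode": first & 0x7,
    }
    if info["mode"] == 7:
        # Mode 7 ("private", ntpdc) header: R M VN MODE | A SEQ | IMPL | REQ,
        # then ERR(4) NITEMS(12) | MBZ(4) SIZE(12); the data items follow.
        info["response"] = bool(first & 0x80)
        info["more"] = bool(first & 0x40)     # more packets in this reply
        info["sequence"] = ntp[1] & 0x7F      # what tcpdump printed as "Stratum"
        info["implementation"] = ntp[2]       # what tcpdump printed as "poll"
        info["request_code"] = ntp[3]         # what tcpdump printed as "precision"
        info["nitems"] = int.from_bytes(ntp[4:6], "big") & 0xFFF
        info["item_size"] = int.from_bytes(ntp[6:8], "big") & 0xFFF
    else:
        info["leap"] = first >> 6             # standard mode 3/4 layout
        info["stratum"] = ntp[1]
    return info

def analyze():
    """Decode the report's packet; returns the header fields as a dict."""
    return decode_ntp(parse_hexdump(HEXDUMP))
```

The first payload byte is 0xd7: version 2, mode 7 (the ntpdc "private" mode), a multi-packet response to request code 42 (REQ_MON_GETLIST_1, the monlist query) carrying 6 items of 72 bytes, so tcpdump's "Stratum 95" is really the mode 7 sequence number. In ntpd 4.2.6 such queries are refused without affecting time service by `restrict default kod nomodify notrap nopeer noquery` (or `disable monitor`), which is the pool-friendly alternative to the report's "restrict default ignore".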


