[ntp:questions] Public ntp-server and reflection-attacks

theservman at gmail.com
Thu Nov 21 19:09:27 UTC 2013


On Thursday, 21 November 2013 11:42:39 UTC-5, Rudolf E. Steiner wrote:
> Hi.
> 
> We have strong reflection-attacks on our public timeserver ("ntpd 4.2.6p5").
> 
> The strange behavior is the server receives one packet and sends 100 packets
> to the target.
> 
> Incoming packet:
> 
> ----- begin -----
> Network Time Protocol (NTP Version 2, private)
> Flags: 0x17
> 0... .... = Response bit: Request (0)
> .0.. .... = More bit: 0
> ..01 0... = Version number: NTP Version 2 (2)
> .... .111 = Mode: reserved for private use (7)
> 
> Auth, sequence: 0
> 0... .... = Auth bit: 0
> .000 0000 = Sequence number: 0
> 
> Implementation: XNTPD (3)
> 
> Request code: MON_GETLIST_1 (42)
> ----- end -----
> 
> First outgoing packet:
> 
> ----- begin -----
> Network Time Protocol (NTP Version 2, private)
> Flags: 0xd7
> 1... .... = Response bit: Response (1)
> .1.. .... = More bit: 1
> ..01 0... = Version number: NTP Version 2 (2)
> .... .111 = Mode: reserved for private use (7)
> 
> Auth, sequence: 0
> 0... .... = Auth bit: 0
> .000 0000 = Sequence number: 0
> 
> Implementation: XNTPD (3)
> 
> Request code: MON_GETLIST_1 (42)
> ----- end -----
> 
> Second outgoing packet:
> 
> ----- begin -----
> Network Time Protocol (NTP Version 2, private)
> Flags: 0xd7
> 1... .... = Response bit: Response (1)
> .1.. .... = More bit: 1
> ..01 0... = Version number: NTP Version 2 (2)
> .... .111 = Mode: reserved for private use (7)
> 
> Auth, sequence: 1
> 0... .... = Auth bit: 0
> .000 0001 = Sequence number: 1
> 
> Implementation: XNTPD (3)
> 
> Request code: MON_GETLIST_1 (42)
> ----- end -----
> 
> [...]
> 
> Last outgoing packet:
> 
> ----- begin -----
> Network Time Protocol (NTP Version 2, private)
> Flags: 0x97
> 1... .... = Response bit: Response (1)
> .0.. .... = More bit: 0
> ..01 0... = Version number: NTP Version 2 (2)
> .... .111 = Mode: reserved for private use (7)
> 
> Auth, sequence: 99
> 0... .... = Auth bit: 0
> .110 0011 = Sequence number: 99
> 
> Implementation: XNTPD (3)
> 
> Request code: MON_GETLIST_1 (42)
> ----- end -----
> 
> This means, the attacker sends _one_ packet and gets _100_ packets to his
> target.
> 
> How can I disable this behavior of ntpd?
> 
> -- 
> Rudolf E. Steiner
> res-usenet at communicate.at

We got hit by the same thing today, right around noon. I don't have detailed packet captures like Rudolf (thanks for that, BTW), but my 100Mbps pipe was completely filled from these requests. Shutting down NTP on my two public servers stopped it.

I've since implemented Michael's suggestion and I will be re-opening port 123 in the firewall... maybe later...

Ian
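The capture quoted above is the classic ntpd mode 7 "monlist" amplification pattern: an 8-byte private-mode request with request code MON_GETLIST_1 (42) is answered by a stream of response packets carrying the More bit and an incrementing sequence number until the last one clears the bit. The following Python decodes that header byte for byte, reproduces the one-request/100-reply exchange from the capture, measures the amplification ratio, and flags spoofed victims from a list of (src, dst, payload) tuples. This is an added example, not code from the thread or from the ntp project; the item size (72 bytes per entry) and the six entries per reply packet are assumptions chosen to resemble a typical ntpd 4.2.6 monlist reply, and the addresses in the sample are constructed.

```python
"""Decode NTP mode 7 (private) packets and measure monlist amplification."""
import struct

# Mode 7 request codes from ntpd's ntp_request.h.
REQ_MON_GETLIST = 20    # older "monlist" request code
REQ_MON_GETLIST_1 = 42  # MON_GETLIST_1, the code seen in the capture above
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}
IMPL_XNTPD = 3          # Implementation: XNTPD (3)

# Assumed sizes for the constructed reply stream (not taken from the page):
# one info_monitor_1 entry and how many fit in a mode 7 data area.
MON_ITEM_SIZE = 72
ITEMS_PER_PACKET = 6


def parse_mode7_header(pkt: bytes) -> dict:
    """Decode the 8-byte mode 7 header: flags, auth/seq, impl, code, err/nitems, mbz/size."""
    if len(pkt) < 8:
        raise ValueError("too short for a mode 7 header")
    flags, auth_seq, impl, code, err_nitems, mbz_isize = struct.unpack("!BBBBHH", pkt[:8])
    return {
        "response": bool(flags & 0x80),   # R bit: 0 = request, 1 = response
        "more": bool(flags & 0x40),       # M bit: more reply packets follow
        "version": (flags >> 3) & 0x07,   # 0x17 -> version 2
        "mode": flags & 0x07,             # 7 = reserved for private use
        "auth": bool(auth_seq & 0x80),
        "sequence": auth_seq & 0x7F,      # 7-bit sequence number
        "implementation": impl,
        "request_code": code,
        "error": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "item_size": mbz_isize & 0x0FFF,
    }


def is_monlist_request(pkt: bytes) -> bool:
    """True for a mode 7 request carrying MON_GETLIST or MON_GETLIST_1."""
    try:
        h = parse_mode7_header(pkt)
    except ValueError:
        return False
    return h["mode"] == 7 and not h["response"] and h["request_code"] in MONLIST_CODES


def build_request(req_code: int = REQ_MON_GETLIST_1) -> bytes:
    """Constructed request matching the incoming packet above: flags 0x17, seq 0, XNTPD, code 42."""
    return struct.pack("!BBBBHH", 0x17, 0x00, IMPL_XNTPD, req_code, 0, 0)


def build_responses(n_packets: int, req_code: int = REQ_MON_GETLIST_1) -> list:
    """Constructed reply stream: every packet but the last sets the More bit (0xd7), the last does not (0x97)."""
    out = []
    for seq in range(n_packets):
        more = seq < n_packets - 1
        flags = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
        hdr = struct.pack("!BBBBHH", flags, seq & 0x7F, IMPL_XNTPD, req_code,
                          ITEMS_PER_PACKET, MON_ITEM_SIZE)
        out.append(hdr + b"\x00" * (ITEMS_PER_PACKET * MON_ITEM_SIZE))
    return out


def amplification(request: bytes, responses: list) -> tuple:
    """Return (reply packets per request, reply bytes per request byte)."""
    return len(responses), sum(len(r) for r in responses) / len(request)


def flag_reflection(packets: list, packet_threshold: int = 10) -> dict:
    """Group (src, dst, payload) tuples and report likely spoofed victims.

    The victim appears as the source of monlist requests and the destination
    of mode 7 replies; more than packet_threshold replies per request is flagged.
    """
    requests, replies = {}, {}
    for src, dst, payload in packets:
        if is_monlist_request(payload):
            requests[src] = requests.get(src, 0) + 1
            continue
        try:
            h = parse_mode7_header(payload)
        except ValueError:
            continue
        if h["mode"] == 7 and h["response"] and h["request_code"] in MONLIST_CODES:
            replies[dst] = replies.get(dst, 0) + 1
    return {
        victim: {"requests": n, "replies": replies.get(victim, 0)}
        for victim, n in requests.items()
        if replies.get(victim, 0) / n > packet_threshold
    }


if __name__ == "__main__":
    req = build_request()
    resps = build_responses(100)
    print(parse_mode7_header(req))
    print("packets x%d, bytes x%.0f" % amplification(req, resps))
    sample = [("198.51.100.9", "ntp.example", req)] + [("ntp.example", "198.51.100.9", r) for r in resps]
    print(flag_reflection(sample))
```

Nothing in the request authenticates the source address, which is why the spoofed victim receives the whole reply stream. On ntpd 4.2.6 the reply stream is turned off with `disable monitor` in ntp.conf, and `restrict default kod nomodify notrap nopeer noquery` refuses mode 6 and mode 7 queries from everyone not explicitly allowed; the detector above is only useful for confirming the pattern in a capture before or after that change.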
