[ntp:security] monlist reflective DDoS

Christian Rossow christian.rossow at gmail.com
Fri Aug 9 07:18:36 UTC 2013


>> Have you heard of any DRDoS attacks likes this?
> No, and have you actually tested this?  If so, exactly how?
I've scanned 1 million random hosts in the IPv4-advertized space, which
is approx. 1/2700th of all advertized IPs. For each host, I sent an
8-byte-long monlist request to UDP port 123. In total, 552 servers
responded, 115 of which with more than 1 packet and 1kB. Extrapolating
this to the IPv4 space (ignoring IPv6 for now) this gives ~1,490,000
servers that respond, of which 310,000 respond with more than 1kB to an
8B request. Note that I sent only a single packet -- no nonces/session.

You can try a subset of them:
$ NTPQRY="\x17\x00\x03\x2a\x00\x00\x00\x00"
$ echo -ne "${NTPQRY}" | nc -u 123 -w 1 | wc -c
$ echo -ne "${NTPQRY}" | nc -u 123 -w 1 | wc -c
$ echo -ne "${NTPQRY}" | nc -u 123 -w 1 | wc -c
$ echo -ne "${NTPQRY}" | nc -u 123 -w 1 | wc -c

I can share further IPs or .pcaps upon request.

The responses suggest NTP implementation 0x03, which Wireshark tells
me is xntpd. I also successfully tested this request on my Fedora
machine, which runs an ntpd v4.2.6p5.

> Is this mode 7 or mode 6 requests?
> We think that the mode 7 monlist request is a no-op, and the mode 6
> request requires a nonce exchange before the monlist response is sent.
> But we might have missed something.
Not sure what you mean. The request code is 42 (MON_GETLIST_1). Maybe
you can answer this from the NTPQRY above.

> I would hope that if we have missed something and your observation is
> correct that you'll coordinate your publication with CERT before making
> this information public.
Yes, certainly. The publication cycle is awfully slow (~6 months from
now). As soon as you and I agree that this is indeed something severe
we can start coordinating with CERTs.

So -- what do you think?
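For readers who want to decode the NTPQRY bytes above rather than take the request code on faith, the following Python is an added example and is not part of this message, of the list discussion, or of ntpd's own code. It decodes the fixed 8-byte mode 7 header (the req_pkt layout from ntpd's ntp_request.h: rm_vn_mode, auth_seq, implementation, request, err_nitems, mbz_itemsize), flags unsolicited MON_GETLIST_1 requests the way a network sensor would, and measures how many bytes a single request pulls back. The reply packets it measures are constructed sample data (correct headers, zero-filled entries), not captures; the 72-byte entry size and 6 entries per reply packet are ntpd's mode 7 protocol constants, and the 600-entry table size is an assumption for the sake of the computation.

```python
import struct
from dataclasses import dataclass
from typing import Iterable

# Constants from ntpd's mode 7 ("private") protocol definitions (ntp_request.h).
IMPL_XNTPD = 3            # implementation number, what Wireshark labels "xntpd"
REQ_MON_GETLIST_1 = 42    # request code for monlist
MONLIST_ITEM_SIZE = 72    # sizeof(struct info_monitor_1), one monlist entry

# The 8-byte request from the message above: mode 7, version 2, impl 3, request 42.
NTPQRY = b"\x17\x00\x03\x2a\x00\x00\x00\x00"


@dataclass
class Mode7Header:
    response: bool      # set on replies from the server
    more: bool          # set when further reply packets follow
    version: int
    mode: int           # 7 for the private/monitoring protocol
    auth: bool
    sequence: int       # packet sequence number within a multi-packet reply
    implementation: int
    request: int        # request code, 42 == MON_GETLIST_1
    err: int
    nitems: int         # number of data items carried in this packet
    itemsize: int       # size of each data item in bytes


def parse_mode7_header(pkt: bytes) -> Mode7Header:
    """Decode the fixed 8-byte header of an NTP mode 7 request or response."""
    if len(pkt) < 8:
        raise ValueError("packet shorter than the 8-byte mode 7 header")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(
        "!BBBBHH", pkt[:8])
    return Mode7Header(
        response=bool(rm_vn_mode & 0x80),
        more=bool(rm_vn_mode & 0x40),
        version=(rm_vn_mode >> 3) & 0x07,
        mode=rm_vn_mode & 0x07,
        auth=bool(auth_seq & 0x80),
        sequence=auth_seq & 0x7F,
        implementation=impl,
        request=req,
        err=(err_nitems >> 12) & 0x0F,
        nitems=err_nitems & 0x0FFF,
        itemsize=mbz_itemsize & 0x0FFF,
    )


def is_monlist_request(pkt: bytes) -> bool:
    """True for an unsolicited mode 7 MON_GETLIST_1 request: the packet a
    sensor would flag on its way into an NTP server (or out of a network)."""
    try:
        h = parse_mode7_header(pkt)
    except ValueError:
        return False
    return h.mode == 7 and not h.response and h.request == REQ_MON_GETLIST_1


def build_sample_monlist_response(nitems: int, seq: int, more: bool) -> bytes:
    """CONSTRUCTED sample reply: a valid mode 7 response header followed by
    zero-filled entries. Real replies carry recent client addresses here."""
    flags = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
    hdr = struct.pack("!BBBBHH", flags, seq & 0x7F, IMPL_XNTPD,
                      REQ_MON_GETLIST_1, nitems, MONLIST_ITEM_SIZE)
    return hdr + b"\x00" * (nitems * MONLIST_ITEM_SIZE)


def summarize_monlist_reply(packets: Iterable[bytes]) -> dict:
    """Walk the reply packets of one monlist exchange and report how many
    packets, entries and bytes a single request produced."""
    total_bytes = packets_seen = entries = 0
    for pkt in packets:
        h = parse_mode7_header(pkt)
        if not (h.response and h.mode == 7 and h.request == REQ_MON_GETLIST_1):
            continue
        packets_seen += 1
        total_bytes += len(pkt)
        entries += h.nitems
    return {"packets": packets_seen, "entries": entries, "bytes": total_bytes}


def amplification_factor(request: bytes, packets: Iterable[bytes]) -> float:
    """Bytes returned per byte sent: the figure that makes monlist a DRDoS
    vector, since the reply goes to whatever source address the request names."""
    return summarize_monlist_reply(packets)["bytes"] / len(request)


if __name__ == "__main__":
    # ntpd packs 6 entries of 72 bytes into each 440-byte reply packet; an
    # assumed full 600-entry monlist table therefore comes back as 100 packets.
    reply = [build_sample_monlist_response(6, seq, seq < 99) for seq in range(100)]
    print(parse_mode7_header(NTPQRY))
    print(is_monlist_request(NTPQRY))
    print(summarize_monlist_reply(reply))
    print(amplification_factor(NTPQRY, reply))
```

The decoder answers the mode 6 versus mode 7 question directly: the low three bits of the first byte (0x17) are 7, the response bit is clear, and the request byte is 42, so this is a mode 7 MON_GETLIST_1 request with no nonce involved. Run against the constructed 100-packet reply the same function reports 44,000 bytes back for an 8-byte request, which is the kind of ratio that matters when the source address is spoofed.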
