[ntp:security] monlist reflective DDoS

Danny Mayer mayer at pdmconsulting.net
Sun Aug 11 02:33:13 UTC 2013

On 8/9/2013 3:18 AM, Christian Rossow wrote:
> You can try a subset of them:
> $ NTPQRY="\x17\x00\x03\x2a\x00\x00\x00\x00"
> $ echo -ne "${NTPQRY}" | nc -u 123 -w 1 | wc -c
> 38280
> $ echo -ne "${NTPQRY}" | nc -u 123 -w 1 | wc -c
> 29848
> $ echo -ne "${NTPQRY}" | nc -u 123 -w 1 | wc -c
> 12688
> $ echo -ne "${NTPQRY}" | nc -u 123 -w 1 | wc -c
> 16576

If you use ntpq -c rv you would be able to tell that these
systems are running old versions of NTP. The first two are running 4.2.0
while the latter two are running 4.2.4p5. That means you must be running
mode 7 packets. monlist is an ntpdc option which uses mode 7 (private
mode) packets. New versions of ntpd have moved this to ntpq which uses
mode 6 packets and I believe that there's a confirmatory packet sent
before returning the list. Harlan was going to confirm that.

> I can share further IPs or .pcaps upon request.
> The responses suggest NTP implementation 0x03, for which Wireshark tells
> me is xntpd. I also successfully tested this request on my Fedora
> machine, which runs an ntpd v4.2.6p5.

Not necessarily. See the output of ntpq. The response may set the
version to 3 but it doesn't mean that's what it's running.

>> Are these mode 7 or mode 6 requests?
>> We think that the mode 7 monlist request is a no-op, and the mode 6
>> request requires a nonce exchange before the monlist response is sent.
>> But we might have missed something.
> Not sure what you mean. The request code is 42 (MON_GETLIST_1). Maybe
> you can answer this from the NTPQRY above.

Based on the versions of the servers, you are sending mode 7 packets, and
that is a known issue. Someone would have to dig up the information on
this, but it is known.

>> I would hope that if we have missed something and your observation is
>> correct that you'll coordinate your publication with CERT before making
>> this information public.
> Yes, certainly. The publication cycle is awfully slow (~6 months from
> now). As soon as you and I agree that this is indeed something severe
> we can start coordinating with CERTs.

We cannot force people to upgrade their versions of ntpd and there may
very well be a CERT already on this. I seem to recall that you can
disable mode 7 packets, but I'll leave it to Harlan to confirm.

What conference is this for?
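The thread turns on whether the probe is a mode 7 (ntpdc) or mode 6 (ntpq) packet, which implementation byte and request code it carries, and whether a server answered it. The decoder below is an added example written for this archive page, not code from the thread or from the NTP project; it pulls those fields out of the 8-byte mode 7 header so a defender can flag MON_GETLIST requests and responses in captured traffic. The field layout and the constants (IMPL_XNTPD = 3, REQ_MON_GETLIST = 20, REQ_MON_GETLIST_1 = 42) follow ntpd's ntp_request.h; the sample packets other than NTPQRY are constructed.

```python
import struct
from dataclasses import dataclass

# Values from ntpd's ntp_request.h for the mode 7 ("private") protocol.
IMPL_NAMES = {0: "UNIV", 2: "XNTPD_OLD", 3: "XNTPD"}
MON_GETLIST_CODES = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}

@dataclass
class Mode7Header:
    response: bool        # R bit: set on packets a server sends back
    more: bool            # M bit: further response packets follow
    version: int
    auth: bool            # A bit: request carried a MAC
    sequence: int
    implementation: int   # 3 == XNTPD, the value Wireshark labels xntpd
    request_code: int     # 42 == MON_GETLIST_1, as in the thread
    err: int
    nitems: int           # data items in this packet (responses only)
    item_size: int        # bytes per data item (responses only)

def parse_ntp_mode7(pkt: bytes):
    """Decode the 8-byte mode 7 header; None if the packet is not mode 7."""
    if len(pkt) < 8:
        return None
    b0, b1, impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    if b0 & 0x07 != 7:          # low 3 bits of byte 0 are the NTP mode
        return None
    return Mode7Header(
        response=bool(b0 & 0x80), more=bool(b0 & 0x40),
        version=(b0 >> 3) & 0x07,
        auth=bool(b1 & 0x80), sequence=b1 & 0x7F,
        implementation=impl, request_code=req,
        err=err_nitems >> 12, nitems=err_nitems & 0x0FFF,
        item_size=mbz_size & 0x0FFF,
    )

def classify_monlist(pkt: bytes):
    """'request' for a MON_GETLIST(_1) query, 'response' for a server's
    answer to one (R bit set), None for any other packet."""
    h = parse_ntp_mode7(pkt)
    if h is None or h.request_code not in MON_GETLIST_CODES:
        return None
    return "response" if h.response else "request"

# Constructed samples: the NTPQRY from the thread, a monlist reply header
# (6 items of 72 bytes), an ntpq mode 6 readvar packet, a mode 3 client poll.
NTPQRY = b"\x17\x00\x03\x2a\x00\x00\x00\x00"
MONLIST_REPLY_HDR = b"\x97\x00\x03\x2a\x00\x06\x00\x48"
MODE6_READVAR = b"\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00"
MODE3_CLIENT = b"\x1b" + b"\x00" * 47
```

Run over an outbound capture from an NTP server, a steady stream of "response" classifications toward addresses that never poll it is the amplification symptom discussed above; "request" hits on the inbound side show who is probing for it.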
