[ntp:security] monlist reflective DDoS

Christian Rossow christian.rossow at gmail.com
Thu Aug 15 06:08:57 UTC 2013


Hi guys,

>> I started the scan yesterday and will come back to you when it's
>> finished (probably in about 2 days).
My complete /0 IPv4 NTP version scan finished yesterday. To be precise,
I sent a 12B request (hex: '16020001 00000000 00000000'), which is
exactly the request I captured from `ntpq -c rv`.

I imported the parsed responses to a database. Basically, I extracted
the 'version', 'system' and 'processor' values from the responses (if
any), and added an 'n/a' if no value was given.

In total I found ~7,000,000 devices that responded. Some statistics:


= NTP HOST OS =

 system    |  count
-----------+---------
 cisco     | 2922849 --> never return 'version' or 'processor' values
 Linux     | 1771920 --> run ntpd, mixed versions
 UNIX      | 1315978 --> return '4' as version; unclear what software
 FreeB     |  348790 --> run ntpd, mixed versions
 n/a       |  338678
 JUNOS     |  196858 --> run ntpd (typically ntpd 4.2.0-a)
 SunOS     |   17972
 NetBS     |   14912
 VMker     |   14015


= VERSIONS =

 version    |  count
------------+---------
 n/a        | 3292974 --> see 'cisco' systems, non-ntpd instances?
 4          | 1303982 --> see 'UNIX' system
 ntpd 4.2.4 |  956017
 ntpd 4.1.1 |  663750
 ntpd 4.2.0 |  286022
 ntpd 4.1.0 |  250577
 ntpd 4.2.6 |  141067
 ntpd 4.2.2 |   56209
 4.2.4p0    |   11297
 ntpd 4.1.2 |    6812



= PROCESSOR ARCHITECTURE =

         proc          |  count
-----------------------+---------
 n/a                   | 3283795 --> 'cisco' devices
 unknown               | 1317753 --> 'UNIX' devices
 mips                  | 1068654 --> routers?
 ppc                   |  424459
 i386                  |  367054
 x86_64                |  142872
 amd64                 |   97258
 i686                  |   85018
 powerpc               |   83666



This reveals the most significant overall NTP server setups:

 system |      proc       | s/w     |  count
--------+-----------------+---------+---------
 cisco  | n/a             | n/a     | 2922849
 UNIX   | unknown         | 4       | 1303394
 Linux  | mips            | ntpd    | 1062802
 Linux  | ppc             | ntpd    |  424396
 n/a    | n/a             | n/a     |  338662
 FreeB  | i386            | ntpd    |  269932
 Linux  | x86_64          | ntpd    |  129569
 JUNOS  | i386            | ntpd    |   85528
 Linux  | i686            | ntpd    |   84073
 JUNOS  | powerpc         | ntpd    |   83659
 FreeB  | amd64           | ntpd    |   78167
 Linux  | armv5tel        | ntpd    |   24597



Questions to you guys:
 * Do you know what NTP server is behind sys='UNIX' and ver='4'?
 * Do you know if Cisco uses ntpd? (BTW, I already found a security
contact at Cisco and will get in contact with them, too.)


Have you already discussed possible solutions internally? Harlan, you
mentioned a closed wiki earlier; I'd be happy to contribute there.

Cheers,
Christian
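The request and response handling described in the message above, as an added example that is not part of the original mail or of the ntp project's code: it rebuilds the 12-byte mode 6 READVAR request quoted above (byte 0 = 0x16: LI 0, VN 2, mode 6; byte 1 = 0x02: opcode READVAR; sequence 1), parses the mode 6 response header, reassembles a reply that arrives in several fragments (offset/count fields, "more" bit), splits the comma-separated, optionally quoted variable list into a dict, and extracts 'version', 'system' and 'processor' with 'n/a' for missing values, as the scan did. It also reports how many bytes the responder returns per byte sent, the quantity that matters for reflection. The two sample responses are constructed for the example; the Cisco-style one simply omits 'version' and 'processor' as the table above reports.

```python
"""Build the mode 6 READVAR request used in the scan and parse its responses."""
import struct

# 12-byte control header: LI/VN/Mode, R/E/M/Opcode, sequence, status,
# association id, offset, count (all big-endian, per RFC 1305 appendix B).
HDR = struct.Struct(">BBHHHHH")
CTL_OP_READVAR = 2

# The exact request quoted in the message: hex 16020001 00000000 00000000
READVAR_REQUEST = bytes.fromhex("16020001" "00000000" "00000000")


def build_readvar_request(sequence=1):
    """Construct the request as ntpq -c rv sent it (VN=2, mode 6, opcode 2)."""
    li_vn_mode = (0 << 6) | (2 << 3) | 6      # 0x16
    r_e_m_op = CTL_OP_READVAR                 # no response/error/more flags
    return HDR.pack(li_vn_mode, r_e_m_op, sequence, 0, 0, 0, 0)


def parse_fragment(pkt):
    """Return (header fields, payload) for one mode 6 packet; reject non-control data."""
    if len(pkt) < HDR.size:
        raise ValueError("short control packet")
    b0, b1, seq, status, assoc, offset, count = HDR.unpack_from(pkt)
    if b0 & 0x07 != 6:
        raise ValueError("not an NTP mode 6 packet")
    hdr = {
        "version": (b0 >> 3) & 0x07,
        "response": bool(b1 & 0x80),
        "error": bool(b1 & 0x40),
        "more": bool(b1 & 0x20),
        "opcode": b1 & 0x1F,
        "sequence": seq, "status": status, "assoc": assoc,
        "offset": offset, "count": count,
    }
    payload = pkt[HDR.size:HDR.size + count]
    if len(payload) != count:
        raise ValueError("count field exceeds packet length")
    return hdr, payload


def reassemble(fragments):
    """Join READVAR response fragments by offset; 'more' is set on all but the last."""
    chunks = []
    for frag in fragments:
        hdr, payload = parse_fragment(frag)
        if not hdr["response"] or hdr["opcode"] != CTL_OP_READVAR:
            raise ValueError("not a READVAR response")
        chunks.append((hdr["offset"], payload))
    chunks.sort()
    data = b""
    for offset, payload in chunks:
        if offset != len(data):
            raise ValueError("gap or overlap in fragment offsets")
        data += payload
    return data


def parse_variables(data):
    """Split 'k=v, k2="a, b", k3' into a dict; quoted values may contain commas."""
    text = data.decode("ascii", errors="replace")
    items, cur, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote          # quotes are delimiters, not content
        elif ch in ",\r\n" and not in_quote:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    out = {}
    for item in items:
        item = item.strip()
        if item:
            key, _, value = item.partition("=")
            out[key.strip()] = value.strip()
    return out


def classify(fragments, request=READVAR_REQUEST):
    """Extract the three scanned fields ('n/a' if absent) plus bytes returned per byte sent."""
    variables = parse_variables(reassemble(fragments))
    rec = {k: variables.get(k, "n/a") for k in ("version", "system", "processor")}
    rec["amplification"] = round(sum(len(f) for f in fragments) / len(request), 1)
    return rec


def make_response(payload, sequence=1, frag_size=48):
    """Constructed test data only: split a READVAR payload into mode 6 response fragments."""
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        more = 0x20 if off + frag_size < len(payload) else 0
        frags.append(HDR.pack(0x16, 0x80 | more | CTL_OP_READVAR,
                              sequence, 0, 0, off, len(chunk)) + chunk)
    return frags


# Constructed samples (not captured traffic): an ntpd-style reply and a
# Cisco-style reply that carries no 'version' or 'processor' variable.
SAMPLE_LINUX = (b'version="ntpd 4.2.6p5@1.2349-o Sat May 12 09:07:19 UTC 2012 (1)", '
                b'processor="x86_64", system="Linux/3.2.0-4-amd64", leap=00, stratum=3')
SAMPLE_CISCO = b'system="cisco", leap=00, stratum=4, precision=-18'

if __name__ == "__main__":
    assert build_readvar_request() == READVAR_REQUEST
    print(classify(make_response(SAMPLE_LINUX)))
    print(classify(make_response(SAMPLE_CISCO)))
```

Fragments are ordered by the offset field rather than by arrival, so out-of-order UDP delivery does not corrupt the variable list, and a count that overruns the datagram is rejected rather than read past the buffer.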

