Mechanics of the NTP DDoS Attack.
Micron21 - NTP Reflection (Amplification) DDoS Attack - Request Packet
The NTP reflection (or amplification) attack has become a prevailing and unfortunately persistent breed of DDoS attack over the last few months. Why?
NTP (Network Time Protocol) is used for system time synchronization. It is based on UDP transport (Port 123) and provides certain commands which are available to clients to request information.
It’s a relatively cheap and easy attack to launch: spoofed UDP packets, sent from anywhere between a handful of hosts and a highly distributed botnet, are directed at NTP servers across the world, which together can magnify the request payload by up to 700x and forward the NTP responses to the target network.
In our research, capturing an in-the-wild distributed stream of spoofed attack packets directed at an open and well-known NTP server (running version 4.2.7 or earlier), we found the attack request payload to be 50 bytes in length, as shown in the screen capture below.
We have found that filtering inbound UDP traffic on port 123 for packets 50 bytes in length is one way to prevent the attack from reaching the destination NTP server that is being used as the amplifier. Of course, this level of filtering assumes the request packet length stays at 50 bytes.
The above “unknown” attack tool clearly creates an attack request of 50 bytes in size; however, its origin is currently unknown.
Known attack tools produce the following attack requests.
- ntpdos.py makes a default request packet of 60 bytes in size
- ntp_monlist.py makes a default request packet of 234 bytes in size
- monlist from ntpdc makes a default request packet of 234 bytes in size
Each attack tool also allows the packet size to be increased by varying the amount of “offset” padding, appending zeroes to the request.
The payload, however, is almost common to all attacks, consisting of the hex string "\x17\x00\x03\x2a" . "\x00" x 4 (the four bytes 17 00 03 2a followed by four zero bytes).
In contrast, a normal NTP time-sync request is about 90 bytes in size, which makes it straightforward to distinguish normal requests from monlist requests using packet-matching techniques.
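The distinction between the two filtering approaches described above (match the exact 50-byte size, or match the request structure) can be made concrete with a small classifier. The following is an added example written for this article, not Micron21's own code or tooling. It decodes the first byte of an NTP payload (leap/version/mode per RFC 5905) and, for private mode-7 packets, the implementation and request-code bytes that ntpd's ntp_request.h defines (MON_GETLIST = 20, MON_GETLIST_1 = 42 = 0x2a). It assumes the byte counts in the article are full Ethernet/IPv4 frame lengths, which is consistent with an 8-byte payload giving 50 bytes and a 48-byte client payload giving about 90. The sample payloads are constructed, not captured traffic.

```python
"""Classify NTP request payloads to separate legitimate time-sync traffic
from monlist (private mode 7) requests, as a building block for an edge filter.

Added example for this article; not Micron21's code.  Field layout follows
RFC 5905 for ordinary NTP packets and ntpd's mode-7 request header
(ntp_request.h) for the private commands.
"""
from dataclasses import dataclass
from typing import Optional

# ntp_request.h request codes that return the "last clients" monitor list.
REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42        # 0x2a, the byte seen in the captured payload

# Assumption: Ethernet (14) + IPv4 (20) + UDP (8) header overhead, used to
# compare payload sizes against the frame sizes quoted in the article.
FRAME_OVERHEAD = 14 + 20 + 8


@dataclass
class NtpVerdict:
    category: str                      # see classify_ntp_payload()
    version: int
    mode: int
    request_code: Optional[int] = None  # only meaningful for mode 7


def classify_ntp_payload(payload: bytes) -> NtpVerdict:
    """Return a coarse class for one UDP/123 payload."""
    if len(payload) < 4:
        return NtpVerdict("malformed", 0, 0)
    first = payload[0]
    version = (first >> 3) & 0x7          # VN field, bits 3-5
    mode = first & 0x7                    # mode field, bits 0-2
    if mode == 7:
        # Mode-7 header: byte0 R/M/VN/mode, byte1 auth+seq,
        # byte2 implementation, byte3 request code.
        is_response = bool(first & 0x80)
        req_code = payload[3]
        if is_response:
            return NtpVerdict("mode7-response", version, mode, req_code)
        if req_code in (REQ_MON_GETLIST, REQ_MON_GETLIST_1):
            return NtpVerdict("monlist-request", version, mode, req_code)
        return NtpVerdict("mode7-other", version, mode, req_code)
    if mode == 6:
        return NtpVerdict("control", version, mode)
    if len(payload) < 48:                 # a real time message is >= 48 bytes
        return NtpVerdict("malformed", version, mode)
    if mode == 3:
        return NtpVerdict("client-request", version, mode)
    return NtpVerdict("other-time-message", version, mode)


def length_rule_drops(frame_len: int, payload: bytes) -> bool:
    """The article's edge rule: frame exactly 50 bytes and payload
    beginning with 17 00 03 2a."""
    return frame_len == 50 and payload.startswith(b"\x17\x00\x03\x2a")


def header_rule_drops(payload: bytes) -> bool:
    """Structural rule: any mode-7 request carrying a monlist request code,
    regardless of how much zero padding ("offset") follows it."""
    return classify_ntp_payload(payload).category == "monlist-request"


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "captured-style monlist": b"\x17\x00\x03\x2a" + b"\x00" * 4,   # 8 B -> 50 B frame
    "padded monlist":         b"\x17\x00\x03\x2a" + b"\x00" * 14,  # 18 B -> 60 B frame
    "normal client sync":     bytes([0x23]) + b"\x00" * 47,        # LI=0 VN=4 mode 3, 48 B -> 90 B frame
    "mode7 non-monlist":      b"\x17\x00\x03\x00" + b"\x00" * 4,   # request code 0, not a monlist code
}


def evaluate(samples=SAMPLES):
    """Run both rules over the samples; returns
    (name, frame_len, category, dropped_by_length_rule, dropped_by_header_rule)."""
    rows = []
    for name, payload in samples.items():
        frame_len = FRAME_OVERHEAD + len(payload)
        verdict = classify_ntp_payload(payload)
        rows.append((name, frame_len, verdict.category,
                     length_rule_drops(frame_len, payload),
                     header_rule_drops(payload)))
    return rows


if __name__ == "__main__":
    for name, flen, cat, by_len, by_hdr in evaluate():
        print(f"{name:24} frame={flen:3d}B  class={cat:18} "
              f"len-rule-drop={str(by_len):5}  header-rule-drop={by_hdr}")
```

Running it shows the trade-off the article points at: the 50-byte rule drops only the unpadded request and lets the 60-byte padded variant through, while the header rule catches both and still passes the ordinary 90-byte client sync and non-monlist mode-7 traffic. Either rule is something a router ACL or string-matching firewall rule can express; the header rule is the one that survives an attacker changing the padding.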
NTP Reflection (Amplification) DDoS Attack Example Edge Packet Filtering
Below is a timeline example of a single server participating in a 50 byte NTP DDoS reflection attack.
1 – Normal Traffic to the server
2 – At 8:30am you will notice 10 Mbit/s of inbound traffic and about 90 Mbit/s of outbound traffic.
Typically you would see even greater amplification; however, this physical NTP open relay was configured with a 90 Mbit/s outbound rate limit.
At 9:30am NTP was disabled on the server and all outbound traffic stopped, although inbound traffic was still being received.
3 – At 9:40am NTP was re-enabled for 5 minutes after monlist had been disabled.
4 – At 9:45am, with monlist disabled on the open NTP relay, outbound traffic from the host stopped.
5 – At 11:00am Edge filtering was applied for all inbound requests blocking NTP based packets 50 bytes in size matching for \x17\x00\x03\x2a resulting in all inbound requests not reaching the destination host.
An NTP client can issue a monlist command to query the IP addresses of the last 600 clients which have synchronized time with the targeted NTP server. In this way, only a small request packet is needed to trigger a sequence of UDP response packets containing active IP addresses and other data. This allows the attacker to launch a 700x NTP amplification attack by spoofing the source IP address. Based on a list compiled by the NSFOCUS Threat Response Center, there are more than 400,000 NTP servers around the world that can be used in NTP amplification attacks.
The above article information and analytical work was conducted by James Braunegg and Roland Dobbins, 2014.