.jpg)
17 Mar 2014, Security by Micron21
Micron21 - NTPReflection (Amplification) DDoS Attack - Request Packet
The NTP reflection (or amplification) attack has become a prevailing and unfortunately persistent breed of DDoS attack over the last few months. Why?
NTP (Network Time Protocol) is used for system time synchronization. It is based on UDP transport (Port 123) and provides certain commands which are available to clients to request information.
It’s a relatively cheap and easy attack to launch using spoofed UDP based packets from a handful of hosts all the way to highly distributed botnets targeting NTP servers across the world which together can magnify the payload data request by up to 700x, forwarding the NTP response to the target network.
In our research, capturing a wild distributed request of spoofed attack packets towards an open and known NTP server (which is running version 4.2.7 or earlier) we have found the attack request payload is 50 bytes in length as per the below screen capture.
We have found that filtering for inbound UDP traffic on port 123 which are 50 bytes in length is one way to prevent the attack from reaching the destination NTP server which is used as the amplifier. Of course, this level of filtering assumes the request packet length stays at 50 bytes.
.jpg)
The above “unknown” attack took used clearly creates an attack request of 50 bytes in size however it’s origin is currently unknown.
Known attack tools produce the following attack requests.
Each attack took also gives the ability to increase the packet size by varying the amount of “offset” the attack has with the addition of adding zeroes.
The payload however is almost common amongst all attacks consisting of the hex string"\x17\x00\x03\x2a" . "\x00" x 4”
In contrast a normal NTP request for a time sync is about 90 bytes in size, which clearly allows the ability to block a normal requests vs monlist requests via packet analysis matching techniques.
Below is a timeline example of a single server precipitating in a 50 byte NTP DDoS reflection attack.
An NTP client can issue amonlistcommand to query the IP addresses of the last 600 clients which have synchronized time with the targeted NTP server. In this way, it only requires a small request packet to trigger sequencing UDP response packets that contain active IP addresses and the other data. This allows the attacker to launch a 700x NTP amplification attack by spoofing the source IP address. Based on a list compiled by the NSFOCUS Threat Response Center, there are more than 400,000 NTP servers around the world that can be used in NTP amplification attacks.
The above article information & analytical work has been conducted by James Braunegg and Roland Dobbins 2014
Simple, transparent pricing from Australia's leading cloud provider