25 March 2020

What Is an NTP Amplification Attack?

The NTP protocol is used to synchronise the clocks of machines connected to the internet. NTP receives time information from internal or external devices and uses UDP port 123. In addition to clock synchronisation, older versions of NTP provide a monitoring service that allows administrators to query the traffic count of an NTP server. A command called “monlist” sends the requester a list of the last 600 machines that connected to the queried server.

An NTP Amplification attack is a type of DDoS attack. The attacker abuses public NTP (Network Time Protocol) servers to direct more packets at the target system than its network bandwidth can carry, causing network slowdown or even a complete denial of service. It is a reflection attack: in a reflection attack a server sends its response to a spoofed source IP address, which is the target's IP address.

A DNS Amplification attack uses the same technique, with spoofed DNS requests sent to DNS servers. In a typical DNS Amplification attack the ratio between request and response is 1:70, meaning an attacker can generate 70 Gbps of traffic using only 1 Gbps. In an NTP Amplification attack the ratio between request and response ranges from 1:20 to 1:200, and even greater ratios are achievable. An attacker can use tools such as the Metasploit Framework or the Open NTP Project to send spoofed requests to public NTP servers, flooding the target system’s network bandwidth and causing service disruption or complete denial of service.

An NTP Amplification attack is typically carried out by an attacker using multiple botnets. To execute the attack, only the target system’s IP address is required. The attacker assigns the target system’s IP address as the source IP address field of the malicious request sent to public NTP servers. Through botnets, the short malicious request sent to NTP servers (e.g. MON_GETLIST) causes those servers to send responses to the target system’s IP address. Each response sent will contain information about the last 600 machines that connected to the server.

The request sent to NTP servers triggers an amplification factor that results in a large response being generated. As a result, the target system is exposed to UDP traffic consisting of large response packets. The increase in packet count reaching the target system causes network bandwidth exhaustion, network traffic slowdown, and ultimately a denial of service on the target system.

By using botnets and sending requests over UDP, the attacker protects themselves. UDP, unlike TCP, does not require a three-way handshake before data is transferred. Because UDP performs no source verification or packet filtering, packets are delivered quickly but with no assurance of where they came from. The use of botnets likewise conceals the attacker’s identity. A botnet consists of machines, known as “zombies”, that were compromised through various security vulnerabilities. By routing the malicious UDP requests through the botnet to the NTP servers, the attacker stays hidden.

All amplification attacks exploit the bandwidth asymmetry between the attacker and the targeted system. Bandwidth asymmetry means the attacker is capable of generating traffic that exceeds the target system’s upper bandwidth limit. By sending requests that elicit large responses, the bandwidth limit can be exceeded and the network infrastructure disrupted. Malicious requests can be sent using multiple botnets, which both amplifies the attack intensity and helps the attacker stay hidden.
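The two traits described above, a request-to-response byte ratio far above 1:1 and replies arriving from many servers at a host that never queried them, are what a network monitor can key on. The following is an added example, not code from the original article: it scores NetFlow-style records for NTP reflection victims. The Flow records, the documentation-range addresses and the thresholds (3 reflectors, ratio 20, taken from the lower end of the 1:20 to 1:200 range cited above) are all assumptions made for the illustration.

```python
"""Flag NTP reflection traffic in flow records (added example, constructed data)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

NTP_PORT = 123


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int


class Alert(NamedTuple):
    victim: str
    reflectors: int        # distinct NTP servers replying to the victim
    inbound_bytes: int
    amplification: float   # bytes received from UDP/123 per byte the host sent to UDP/123
    avg_reply_size: float


def score_ntp_reflection(flows: List[Flow], min_reflectors: int = 3,
                         ratio_threshold: float = 20.0) -> List[Alert]:
    """Return one Alert per local host that looks like an amplification victim.

    Two signals are required together: replies from many distinct NTP servers
    (fan-in, because one spoofed request is sent to many reflectors) and a
    reply-to-request byte ratio at or above the assumed amplification factor.
    A host that sent nothing to port 123 yet receives NTP replies gets an
    infinite ratio: the replies were never solicited.
    """
    inbound_bytes: Dict[str, int] = defaultdict(int)
    inbound_pkts: Dict[str, int] = defaultdict(int)
    reflectors: Dict[str, Set[str]] = defaultdict(set)
    outbound_bytes: Dict[str, int] = defaultdict(int)

    for f in flows:
        if f.proto != "udp":
            continue
        if f.src_port == NTP_PORT:        # reply from an NTP server to a local host
            inbound_bytes[f.dst_ip] += f.octets
            inbound_pkts[f.dst_ip] += f.packets
            reflectors[f.dst_ip].add(f.src_ip)
        elif f.dst_port == NTP_PORT:      # request a local host genuinely sent
            outbound_bytes[f.src_ip] += f.octets

    alerts = []
    for host, rcvd in inbound_bytes.items():
        sent = outbound_bytes.get(host, 0)
        ratio = rcvd / sent if sent else float("inf")
        avg = rcvd / inbound_pkts[host]
        if len(reflectors[host]) >= min_reflectors and ratio >= ratio_threshold:
            alerts.append(Alert(host, len(reflectors[host]), rcvd, ratio, avg))
    return sorted(alerts, key=lambda a: a.inbound_bytes, reverse=True)


# Constructed sample flows (documentation address ranges, not real hosts).
# Sizes are assumptions: ~90 bytes on the wire per normal client packet,
# ~468 bytes per monlist reply datagram, 100 datagrams for a full reply.
SAMPLE_FLOWS = [
    # 10.0.0.5: a normal client, two requests and two equal-sized replies.
    Flow("10.0.0.5", 50123, "192.0.2.10", 123, "udp", 2, 180),
    Flow("192.0.2.10", 123, "10.0.0.5", 50123, "udp", 2, 180),
    # 10.0.0.7: an admin who ran monlist once against a single server
    # (huge ratio, but only one reflector, so it is not flagged).
    Flow("10.0.0.7", 50200, "192.0.2.20", 123, "udp", 1, 90),
    Flow("192.0.2.20", 123, "10.0.0.7", 50200, "udp", 100, 46800),
    # 10.0.0.99: never sent a request, yet five servers are replying at volume.
    *[Flow(ref, 123, "10.0.0.99", 80, "udp", 100, 46800)
      for ref in ("198.51.100.1", "198.51.100.2", "198.51.100.3",
                  "203.0.113.4", "203.0.113.5")],
]

if __name__ == "__main__":
    for a in score_ntp_reflection(SAMPLE_FLOWS):
        print(f"{a.victim}: {a.reflectors} reflectors, {a.inbound_bytes} bytes in, "
              f"amplification x{a.amplification:.0f}, avg reply {a.avg_reply_size:.0f} B")
```

The fan-in condition is what separates a victim from an administrator who legitimately ran a monlist query once: both show a large ratio, but only the victim is receiving replies from several servers at once. Lowering min_reflectors to 1 makes the example report the administrator's host as well.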

An NTP Amplification attack can be carried out in five steps:

The five steps described above are illustrated in Figure 1.

NTP Amplification Attack diagram
Figure 1: Illustration of an NTP Amplification attack

In Figure 1, the attacker specifies the target system’s IP address as the source IP address within the crafted malicious UDP requests. The requests are sent to NTP servers via botnets using UDP. Because UDP packets do not require a handshake, the NTP server responds with a large reply without verifying the authenticity of the request. The response is sent to the source IP address contained in the request, which is the target system’s IP address. The target system is therefore exposed to large responses generated by UDP requests it never actually sent. NTP servers can thus be exploited as a significant resource for DDoS amplification attacks.

Shodan results showing NTP servers running versions below 4.2.7
Figure 2: Shodan output showing NTP servers running versions prior to 4.2.7

In Figure 2, Shodan is used to list NTP servers running versions older than 4.2.7. With the search query port:123 protocolversion:3, a total of 6,096,865 NTP servers running on port 123 with protocol version 3 are listed.

NTP Amplification Attack Scenario

DDoS attacks are carried out to take target systems offline. An NTP Amplification attack is one of the most effective DDoS techniques. To conduct an NTP Amplification attack, the following are required:

For sending requests to NTP servers, there is a DDoS tool called NTPDoser that performs NTP Amplification attacks. The NTPDoser tool is shown in Figure 3.

NTPDoser tool interface
Figure 3: The NTPDoser tool

The NTPDoser tool can be downloaded by clicking the “Clone or Download” button and then selecting “Download ZIP”. Figure 4 shows the NTPDoser tool being cloned.

Downloading the NTPDoser tool
Figure 4: Downloading the NTPDoser tool

In Figure 4, the NTPDoser tool can be cloned rather than downloaded as a ZIP. In a Linux environment, the following command is run in the terminal to clone the repository: git clone https://github.com/DrizzleRisk/NTPDoser.git. Figure 5 shows the downloaded C++ source code being compiled.

Compiling the NTPDoser.cpp file
Figure 5: Compiling the NTPDoser.cpp file

In Figure 5, running the command gcc NTPDoser.cpp -o NTPDoser -lstdc++ -pthread compiles the NTPDoser.cpp file and produces the NTPDoser executable. The resulting NTPDoser executable is shown in Figure 6.

Executing an NTP Amplification attack with NTPDoser
Figure 6: Executing an NTP Amplification attack using the NTPDoser tool

In Figure 6, an NTP Amplification attack is carried out using the NTPDoser tool. The attack is executed by running the command ./NTPDoser [target_IP] [thread_count] [attack_duration]. The command ./NTPDoser 104.18.40.10 3 10 launches an NTP Amplification attack against the IP address 104.18.40.10 from 3 different threads over a duration of 10 seconds.

Protection Against NTP Amplification Attacks

ISPs can drop all traffic directed at the targeted system’s IP address using blackhole routing/filtering. This allows the ISP to protect itself while rendering the target system unreachable. The most common form of blackholing is routing traffic to an IP address belonging to a non-operational system or to an IP address not assigned to any system.

The number of NTP servers supporting the monlist command can be reduced, or the monlist command can be disabled. NTP software versions older than 4.2.7 should not be used in order to avoid the monlist vulnerability. Organisations running versions prior to 4.2.7 should update their NTP software. If a version upgrade is not possible, the server can be configured in accordance with US-CERT guidance.

By implementing source IP verification, spoofed packets leaving the network can be blocked. If a packet leaving the network carries a source IP address that does not belong to the network, it is identified as spoofed and dropped. ISPs drop traffic with spoofed source addresses in order to block UDP-based amplification attacks.

Disabling the monlist command on NTP servers and applying ingress filtering on networks that allow spoofed IP addresses are the primary measures aimed at preventing amplification attacks.
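The two measures above can each be checked mechanically. What follows is an added example, not code from the article or from the NTP project: audit_ntp_conf parses an ntp.conf and reports whether monlist is still reachable, treating either a disable monitor directive or a noquery flag on every restrict default line (the settings US-CERT recommends) as closing it; bcp38_egress_filter simulates the source-address check, dropping outbound packets whose source is not in the network's own prefixes. The two configuration texts, the prefix 203.0.113.0/24 and the packets are constructed for illustration.

```python
"""Audit ntp.conf for monlist exposure and simulate egress source filtering.

Added example with constructed inputs; not from the article or the NTP project.
"""
import ipaddress
from typing import List, NamedTuple, Tuple


class NtpAudit(NamedTuple):
    monitor_disabled: bool
    noquery_v4: bool
    noquery_v6: bool
    findings: List[str]

    @property
    def monlist_exposed(self) -> bool:
        # monlist is reachable unless the monitor facility is off or every
        # default restriction carries noquery (which refuses ntpdc/ntpq queries).
        return not (self.monitor_disabled or (self.noquery_v4 and self.noquery_v6))


def audit_ntp_conf(text: str) -> NtpAudit:
    """Check an ntp.conf for the two settings that close the monlist query."""
    monitor_disabled = False
    noquery = {"v4": False, "v6": False}   # no 'restrict default' line means unrestricted
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        if tok[0] in ("disable", "enable") and "monitor" in tok[1:]:
            monitor_disabled = tok[0] == "disable"   # the last directive wins
        elif tok[0] == "restrict":
            args = tok[1:]
            families = ["v4", "v6"]                  # plain 'default' covers both families
            if args and args[0] in ("-4", "-6"):
                families = ["v6"] if args[0] == "-6" else ["v4"]
                args = args[1:]
            if args and args[0] == "default":
                for fam in families:
                    noquery[fam] = "noquery" in args[1:]
    findings = []
    if not monitor_disabled:
        findings.append("monitor facility not disabled (add 'disable monitor')")
    for fam in ("v4", "v6"):
        if not noquery[fam]:
            findings.append(f"restrict default ({fam}) lacks noquery")
    return NtpAudit(monitor_disabled, noquery["v4"], noquery["v6"], findings)


class Packet(NamedTuple):
    src: str
    dst: str
    dport: int


def bcp38_egress_filter(packets: List[Packet],
                        internal_prefixes: List[str]) -> Tuple[List[Packet], List[Packet]]:
    """Forward outbound packets only if their source lies in one of our own prefixes."""
    nets = [ipaddress.ip_network(p) for p in internal_prefixes]
    allowed: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        src = ipaddress.ip_address(pkt.src)
        (allowed if any(src in n for n in nets) else dropped).append(pkt)
    return allowed, dropped


# Constructed: a legacy configuration that leaves monlist reachable.
LEGACY_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

# Constructed: hardened along the lines of the US-CERT guidance.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

INTERNAL_PREFIXES = ["203.0.113.0/24"]           # assumed: our own address block
OUTBOUND = [
    Packet("203.0.113.7", "192.0.2.10", 123),    # genuine NTP query from inside
    Packet("198.51.100.20", "192.0.2.10", 123),  # source spoofed to an outside address
]

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        a = audit_ntp_conf(conf)
        print(f"{name}: monlist exposed={a.monlist_exposed} findings={a.findings}")
    ok, bad = bcp38_egress_filter(OUTBOUND, INTERNAL_PREFIXES)
    print(f"egress: forwarded {len(ok)}, dropped spoofed {len(bad)}")
```

Note that a restrict default line without -4 or -6 applies to both address families, while a line with -4 only leaves the IPv6 default unrestricted; the audit tracks the two separately so that a half-hardened file is still reported as exposed.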
