Subject: [SIR-Mail] No.887: Exploitable NTP server used for an attack: LJEC
From: David Cisneros

Dear colleagues and friends,

On the risks and threats coming from the NTP (Network Time Protocol):

"NTP is a protocol based on a client-server model. It provides clients with three fundamental products: clock offset, round-trip delay and dispersion reference. The offset specifies the difference between the local system time and the external clock reference. Round-trip delay specifies the time latencies measured during packet transfers within the network."

I confirm that the permanent station located in the city of Loja, Ecuador (LJEC) has been the victim of this attack.

The receiver located at LJEC is a NetR9 connected to a public IP. Colleagues at TRIMBLE recommend cancelling/disabling the following protocols/services:

NTP
PROXY
DNS

In the specific case of the NetR9 receiver, the changes are made locally and/or remotely through the unit's HTTP web server, Network Configuration menu.

For now, all REGME Ecuador stations have adopted these configuration changes, in order to prevent and avoid NTP attacks like the ones reported at the LJEC station.

Below I include technical details of the detected attack.

Regards,

David Cisneros
REGME IGM - Ecuador

---------- Forwarded message ----------
From: NFOservers.com DDoS notifier <ddos-response@nfoservers.com>
Date: 2014-02-11 3:55 GMT-05:00
Subject: Exploitable NTP server used for an attack: 200.0.31.131
To: abuse@utpl.edu.ec

A public NTP server on your network, running on IP address 200.0.XX.XXX, participated in a very large-scale attack against a customer of ours today, generating UDP responses to spoofed "monlist" requests that claimed to be from the attack target.

Please consider reconfiguring this NTP server in one or more of these ways:

1. If you run ntpd, upgrading to the latest version, which removes the "monlist" command that is used for these attacks; alternately, disabling the monitoring function by adding "disable monitor" to your /etc/ntp.conf file.

2. Setting the NTP installation to act as a client only. With ntpd, that can be done with "restrict default ignore" in /etc/ntp.conf; other daemons should have a similar configuration option. More information on configuring different devices can be found here: https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html .

3. Adjusting your firewall or NTP server configuration so that it only serves your users and does not respond to outside IP addresses.

If you don't mean to run a public NTP server, we recommend #1 and #2.
If you do mean to run a public NTP server, we recommend #1, and also that you rate-limit responses to individual source IP addresses -- silently discarding those that exceed a low number, such as one request per IP address per second. Rate-limit functionality is built into many recently-released NTP daemons, including ntpd, but needs to be enabled; it would help with different types of attacks than this one.

Fixing open NTP servers is important; with the 400x+ amplification factor of NTP DRDoS attacks -- one 40-byte-long request usually generates 18252 bytes worth of response traffic -- it only takes one machine on an unfiltered 1 Gbps link to create a 450+ Gbps attack!

If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.

Further reading:
https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
https://isc.sans.org/forums/diary/NTP+reflection+attack/17300
http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks

You can find more vulnerable servers on a network through this site: http://openntpproject.org/

Example NTP responses from the host during this attack are given below. Timestamps (far left) are PST (UTC-8), and the date is 2014-02-11.

00:48:44.370779 IP 200.0.XX.XXX.123 > 192.223.24.x.25565: NTPv2, Reserved, length 440
	0x0000:  4500 01d4 62c4 0000 3a11 5b96 c800 1f83  E...b...:.[.....
	0x0010:  c0df 185c 007b 63dd 01c0 7e1d d700 032a  ....{c...~....*
	0x0020:  0006 0048 0000 0001 0000 0000 0000 0180  ...H............
	0x0030:  0000 0074 c0df 185c c800 1f83 0000 0001  ...t............
	0x0040:  63dd 0702 0000 0000 0000 0000            c...........
00:48:44.370819 IP 200.0.XX.XXX.123 > 192.223.24.x.25565: NTPv2, Reserved, length 440
	0x0000:  4500 01d4 62c5 0000 3a11 5b95 c800 1f83  E...b...:.[.....
	0x0010:  c0df 185c 007b 63dd 01c0 35bb d701 032a  ....{c...5....*
	0x0020:  0006 0048 0000 0016 0000 002f 0000 0180  ...H......./....
	0x0030:  0000 0014 4722 47f8 c800 1f83 0000 0001  ....G"G.........
	0x0040:  0050 0702 0000 0000 0000 0000            .P..........
00:48:44.370868 IP 200.0.XX.XXX.123 > 192.223.24.x.25565: NTPv2, Reserved, length 440
	0x0000:  4500 01d4 62c6 0000 3a11 5b94 c800 1f83  E...b...:.[.....
	0x0010:  c0df 185c 007b 63dd 01c0 720c d702 032a  ....{c...r....*
	0x0020:  0006 0048 0000 0027 0000 0132 0000 0180  ...H...'...2....
	0x0030:  0000 0050 c692 3565 c800 1f83 0000 0001  ...P..5e........
	0x0040:  0050 0702 0000 0000 0000 0000            .P..........
00:48:44.370905 IP 200.0.31.XXX.123 > 192.223.24.x.25565: NTPv2, Reserved, length 440
	0x0000:  4500 01d4 62c7 0000 3a11 5b93 c800 1f83  E...b...:.[.....
	0x0010:  c0df 185c 007b 63dd 01c0 2643 d703 032a  ....{c...&C...*
	0x0020:  0006 0048 0000 0010 0000 01d5 0000 0180  ...H............
	0x0030:  0000 0028 46a9 66ae c800 1f83 0000 0001  ...(F.f.........
	0x0040:  0050 0702 0000 0000 0000 0000            .P..........
00:48:44.370955 IP 200.0.31.XXX.123 > 192.223.24.x.25565: NTPv2, Reserved, length 440
	0x0000:  4500 01d4 62c8 0000 3a11 5b92 c800 1f83  E...b...:.[.....
	0x0010:  c0df 185c 007b 63dd 01c0 a980 d704 032a  ....{c........*
	0x0020:  0006 0048 0000 0007 0000 036c 0000 0180  ...H.......l....
	0x0030:  0000 0073 5e17 7965 c800 1f83 0000 0001  ...s^.ye........
	0x0040:  0015 0702 0000 0000 0000 0000            ............
00:48:44.372580 IP 200.0.XX.XXX.123 > 192.223.24.x.25565: NTPv2, Reserved, length 440
	0x0000:  4500 01d4 62c9 0000 3a11 5b91 c800 1f83  E...b...:.[.....
	0x0010:  c0df 185c 007b 63dd 01c0 2d6c d705 032a  ....{c...-l...*
	0x0020:  0006 0048 0000 0008 0000 0555 0000 0180  ...H.......U....
	0x0030:  0000 000c 05ef afe6 c800 1f83 0000 0001  ................
	0x0040:  05e9 0702 0000 0000 0000 0000            ............

(The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "92".)

-John
President
Nuclearfallout Enterprises, Inc. (NFOservers.com)
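Added example, not code from either message, NFOservers, Trimble or REGME: a small Python decoder for the tcpdump -X dumps above. It parses the IPv4 and UDP headers and the NTP mode 7 ("private", shown by tcpdump as "Reserved") header of the first response packet and checks that it is a monlist (MON_GETLIST_1, request code 42) response, then decodes the first monitor-list entry. The header and entry layouts follow ntp_request.h from the reference ntpd; treating the NetR9 firmware as using the same info_monitor_1 layout is an assumption, though the address and port values that fall out of it (the victim's 192.223.24.92:25565, the server's own 200.0.31.131) are consistent with the report. The embedded dump is the first packet copied from the message, hex columns only.

```python
"""Decode tcpdump -X output of an NTP mode 7 ("private") packet and flag
monlist responses.  Added example for the report above; not code from
NFOservers, Trimble or REGME."""
import re
import struct
from ipaddress import IPv4Address

# Constructed input: the first response packet from the report, copied from
# the hex dump above (offset and hex columns only; ASCII column dropped).
SAMPLE_DUMP = """
0x0000: 4500 01d4 62c4 0000 3a11 5b96 c800 1f83
0x0010: c0df 185c 007b 63dd 01c0 7e1d d700 032a
0x0020: 0006 0048 0000 0001 0000 0000 0000 0180
0x0030: 0000 0074 c0df 185c c800 1f83 0000 0001
0x0040: 63dd 0702 0000 0000 0000 0000
"""

IMPL_XNTPD = 3           # "implementation" code used by ntpd (ntp_request.h)
REQ_MON_GETLIST_1 = 42   # the "monlist" request code (ntp_request.h)
MONLIST_REQUEST_LEN = 8  # a mode 7 request is just the 8-byte header
_HEX_TOKEN = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")


def parse_hexdump(text):
    """Turn 'offset: xxxx xxxx ...' lines from tcpdump -X into frame bytes."""
    raw = bytearray()
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("0x"):
            continue
        for tok in fields[1:]:
            if not _HEX_TOKEN.fullmatch(tok):
                break  # reached the ASCII column, if one was kept
            raw += bytes.fromhex(tok)
    return bytes(raw)


def decode_ntp_mode7(frame):
    """Parse IPv4 + UDP + NTP mode 7 header; returns a dict of fields."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17:
        raise ValueError("not UDP")
    src = str(IPv4Address(frame[12:16]))
    dst = str(IPv4Address(frame[16:20]))
    sport, dport, ulen = struct.unpack("!HHH", frame[ihl:ihl + 6])
    ntp = frame[ihl + 8:]
    b0, b1, impl, reqcode, err_nitems, mbz_size = struct.unpack("!BBBBHH", ntp[:8])
    info = {
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "udp_payload_len": ulen - 8,   # tcpdump's "length 440"
        "response": bool(b0 & 0x80),   # R bit: this is a reply
        "more": bool(b0 & 0x40),       # M bit: more reply packets follow
        "version": (b0 >> 3) & 7,
        "mode": b0 & 7,                # 7 = private mode ("Reserved" in tcpdump)
        "auth": bool(b1 & 0x80),
        "seq": b1 & 0x7F,
        "impl": impl,
        "reqcode": reqcode,
        "err": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "item_size": mbz_size & 0x0FFF,
        "first_entry": None,
    }
    if info["mode"] == 7 and reqcode == REQ_MON_GETLIST_1 and len(ntp) >= 40:
        # info_monitor_1 from ntp_request.h: first 32 of its 72 bytes (the
        # IPv6 fields after them are cut off in the dump).  Assumes the
        # receiver firmware uses the reference layout.
        (lasttime, firsttime, restr, count, addr, daddr, flags,
         port, mode, version) = struct.unpack("!IIIIIIIHBB", ntp[8:40])
        info["first_entry"] = {
            "lasttime": lasttime, "firsttime": firsttime, "restr": restr,
            "count": count,
            "addr": str(IPv4Address(addr)),    # the "client" being listed
            "daddr": str(IPv4Address(daddr)),  # this server's own address
            "flags": flags, "port": port, "mode": mode, "version": version,
        }
    return info


def is_monlist_response(info):
    return info["mode"] == 7 and info["response"] and info["reqcode"] == REQ_MON_GETLIST_1


def reflection_indicators(info):
    """Why this single packet is evidence of a monlist reflection attack."""
    e = info["first_entry"]
    return {
        "monlist_response": is_monlist_response(info),
        # 440 payload bytes drawn by an 8-byte request payload, per packet;
        # a full monlist reply is up to 100 such packets (the M bit is set).
        "payload_ratio": info["udp_payload_len"] / MONLIST_REQUEST_LEN,
        # The victim shows up in the monitor list as a "client": the spoofed
        # requests carried its address, so the server now remembers it.
        "victim_listed_as_client": e is not None and e["addr"] == info["dst"],
        "more_packets_follow": info["more"],
    }


if __name__ == "__main__":
    info = decode_ntp_mode7(parse_hexdump(SAMPLE_DUMP))
    print(f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']} "
          f"NTPv{info['version']} mode {info['mode']} impl {info['impl']} "
          f"req {info['reqcode']} items {info['nitems']}x{info['item_size']}B")
    print(reflection_indicators(info))
```

The same decoder can be pointed at any other mode 7 response (error responses carry a non-zero err nibble and zero items). To confirm a server no longer answers after applying the changes in the message, querying it from outside the network with `ntpdc -n -c monlist <host>` should time out instead of returning a list.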