The DDoS war is ramping up with the use of network time protocol (NTP) amplification to paralyse, not just individual organisation’s networks, but potentially large proportions of general internet traffic.

The largest ever DDoS attack to date with a DNS amplification hit the anti-spam company, Spamhaus last year. This attack reached 300 Gbps, taking Spamhaus offline and also affecting the DDoS mitigation firm, CloudFare. With the volume of traffic that was going through peering exchanges and transit providers, the attack also slowed down internet traffic for everyone else.

However, in the last couple of months these UDP amplification attacks seem to have moved on to NTP, taking advantage of an exploit available in older, unpatched NTP systems. These servers are usually used for time synchronisation and utilise the UDP protocol on port 123. Like DNS, they will respond to commands issued by any client to query certain information, unless they are properly secured.

These attack styles are not new, but their historically infrequent usage and the potential for mass disruption means they warrant more attention. Coverage of these attack styles in both industry and mainstream press is to be welcomed in my opinion, because these attacks are relatively defensible and coverage will hopefully get more administrators to secure or patch their NTP servers.

What is all the fuss about?
DNS amplification attacks ramp up the power of a botnet when targeting a victim. The basic technique of a DNS amplification attack is to spoof the IP address of the intended target and send a request for large DNS zone files to any number of open recursive DNS servers.

The DNS server then responds to the request, sending the large DNS zone answer to the attack target rather than the attacker, because the source IP was spoofed. The DNS amplification attack on Spamhaus saw request data (the data the attacker sent to the DNS servers) of roughly 36 bytes in length, while the response data (the data from the DNS server to the attack target) was around 3000 bytes, meaning the attackers increased the bandwidth used by 100x. Not only is that a large increase in attack bandwidth, but these packets from the DNS servers arrive at the target in a fragmented state due to their large size and have to be reassembled, which ties up the routing resources as well.

NTP amplification attacks work by spoofing the IP of the attack target and sending a ’monlist’ command request to the NTP servers. This command will return the IP addresses of the last 600 clients that have used the NTP server to synchronise time. By issuing this command a small request packet can trigger much larger UDP response packets containing active IP addresses and other data.

The volume of the response data is related to the number of clients that communicate with any particular NTP server. This means that a single request which consists of a single 64-byte UDP packet can be increased to 100 responses each, which contain the last 600 client IP addresses that have synchronised with the server. Each of those 100 responses will be a UDP packet of around 482 bytes which gives the attacker a bandwidth amplification of around 700x [482 bytes x 100 responses = 48200 bytes / 64 bytes = 753.125].

With this level of amplification available and several popular DDoS attack tools already including a module for abusing ’monlist’ we could be on for a new record in DDoS attack size this year unless the vulnerabilities are patched soon.

For example, if DNS amplification created a 300 Gbps, then NTP amplification means we could potentially see a 2.1 Tbps (21,000 Gbps) attack. There is no network that could absorb an attack of that size; it would have an enormous knock-on effect on general Internet traffic as the Spamhaus attack did with peering points, transit providers and content delivery networks being overloaded.

This isn’t to say that DNS and NTP are the only amplification attack methods. There are other amplification and reflection-style tactics as well and, while not as popular as more tried-and-true DDoS methods, they represent a real threat if you are not prepared for them.

Fixing the problem
The easiest way to fix this and remove your NTP servers from being an attack vector for a DDoS is to update your NTP servers to version 4.2.7 which removes the ‘monlist’ command. Otherwise you can disable query within your NTP server via a configuration change:

  • nano /etc/ntp.conf [Your configuration file might be located elsewhere]
  • #Restrict general access to this device
  • Restrict default ignore
  • Restrict mask nomodify notrap
  • Noquery

This change will prevent your NTP server from being used to launch DDoS attacks against other networks, but an update to the latest version is still recommended.

DDoS attacks have been around in one form or another since the very beginnings of the internet, but the motivations, as well as the scale of these attacks seem to have grown significantly.

In the early days it was just extortion; a hacker would ask for payment to stop the attacks. Nowadays, some businesses may pay for competitors to be attacked, as a few hours offline could be worth millions. You also have DDoS being used as a method of political activism by groups such as Anonymous, as well as the potential for a government to use DDoS to disrupt another country’s infrastructure.

Systems administrators need to ensure their systems are reviewed regularly for patches and known vulnerabilities. If systems are left unpatched then at best you can be used as a vector to attack another network or organisation, but at worst those vulnerabilities could be exploited to take your systems offline or steal your data.

Posted by David Barker, technical director of 4D Hosting