[bdNOG] Recent NTP Attacks and OpenNTPProject.org

Jahangir Hossain jrjahangir at gmail.com
Wed Feb 19 11:49:46 BDT 2014


Greetings,

With the recent increase in NTP attacks, we wanted to share some
information with the bdNOG community about a few things:

There are about 1.2-1.5 million of these servers out there.

1) You can search your IP space to find NTP servers that respond to the
'MONLIST' queries.

2) I've found some vendors have old embedded versions of NTP including
ILO/Service Processors and other parts of the "internet of things".

3) You want to upgrade NTP, or adjust your ntp.conf to include 'limited' or
'restrict' lines or both. (I defer to someone else to be an expert in this
area, but am willing to learn :) )

4) Please prevent packet spoofing where possible on your network.  This
will limit the impact of spoofed NTP or DNS (amongst others) packets from
impacting the broader community.

5) Some vendors don't have an easy way to alter the NTP configuration, or
have not updated or won't be updating NTP; in that case you may need to use
ACLs, firewall filters, or other methods to block this traffic. I've heard of
many routers being used in attacks, impacting their CPU usage.

Take a moment and see if your devices respond to the following
query/queries:

ntpdc -n -c monlist 10.0.0.1
ntpdc -n -c loopinfo 10.0.0.1
ntpdc -n -c iostats 10.0.0.1

6) If you do VMs/Servers and have a template, please make sure that they do
not respond to NTP requests.


Please consider reconfiguring this NTP server in one or more of these ways:

1. If you run ntpd, upgrading to the latest version, which removes the
"monlist" command that is used for these attacks; alternately, disabling
the monitoring function by adding "disable monitor" to your /etc/ntp.conf
file.
2. Setting the NTP installation to act as a client only. With ntpd, that
can be done with "restrict default ignore" in /etc/ntp.conf; other daemons
should have a similar configuration option. More information on configuring
different devices can be found here:
https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html.
3. Adjusting your firewall or NTP server configuration so that it only
serves your users and does not respond to outside IP addresses.

If you don't mean to run a public NTP server, we recommend #1 and #2. If
you do mean to run a public NTP server, we recommend #1, and also that you
rate-limit responses to individual source IP addresses -- silently
discarding those that exceed a low number, such as one request per IP
address per second. Rate-limit functionality is built into many
recently-released NTP daemons, including ntpd, but needs to be enabled; it
would help with different types of attacks than this one.
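As an added illustration (not part of the original post), the following Python script audits an ntp.conf text for the three exposures discussed above: a missing 'disable monitor', a 'restrict default' line without 'noquery' or 'ignore', and no 'limited' rate limiting. Both sample configurations are constructed for this example and not taken from any real host.

```python
"""Audit ntp.conf text for the monlist / open-query exposure described above."""

# Constructed sample for this example (not from a real host): no default restriction.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict 127.0.0.1
"""

# Constructed sample: monitor disabled, outside queries refused, leftovers rate-limited.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
disable monitor
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
server 0.pool.ntp.org iburst
"""


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means no exposure was found."""
    monitor_disabled = False
    default_flags = []  # one flag set per 'restrict [-4|-6] default ...' line
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "disable" and "monitor" in tokens[1:]:
            monitor_disabled = True
        elif tokens[0] == "restrict":
            args = tokens[1:]
            if args and args[0] in ("-4", "-6"):  # address-family form
                args = args[1:]
            if args and args[0] == "default":
                default_flags.append(set(args[1:]))

    findings = []
    # No default restriction, or one that neither ignores nor refuses queries,
    # means any Internet source can send mode 6/7 queries (including monlist).
    if not default_flags or any(not f & {"ignore", "noquery"} for f in default_flags):
        findings.append("queries answered from any source: add 'noquery' (or 'ignore') to 'restrict default'")
        if not monitor_disabled:
            findings.append("'monlist' will answer: add 'disable monitor' or upgrade ntpd")
    # 'limited' (normally with 'kod') gives the per-source rate limiting the post recommends.
    if not default_flags or any(not f & {"ignore", "limited"} for f in default_flags):
        findings.append("no per-source rate limit: add 'limited' and 'kod' to 'restrict default'")
    return findings
```

Running `audit_ntp_conf(open("/etc/ntp.conf").read())` on a host returns the list of changes still needed; an empty list matches the client-only or hardened configurations described in #1 and #2.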

Fixing open NTP servers is important; with the 1000x+ amplification factor
of NTP DRDoS attacks -- one 40-byte-long request can generate up to 46800
bytes worth of response traffic -- it only takes one machine on an
unfiltered 100 Mbps link to create a 100+ Gbps attack!

If you are an ISP, please also look at your network configuration and make
sure that you do not allow spoofed traffic (that pretends to be from
external IP addresses) to leave the network. Hosts that allow spoofed
traffic make possible this type of attack.

Further reading:

https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
https://isc.sans.org/forums/diary/NTP+reflection+attack/17300
http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10613&smlogin=true

You can find more vulnerable servers on a network through this site:
http://openntpproject.org/

Regards //  Jahangir