US-CERT has issued an advisory that warns enterprises about distributed denial of service attacks flooding networks with massive amounts of UDP traffic using publicly available network time protocol (NTP) servers.
Known as NTP amplification attacks, hackers are exploiting something known as the monlist feature in NTP servers, also known as MON_GETLIST, which returns the IP address of the last 600 machines interacting with an NTP server. Monlists is a classic set-and-forget feature and is used generally to sync clocks between servers and computers. The protocol is vulnerable to hackers making forged REQ_MON_GETLIST requests enabling traffic amplification.
“This response is much bigger than the request sent making it ideal for an amplification attack,” said John Graham-Cumming of Cloudflare.
According to US-CERT, the MON_GETLIST command allows admins to query NTP servers for traffic counts. Attackers are sending this command to vulnerable NTP servers with the source address spoofed as the victim.
“Due to the spoofed source address, when the NTP server sends the response it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim,” the US-CERT advisory says. “Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks.”
To mitigate these attacks, US-CERT advises disabling the monlist or upgrade to NTP version 4.2.7, which also disables monlist.
NTP amplification attacks have been blamed for recent DDoS attacks against popular online games such as League of Legends, Battle.net and others. Ars Technica today reported that the gaming servers were hit with up to 100 Gbps of UDP traffic. Similar traffic amounts were used to take down American banks and financial institutions last year in allegedly politically motivated attacks.
“Unfortunately, the simple UDP-based NTP protocol is prone to amplification attacks because it will reply to a packet with a spoofed source IP address and because at least one of its built-in commands will send a long reply to a short request,” Graham-Cumming said. “That makes it ideal as a DDoS tool.”
Graham-Cumming added that an attacker who retrieves a list of open NTP servers, which can be located online using available Metasploit or Nmap modules that will find NTP servers that support monlist.
Graham-Cumming demonstrated an example of the type of amplification possible in such an attack. He used the MON_GETLIST command on a NTP server, sending a request packet 234 bytes long. He said the response was split across 10 packets and was 4,460 bytes long.
“That’s an amplification factor of 19x and because the response is sent in many packets an attack using this would consume a large amount of bandwidth and have a high packet rate,” Graham-Cumming said.
“This particular NTP server only had 55 addresses to tell me about. Each response packet contains 6 addresses (with one short packet at the end), so a busy server that responded with the maximum 600 addresses would send 100 packets for a total of over 48k in response to just 234 bytes. That’s an amplification factor of 206x!”