Public ntp-server and reflection-attacks

Asked by 8 months ago
Hi. We have strong reflection attacks on our public time server ("ntpd 4.2.6p5"). The strange behavior is that the server receives one packet and sends 100 packets to the target.

Incoming packet:

----- begin -----
Network Time Protocol (NTP Version 2, private)
    Flags: 0x17
        0... .... = Response bit: Request (0)
        .0.. .... = More bit: 0
        ..01 0... = Version number: NTP Version 2 (2)
        .... .111 = Mode: reserved for private use (7)
    Auth, sequence: 0
        0... .... = Auth bit: 0
        .000 0000 = Sequence number: 0
    Implementation: XNTPD (3)
    Request code: MON_GETLIST_1 (42)
----- end -----

First outgoing packet:

----- begin -----
Network Time Protocol (NTP Version 2, private)
    Flags: 0xd7
        1... .... = Response bit: Response (1)
        .1.. .... = More bit: 1
        ..01 0... = Version number: NTP Version 2 (2)
        .... .111 = Mode: reserved for private use (7)
    Auth, sequence: 0
        0... .... = Auth bit: 0
        .000 0000 = Sequence number: 0
    Implementation: XNTPD (3)
    Request code: MON_GETLIST_1 (42)
----- end -----

Second outgoing packet:

----- begin -----
Network Time Protocol (NTP Version 2, private)
    Flags: 0xd7
        1... .... = Response bit: Response (1)
        .1.. .... = More bit: 1
        ..01 0... = Version number: NTP Version 2 (2)
        .... .111 = Mode: reserved for private use (7)
    Auth, sequence: 1
        0... .... = Auth bit: 0
        .000 0001 = Sequence number: 1
    Implementation: XNTPD (3)
    Request code: MON_GETLIST_1 (42)
----- end -----

[...]

Last outgoing packet:

----- begin -----
Network Time Protocol (NTP Version 2, private)
    Flags: 0x97
        1... .... = Response bit: Response (1)
        .0.. .... = More bit: 0
        ..01 0... = Version number: NTP Version 2 (2)
        .... .111 = Mode: reserved for private use (7)
    Auth, sequence: 99
        0... .... = Auth bit: 0
        .110 0011 = Sequence number: 99
    Implementation: XNTPD (3)
    Request code: MON_GETLIST_1 (42)
----- end -----

This means the attacker sends _one_ packet and gets _100_ packets to his target. How can I disable this behavior of ntpd?
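As an added example (not from the original post), a small Python decoder for the mode 7 header fields shown in the capture, run over packets constructed to match those headers, so a defender can confirm that a request is a monlist query and count how many replies a single request produced; the sample payload sizes are assumptions, only the header bytes come from the capture.

```python
import struct

# Layout of the NTP mode 7 ("private") header decoded in the captures above:
#   byte 0: Response bit | More bit | 3-bit version | 3-bit mode
#   byte 1: Auth bit | 7-bit sequence number
#   byte 2: implementation   byte 3: request code
#   bytes 4-7: error/item count and item size (zero in a request)
MODE_PRIVATE = 7
IMPL_XNTPD = 3
MON_GETLIST = 20       # older monlist request code (ntp_request.h)
MON_GETLIST_1 = 42     # the request code in the capture above

def parse_mode7_header(pkt: bytes) -> dict:
    """Decode the first four bytes of a mode 7 packet into its fields."""
    if len(pkt) < 4:
        raise ValueError("packet too short for a mode 7 header")
    flags, auth_seq, impl, reqcode = struct.unpack("!BBBB", pkt[:4])
    return {
        "response": bool(flags & 0x80), "more": bool(flags & 0x40),
        "version": (flags >> 3) & 0x07, "mode": flags & 0x07,
        "auth": bool(auth_seq & 0x80), "sequence": auth_seq & 0x7F,
        "implementation": impl, "request_code": reqcode,
    }

def is_monlist_request(pkt: bytes) -> bool:
    """True for an unauthenticated mode 7 MON_GETLIST/MON_GETLIST_1 request."""
    h = parse_mode7_header(pkt)
    return (h["mode"] == MODE_PRIVATE and not h["response"]
            and h["request_code"] in (MON_GETLIST, MON_GETLIST_1))

def reflection_summary(request: bytes, responses: list) -> dict:
    """Defender's view of one exchange: what a single request triggered."""
    heads = [parse_mode7_header(r) for r in responses]
    return {
        "monlist_request": is_monlist_request(request),
        "reply_packets": len(heads),
        "sequences": [h["sequence"] for h in heads],
        "last_has_more": heads[-1]["more"] if heads else False,
        "byte_ratio": sum(len(r) for r in responses) / len(request),
    }

def _pkt(flags: int, auth_seq: int, payload: bytes = b"") -> bytes:
    # Constructed sample packet; header bytes match the capture, payload is filler.
    return bytes([flags, auth_seq, IMPL_XNTPD, MON_GETLIST_1, 0, 0, 0, 0]) + payload

REQUEST = _pkt(0x17, 0x00)                                         # 0x17: request, v2, mode 7
RESPONSES = [_pkt(0xD7, seq, b"\x00" * 432) for seq in range(99)]  # 0xd7: response, More bit set
RESPONSES.append(_pkt(0x97, 99, b"\x00" * 432))                    # 0x97: last reply, More bit clear
```

On a real capture the same summary can be built per source address, and a request that yields dozens of replies is the signature the poster saw.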


All Answers

Answer by 8 months ago
Yes, this is becoming increasingly common, and everyone operating NTP servers (not just those that are intended to be public) will need to take steps to ensure that they are not open to this sort of attack. The attacker is asking for something (usually the equivalent of 'ntpdc -c monlist') that causes your server to respond with lots of data.

[snip]

There are several ways, but having a basic 'restrict' statement in your config like this will help mitigate this attack:

    restrict default noquery nomodify notrap nopeer
    restrict -6 default noquery nomodify notrap nopeer

I believe the key command is 'noquery' which means that the server can't be queried for information (it does NOT affect the server's ability to respond to time requests). However, the other options will also protect your public time server. (I am also interested in how others are locking down public NTP servers.)

michael
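An added check, not part of Michael's answer or the ntp project: a Python audit of the 'restrict' lines in an ntp.conf that reports whether the default rules carry the flags quoted above. The sample configs are constructed, and the requirement that IPv4 and IPv6 each have their own 'default' line is an assumption taken from the two lines in the answer.

```python
import shlex

REQUIRED_DEFAULT_FLAGS = {"noquery", "nomodify", "notrap", "nopeer"}

def parse_restrict(conf: str) -> dict:
    """Map (family, target) -> set of flags for every 'restrict' line in an ntp.conf."""
    rules = {}
    for raw in conf.splitlines():
        words = shlex.split(raw.split("#", 1)[0])      # drop comments, then tokenize
        if len(words) < 2 or words[0] != "restrict":
            continue
        family = "ipv6" if words[1] == "-6" else "ipv4"
        args = words[2:] if words[1] in ("-4", "-6") else words[1:]
        if not args:
            continue
        flags, rest = set(), iter(args[1:])
        for w in rest:
            if w == "mask":
                next(rest, None)                      # the mask value is not a flag
            else:
                flags.add(w)
        rules.setdefault((family, args[0]), set()).update(flags)
    return rules

def audit(conf: str) -> list:
    """Problems that leave mode 7 queries open; assumes each family has its own 'default' line."""
    rules, problems = parse_restrict(conf), []
    for family, label in (("ipv4", "restrict default"), ("ipv6", "restrict -6 default")):
        flags = rules.get((family, "default"))
        if flags is None:
            problems.append(f"missing '{label}' line")
            continue
        missing = REQUIRED_DEFAULT_FLAGS - flags
        if missing:
            problems.append(f"'{label}' lacks: {' '.join(sorted(missing))}")
    return problems

WEAK_CONF = """\
# constructed sample: 'noquery' removed at install time, as the original poster did
restrict default nomodify notrap nopeer
restrict -6 default nomodify notrap nopeer
"""

HARDENED_CONF = """\
# constructed sample using the default lines quoted in the answer above
restrict default noquery nomodify notrap nopeer
restrict -6 default noquery nomodify notrap nopeer
"""
```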
Answer by 8 months ago
We got hit by the same thing today, right around noon. I don't have detailed packet captures like Rudolph (thanks for that, BTW) but my 100Mbps pipe was completely filled from these requests. Shutting down NTP on my two public servers stopped it. I've since implemented Michael's suggestion and I will be re-opening port 123 in the firewall... maybe later... Ian
Answer by 8 months ago
That's it. Too simple. RTFM! :-( I had deleted "noquery" at the time of installation. I thought it meant that no queries would be answered. After using "noquery", ntpd no longer sends answers to such requests. Thank you very much.
Answer by 8 months ago
Now that I've had some quality time with Wireshark, I can confirm that I'm seeing exactly what Rudolph was seeing. Since implementing Michael's suggestion, I'm still getting the packets, but not responding to them. That will do for now... Ian
Answer by 8 months ago
Quoted message by Michael Sinatra 8 months ago
Yes, this is becoming increasingly common, and everyone operating NTP servers (not just those that are intended to be public) will need to take steps to ensure that they are not open to this sort of attack. The attacker is asking for something (usually the equivalent of 'ntpdc -c monlist') that causes your server to respond with lots of data.

[snip]

There are several ways, but having a basic 'restrict' statement in your config like this will help mitigate this attack:

    restrict default noquery nomodify notrap nopeer
    restrict -6 default noquery nomodify notrap nopeer

I believe the key command is 'noquery' which means that the server can't be queried for information (it does NOT affect the server's ability to respond to time requests). However, the other options will also protect your public time server. (I am also interested in how others are locking down public NTP servers.)

michael
The access control directives mentioned above are documented at http://doc.ntp.org/4.2.6p5/accopt.html (stable release) and at http://www.eecis.udel.edu/~mills/ntp/html/accopt.html (development release). [snip] You want to take a look at the Support.AccessRestrictions topic in our community supported documentation. It is at http://support.ntp.org/Support/AccessRestrictions
Answer by 7 months ago
Hello, Wouldn't noquery or nopeer also prevent your timeserver from being used by other timeservers? Or at least limit usability? LP, Jure
Answer by 7 months ago
Quoted message by Jure Sah 7 months ago
Hello, Wouldn't noquery or nopeer also prevent your timeserver from being used by other timeservers? Or at least limit usability? LP, Jure
Not really. It limits the possibilities of debugging from remote (e.g. to look at what servers you are synced to), but it does not limit the use as a regular time server.
Answer by 7 months ago
Quoted message by Jure Sah 7 months ago
Hello, Wouldn't noquery or nopeer also prevent your timeserver from being used by other timeservers? Or at least limit usability? LP, Jure
Hi, I would just like to understand this... For noquery I understand, but for "nopeer"? The manual page states: Doesn't this always happen when a new ntp server somewhere on the internet chooses to use your NTP server as a peer? LP, Jure
Answer by 7 months ago
Quoted message by Jure Sah 7 months ago
Hi, I would just like to understand this... For noquery I understand, but for "nopeer"? The manual page states: Doesn't this always happen when a new ntp server somewhere on the internet chooses to use your NTP server as a peer? LP, Jure
A peer is a two-way server-server link. Not a client using your server, but a server that syncs time with you and vice-versa. You don't want that. NTP servers that are peers should be only added upon mutual agreement. A normal client of the pool is only a client of your server, not a peer. (i.e. they sync time to you, but you don't get time sync from them)
Answer by 7 months ago
Quoted message by Jure Sah 7 months ago
Hi, I would just like to understand this... For noquery I understand, but for "nopeer"? The manual page states: Doesn't this always happen when a new ntp server somewhere on the internet chooses to use your NTP server as a peer? LP, Jure
The word "peer" has multiple meanings in NTP. We colloquially refer to a remote ntpd which is used as a time source as a "peer". Witness the 'ntpq -p' peer billboard. The "peer" configuration directive can be used in ntp.conf to establish a bidirectional association between two ntpds (i.e. an association where both nodes poll the other node for the time). 'nopeer' blocks these associations. By way of comparison ... The "server" configuration directive is used to establish a unidirectional association between two ntpds (i.e. only one node polls the other node). These associations are not blocked by 'nopeer'.
Answer by 7 months ago
Quoted message by Jure Sah 7 months ago
Hi, I would just like to understand this... For noquery I understand, but for "nopeer"? The manual page states: Doesn't this always happen when a new ntp server somewhere on the internet chooses to use your NTP server as a peer? LP, Jure
So in other words, a lower-stratum NTP server which uses my NTP server as its source of accurate time is a client and not a peer? LP, Jure
Answer by 7 months ago
Quoted message by Jure Sah 7 months ago
So in other words, a lower-stratum NTP server which uses my NTP server as its source of accurate time is a client and not a peer? LP, Jure
It is a higher-stratum server. But indeed it is only a client, not a peer. When using ntpd, a "server" line in the config specifies you as a server, and the system where that config is used is a client. This is allowed even when "nopeer" is configured in your ntpd. A "peer" line (instead of server) can be used to set up a bidirectional sync to another server that should have a corresponding "peer" line in its ntp.conf as well. This is called "symmetric-active". For this to work, a restrict line for that address without "nopeer" is required. Instead, you can just use "server" at each end and both systems will be a client of the other system. In my experience, this usually works better anyway.