NTP DoS Attack?

Today I noticed a high amount of outbound bandwidth and after a few hours of trying to track it down, it looks like it was being caused by my NTP server on my FreeBSD box. A tcpdump revealed the following:

Code:
18:51:51.708284 IP (tos 0x0, ttl 64, id 5179, offset 0, flags [none], proto UDP (17), length 468)
    192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 440
        Reserved, Leap indicator: clock unsynchronized (192), Stratum 27 (reserved), poll 3s, precision 42
        Root Delay: 6.001098, Root dispersion: 9.866180, Reference-ID: 0.3.94.202
          Reference Timestamp:  0.000000001
          Originator Timestamp: 3425369346.752563534 (2008/07/18 07:29:06)
          Receive Timestamp:    1.720032155 (2036/02/07 01:28:17)
          Transmit Timestamp:   0.000000000
            Originator - Receive Timestamp:  +869597950.967468619
            Originator - Transmit Timestamp: +869597949.247436463
18:51:51.708318 IP (tos 0x0, ttl 64, id 5180, offset 0, flags [none], proto UDP (17), length 468)
    192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 440
        Reserved, Leap indicator: clock unsynchronized (192), Stratum 28 (reserved), poll 3s, precision 42
        Root Delay: 6.001098, Root dispersion: 0.000000, Reference-ID: 0.11.217.223
          Reference Timestamp:  0.000000000
          Originator Timestamp: 1191617992.752563534 (1937/10/05 15:59:52)
          Receive Timestamp:    1.699234426 (2036/02/07 01:28:17)
          Transmit Timestamp:   0.000000000
            Originator - Receive Timestamp:  -1191617991.053329106
            Originator - Transmit Timestamp: -1191617992.752563536
18:51:51.708352 IP (tos 0x0, ttl 64, id 5181, offset 0, flags [none], proto UDP (17), length 468)
    192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 440
        Reserved, Leap indicator: clock unsynchronized (192), Stratum 29 (reserved), poll 3s, precision 42
        Root Delay: 6.001098, Root dispersion: 0.000030, Reference-ID: 0.27.148.169
          Reference Timestamp:  0.000000000
          Originator Timestamp: 3232235522.752563534 (2002/06/04 23:12:02)
          Receive Timestamp:    1.001877010 (2036/02/07 01:28:17)
          Transmit Timestamp:   0.000000000
            Originator - Receive Timestamp:  +1062731774.249313473
            Originator - Transmit Timestamp: +1062731773.247436463
18:51:51.708385 IP (tos 0x0, ttl 64, id 5182, offset 0, flags [none], proto UDP (17), length 468)
    192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 440
        Reserved, Leap indicator: clock unsynchronized (192), Stratum 30 (reserved), poll 3s, precision 42
        Root Delay: 6.001098, Root dispersion: 0.094879, Reference-ID: 0.35.104.97
          Reference Timestamp:  0.000002965
          Originator Timestamp: 3325715693.752563534 (2005/05/21 21:54:53)
          Receive Timestamp:    1.001877070 (2036/02/07 01:28:17)
          Transmit Timestamp:   0.000000000
            Originator - Receive Timestamp:  +969251603.249313533
            Originator - Transmit Timestamp: +969251602.247436463
18:51:51.708419 IP (tos 0x0, ttl 64, id 5183, offset 0, flags [none], proto UDP (17), length 396)
    192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 368
        Reserved, Leap indicator: -1s (128), Stratum 31 (reserved), poll 3s, precision 42
        Root Delay: 5.001098, Root dispersion: 1.317703, Reference-ID: 0.99.52.36
          Reference Timestamp:  0.000000001
          Originator Timestamp: 1165526542.752563534 (1936/12/07 16:22:22)
          Receive Timestamp:    1.860595882 (2036/02/07 01:28:17)
          Transmit Timestamp:   0.000000000
            Originator - Receive Timestamp:  -1165526540.891967654
            Originator - Transmit Timestamp: -1165526542.752563536

I turned off the ntpd server and the traffic stopped. I had port 123 UDP forwarded on the firewall. I had set that up years ago and I don't believe I need it? I have now turned that off.

Is it possible to do a DoS attack using NTP? That would be new to me.
 
Even with the port forward turned off I am still seeing a lot of NTP traffic:

Code:
19:02:10.149657 IP (tos 0x0, ttl 64, id 13019, offset 0, flags [none], proto UDP (17), length 324)
    192.168.0.248.123 > 108.251.139.46.80: NTPv2, length 296
        Reserved, Leap indicator: -1s (128), Stratum 1 (primary reference), poll 3s, precision 42
        Root Delay: 4.001098, Root dispersion: 0.000030, Reference-ID: ^@^@^@^M
          Reference Timestamp:  0.000000002
          Originator Timestamp: 3638870068.752563534 (2015/04/24 09:14:28)
          Receive Timestamp:    1.001877070 (2036/02/07 01:28:17)
          Transmit Timestamp:   0.000000000
            Originator - Receive Timestamp:  +656097228.249313533
            Originator - Transmit Timestamp: +656097227.247436463
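The two captures above share a signature a defender can spot without decoding the packets: replies leave the server's port 123 towards non-NTP ports on outside hosts, are printed by tcpdump as NTPv2 (mode 7 private packets carry version 2), and have payloads of 440, 368 and 296 bytes, which is exactly the 8-byte mode 7 response header plus 6, 5 and 4 monlist records of 72 bytes each. The script below is an added example written for this thread, not code from the original posts or from the FreeBSD project; it parses tcpdump -v text, flags packets with that shape, and totals the bytes sent to each destination. The sample input is constructed from the records quoted above plus one ordinary NTPv4 reply to a LAN client that must not be flagged; the 72-byte record size is ntpd's `info_monitor_1` structure.

```python
import re
from collections import defaultdict

# Constructed sample: three records from the post (the first with some of its
# detail lines, which the parser skips), plus one ordinary NTPv4 server reply.
SAMPLE_CAPTURE = """\
18:51:51.708284 IP (tos 0x0, ttl 64, id 5179, offset 0, flags [none], proto UDP (17), length 468)
    192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 440
        Reserved, Leap indicator: clock unsynchronized (192), Stratum 27 (reserved), poll 3s, precision 42
          Transmit Timestamp:   0.000000000
18:51:51.708318 IP (tos 0x0, ttl 64, id 5180, offset 0, flags [none], proto UDP (17), length 468)
    192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 440
18:51:51.708419 IP (tos 0x0, ttl 64, id 5183, offset 0, flags [none], proto UDP (17), length 396)
    192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 368
19:02:10.149657 IP (tos 0x0, ttl 64, id 13019, offset 0, flags [none], proto UDP (17), length 324)
    192.168.0.248.123 > 108.251.139.46.80: NTPv2, length 296
19:02:11.000000 IP (tos 0x0, ttl 64, id 13020, offset 0, flags [none], proto UDP (17), length 76)
    192.168.0.248.123 > 192.168.0.10.123: NTPv4, Server, length 48
"""

# First line of each tcpdump -v record: timestamp ... total IP length.
HDR_RE = re.compile(r'^(\d{2}:\d{2}:\d{2}\.\d+) IP \(.*proto UDP \(17\), length (\d+)\)$')
# Second line: src.port > dst.port: NTPvN, ..., length <payload bytes>.
NTP_RE = re.compile(
    r'^\s+(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): NTPv(\d),.*length (\d+)$')

MONLIST_HDR = 8     # mode 7 response header
MONLIST_ENTRY = 72  # one info_monitor_1 record
MONLIST_MAX = 6     # records that fit in one reply datagram (8 + 6*72 = 440)


def parse_packets(text):
    """Return one dict per (header line, NTP line) pair; detail lines are skipped."""
    pkts, lines, i = [], text.splitlines(), 0
    while i < len(lines) - 1:
        h, n = HDR_RE.match(lines[i]), NTP_RE.match(lines[i + 1])
        if h and n:
            pkts.append({
                "ts": h.group(1), "ip_len": int(h.group(2)),
                "src": n.group(1), "sport": int(n.group(2)),
                "dst": n.group(3), "dport": int(n.group(4)),
                "version": int(n.group(5)), "ntp_len": int(n.group(6)),
            })
            i += 2
        else:
            i += 1
    return pkts


def looks_like_monlist_reply(pkt):
    """True for a reply from port 123, printed as NTPv2, whose payload is 8 + 72*k bytes.
    A mode 6 (ntpq) reply that happens to have the same size would also match,
    so treat the result as a strong hint, not proof."""
    if pkt["sport"] != 123 or pkt["version"] != 2:
        return False
    body = pkt["ntp_len"] - MONLIST_HDR
    return body > 0 and body % MONLIST_ENTRY == 0 and body // MONLIST_ENTRY <= MONLIST_MAX


def summarize(text):
    """Per destination host:port, count, wire bytes and monlist records of flagged replies."""
    out = defaultdict(lambda: {"packets": 0, "bytes": 0, "entries": 0})
    for p in parse_packets(text):
        if looks_like_monlist_reply(p):
            key = f'{p["dst"]}:{p["dport"]}'
            out[key]["packets"] += 1
            out[key]["bytes"] += p["ip_len"]
            out[key]["entries"] += (p["ntp_len"] - MONLIST_HDR) // MONLIST_ENTRY
    return dict(out)


if __name__ == "__main__":
    # Feed a live capture with: tcpdump -n -v udp port 123 | python3 this_script.py
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    for dest, stats in sorted(summarize(source).items(), key=lambda kv: -kv[1]["bytes"]):
        print(f'{dest:<24} {stats["packets"]:>5} pkts {stats["bytes"]:>8} bytes '
              f'{stats["entries"]:>4} monlist records')
```

The destinations it lists are the spoofed source addresses of the reflection traffic, i.e. the actual victims; the bytes column is what the box is contributing to the flood on their behalf.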
 
One quick fix is to install openntpd and change your /etc/rc.conf entry from ntpd_enable to openntpd_enable.

Older versions of ntpd have a monlist command that is being used for many of these attacks
 
tuaris said:
Is it possible to do a DoS attack using NTP? That would be new to me.

It's actually been popular lately. freebsd-update should patch it (if you're running a supported version). Alternatively, see how to patch it here: http://bsdbox.co/2014/01/18/ntp-drdos-a ... on-attack/
 
My ISP blocked my home connection yesterday because of the same thing. Please read this security advisory. It contains a number of solutions.

Tip of the day: to test whether you're still vulnerable, try ntpdc -n -c monlist $IP and ntpq -c rv $IP from another machine (substitute the (external) IP address of your server for $IP). If these give other output than an error message, you're still vulnerable.
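Besides the remote test above, the configuration can be checked on the box itself. Two ntpd directives close the hole: `disable monitor` switches off the monitoring facility that monlist reads from, and `restrict default ... noquery` refuses mode 6 and mode 7 queries (ntpq and ntpdc) from everyone not granted a more specific restrict line. The audit below is an added example written for this thread, not code from the original posts or from FreeBSD; both sample configurations are constructed, the first resembling an untouched default file of the kind the posts describe. It assumes, conservatively, that a bare `restrict default` covers IPv4 only and that a separate `restrict -6 default` line is needed for IPv6, which is how the older ntpd versions named in this thread behave.

```python
# Constructed sample: only servers and a driftfile, no access restrictions.
WEAK_CONF = """\
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
driftfile /var/db/ntpd.drift
"""

# Constructed hardened version: monitor facility off, queries refused by
# default for both address families, status queries allowed from localhost.
HARDENED_CONF = """\
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
driftfile /var/db/ntpd.drift
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""


def _directives(text):
    """Yield each non-comment, non-empty ntp.conf line as a list of words."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def audit_ntp_conf(text):
    """Decide whether monlist (mode 7) is reachable from arbitrary hosts."""
    monitor_enabled = True                 # ntpd default: monitor facility on
    noquery = {"v4": False, "v6": False}   # 'restrict default ... noquery' seen per family
    for words in _directives(text):
        keyword, args = words[0], words[1:]
        if keyword in ("disable", "enable") and "monitor" in args:
            monitor_enabled = keyword == "enable"   # the last directive wins
        elif keyword == "restrict":
            families = ["v4"]              # assumption: bare 'default' is IPv4 only
            if args[:1] == ["-6"]:
                families, args = ["v6"], args[1:]
            elif args[:1] == ["-4"]:
                args = args[1:]
            if args[:1] == ["default"] and "noquery" in args[1:]:
                for fam in families:
                    noquery[fam] = True
    return {
        "monitor_enabled": monitor_enabled,
        "noquery_v4": noquery["v4"],
        "noquery_v6": noquery["v6"],
        # exposed unless the facility is off or every family refuses queries
        "monlist_exposed": monitor_enabled and not (noquery["v4"] and noquery["v6"]),
    }


if __name__ == "__main__":
    # Audit the real file with: python3 this_script.py /etc/ntp.conf
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(sys.argv[1], audit_ntp_conf(fh.read()))
    else:
        for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
            print(f"{name:<9}", audit_ntp_conf(conf))
```

A clean audit of the file does not replace the remote test, since a running daemon may have been started with a different configuration, but it is the quickest way to confirm the fix before restarting ntpd.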
 
I was informed by my host at transip.eu that my VPS running FreeBSD 9.1-RELEASE was participating in an NTP DoS attack. I had enabled ntpd from the installation menu that asks which services I would like to enable, mistaking it for ntpdate. So the NTP daemon was listening on the default port with all the default settings, as I had never looked at the configuration file, and someone must have found out that it supported the monlist command. This person then spoofed traffic and used my bandwidth to attack someone else, which is not nice at all.

I have since disabled ntpd as I have no need for it and enabled ntpdate instead, which was what I originally required. (I have also run freebsd-update on the VPS, bringing it up to date.)
 
fonz said:
If these give other output than an error message, you're still vulnerable.
And if one or both error messages are a timeout, you might still be vulnerable. If you suspect that your ntpd is under attack, it is easy to find out: # service ntpd stop on the suspect machine, and the Internet traffic should drop in a way that you will notice. The load average might also drop, depending on what else is running on your machine. (Yes - I found out this "the hard way". Luckily I found out before my ISP or someone else noticed.)
 
ntpdc

[Merged into existing thread. -- mod.]

Hello world!

This is my first thread. I am a newbie at FreeBSD. Recently I have been DDoSed by NTP reflection attacks and I upgraded my NTP to 4.2.7. Vulnerable commands such as monlist have been removed. But I still get attacks. I also noticed that the ntpdc monlist command still works and I was wondering how I can remove ntpdc. I don't know which is the port file of ntpdc. Also the ntpdc --version command shows me 4.2.4. Here is a one-line example from the DDoS report that my hosting company gave me.
Code:
2014.02.16 20:46:58 UDP: **.***.**.**:123 -> *.***.***.***:**** flags: 0x10 size: 486
 
Re: ntpdc

Hi @fonz, thanks for your response and your corrections; sorry for posting in the wrong forum, please move it to the right one. I am running on FreeBSD 10.0. I have tried removing ntpd but the ntpdc commands still work. ntpdc is located in /usr/sbin/. Do you have any idea what I can do to remove it? I am having serious problems because my server gets null routed by my hoster for many hours each time this attack happens.
 
Re: ntpdc

Do you need to expose the ntpd(8) service to the Internet? If you aren't exposing it to the Internet then I don't understand what removing the ntpd binary would help. Also you have to understand that the ntpdc tool is for detecting the vulnerability (in other words it's a diagnostic tool), removing it won't help anything.

Did you actually stop and disable the ntpd service before you tried anything else?
 
Re: ntpdc

So the OP is actually the DDoS victim and not a participant? If he gets "nullrouted" (whatever that means?) by his ISP for being a victim it's an unbelievably stupid action by them.
 
Re: ntpdc

kpa said:
So the OP is actually the DDoS victim and not a participant?
That's very much a possibility.

If he gets "nullrouted" (whatever that means?)
Blackhole filtering is a more common term I believe. It simply means his packets are sent to the bit-bucket, effectively cutting him off.

http://en.wikipedia.org/wiki/Null_route

by his ISP for being a victim it's an unbelievably stupid action by them.
Most ISP helpdesk employees do not have a very good understanding of TCP/IP.
 
Re: ntpdc

So by having FreeBSD 10.0-RELEASE am I supposed to be secure from all the known vulnerabilities? Or do I have to upgrade my packages too? Also I have found another command that works, ntpq monlist; is this supposed to be a diagnostic tool too?
 
Re: ntpdc

Lateralus said:
So by having FreeBSD 10.0-RELEASE am I supposed to be secure from all the known vulnerabilities?
You could always do a freebsd-update fetch. If the list of files that will be changed includes anything ntp-related, you'll probably want to follow up with freebsd-update install (or upgrade from source, if you like).

Lateralus said:
Or do I have to upgrade my packages too?
Since ntpd is in the base system, packages have nothing to do with it.

Lateralus said:
Also I have found another command that works, ntpq monlist; is this supposed to be a diagnostic tool too?
ntpq(8) is indeed sort of a diagnostic/monitoring tool. Whether its output is ok or indicative of a problem depends on the exact command you issued.
 