Openly Accessible NTP Servers

Description

The Network Time Protocol (NTP) is a network protocol used to synchronise the clocks of computers across a network. NTP servers listen on port 123/UDP.

Problem

An openly accessible NTP server running a Network Time Protocol daemon (ntpd) older than version 4.2.7p26 with an unrestricted query configuration can be abused as a reflector in an amplified DDoS attack against third parties. The ntpd monitor facility collects and maintains traffic counts for the clients that have synchronised time with the server. monlist is a mode 7 (ntpdc) command implemented by ntpd, not a feature of the NTP protocol itself, that returns the data collected by the monitor facility: the IP addresses and statistics of up to the last 600 clients that have contacted the server for time service. Because a short UDP request with a forged source address elicits this much larger response, the monlist data serves as the amplified payload in a DDoS attack.

Background Information - Network Time Protocol

The Network Time Protocol (NTP) is one of the oldest and most widely used protocols on the Internet. It is built on the User Datagram Protocol (UDP) and the Internet Protocol (IP). NTP is not based on the principle of synchronising machines with each other; it is based on the principle of bringing every machine as close as possible to the correct time, Coordinated Universal Time (UTC), the primary time standard by which the world regulates clocks and time. A basic NTP network is composed of a time server and clients (workstations, routers, other servers etc). The function of the time server is to provide accurate time to the clients. Each client runs a small program as a background task that periodically queries the servers for a precise UTC time reference. The queries are sent at a poll interval that ntpd adjusts between 64 and 1024 seconds by default (minpoll 6 to maxpoll 10, roughly one to seventeen minutes) in order to maintain the required synchronisation accuracy for the network.

The basic operation of NTP is the time stamping of the packets exchanged between the server and the client.

NTP Timestamp operation.

1. The client stamps the time when it sends a request packet to the NTP server. (Origin timestamp)
2. The NTP server stamps the time when the client request packet is received. (Receive timestamp)
3. The NTP server stamps the time when it sends the response packet to the client. (Transmit timestamp)
4. The client stamps the time when the NTP response packet is received. (Destination timestamp)

The NTP packet header carries four 64-bit timestamp fields. The reply returns the origin, receive and transmit timestamps, and the client records the destination timestamp locally when the reply arrives. From these four values the client determines the offset between its internal clock and the server's UTC reference and adjusts its local time to coincide with the reference. The client can also determine the round-trip network delay and apply a correction factor when it adjusts its internal time.
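
The following Python script is an added worked example, not code from the original advisory or from the ntp project. It builds the 48-byte client request (mode 3) and server reply (mode 4) described in the four steps above, using constructed values (a client clock 1.5 s slow, 20 ms one-way latency, 1 ms of server processing; all assumptions), and computes the offset and round-trip delay from the four timestamps. It also applies the check a real client performs before trusting a reply: the reply's origin timestamp must echo the request's transmit timestamp, otherwise the packet is unsolicited.

```python
"""Worked NTP client/server exchange: the two 48-byte packets and the
offset/delay computation from the four timestamps (RFC 5905 header layout)."""
import struct

NTP_UNIX_DELTA = 2208988800          # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
HDR = "!BBbbII4sQQQQ"                # LI/VN/mode, stratum, poll, precision, root delay,
                                     # root dispersion, ref id, ref/origin/receive/transmit ts

def to_ntp(unix_secs: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    return int(round((unix_secs + NTP_UNIX_DELTA) * 2 ** 32))

def from_ntp(ts: int) -> float:
    return ts / 2 ** 32 - NTP_UNIX_DELTA

def build(mode: int, origin=0, receive=0, transmit=0, stratum=0, ref_id=b"\0\0\0\0") -> bytes:
    # LI=0, VN=4, poll=6 (64 s), precision=-20; root delay/dispersion and reference
    # timestamp are left at zero because they play no part in the offset calculation
    return struct.pack(HDR, (4 << 3) | mode, stratum, 6, -20, 0, 0, ref_id,
                       0, origin, receive, transmit)

def parse(pkt: bytes) -> dict:
    f = struct.unpack(HDR, pkt[:48])
    return {"mode": f[0] & 7, "version": (f[0] >> 3) & 7, "stratum": f[1],
            "origin": f[8], "receive": f[9], "transmit": f[10]}

def client_request(client_clock: float) -> bytes:
    """Step 1: the client stamps its own (possibly wrong) time into Transmit (T1)."""
    return build(mode=3, transmit=to_ntp(client_clock))

def server_reply(request: bytes, rx_time: float, tx_time: float) -> bytes:
    """Steps 2-3: the server echoes the client's Transmit as Origin and stamps
    Receive (T2) and Transmit (T3) from its own clock."""
    req = parse(request)
    return build(mode=4, stratum=2, ref_id=b"GPS\0", origin=req["transmit"],
                 receive=to_ntp(rx_time), transmit=to_ntp(tx_time))

def offset_and_delay(request: bytes, reply: bytes, rx_client_clock: float):
    """Step 4: the client stamps Destination (T4) locally and evaluates the reply."""
    req, rep = parse(request), parse(reply)
    # Origin must echo our Transmit; a reply that fails this was not solicited by us
    if rep["origin"] != req["transmit"]:
        raise ValueError("origin timestamp mismatch: reply does not belong to our request")
    t1, t2, t3 = from_ntp(req["transmit"]), from_ntp(rep["receive"]), from_ntp(rep["transmit"])
    t4 = rx_client_clock
    offset = ((t2 - t1) + (t3 - t4)) / 2      # server clock minus client clock
    delay = (t4 - t1) - (t3 - t2)             # round trip minus server processing time
    return offset, delay

def simulate(client_error=-1.5, one_way=0.020, server_proc=0.001, t0=1_600_000_000.0):
    """Constructed scenario (assumption, not a capture): the client clock is `client_error`
    seconds off true time t0, latency is `one_way` each way, the server answers after `server_proc`."""
    req = client_request(t0 + client_error)                            # T1 on the client's clock
    rep = server_reply(req, t0 + one_way, t0 + one_way + server_proc)  # T2, T3 on the server's clock
    t4 = t0 + 2 * one_way + server_proc + client_error                 # T4 on the client's clock
    return offset_and_delay(req, rep, t4)

if __name__ == "__main__":
    off, dly = simulate()
    print(f"offset={off:+.6f}s delay={dly:.6f}s")
```

Running it reports an offset of +1.5 s (the client is 1.5 s behind the server) and a delay of 40 ms (the round trip with the 1 ms of server processing removed). The offset formula cancels a symmetric network delay; an asymmetric path leaves an error of half the asymmetry, which is why ntpd keeps several samples per server instead of trusting a single exchange.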

Whenever the NTP daemon (ntpd) starts, it reads its configuration file (/etc/ntp.conf) to determine synchronisation sources, authentication options, monitoring options, access control and other operating options. It also reads the frequency (drift) file (/etc/ntp/drift), which contains the latest estimate of the clock frequency error. If specified, it also looks for the file containing the authentication keys (/etc/ntp/keys). These paths are the usual defaults; distributions may place the files elsewhere.

Example of an Amplified NTP DDoS Reflection Attack

An attacker will first scan for hosts listening on port 123/UDP, looking for a vulnerable NTP server: one that places no restriction on the clients it serves and/or has an unrestricted query configuration that can be exploited.

Nmap, the open source utility for network discovery and security auditing, can be used to check whether an IP address is listening on port 123/UDP. Nmap sends an NTP-formatted probe to this port, so a state of open means the host answered; a UDP port that stays silent is reported as open|filtered.

$ nmap -sU -pU:123 -Pn -n xxx.xxx.xxx.xxx
Starting Nmap 7.01 ( https://nmap.org ) at 2020-08-25 11:07 IST
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.00015s latency).
PORT    STATE SERVICE
123/udp open  ntp
MAC Address:  08:00:27:A7:E4:94 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds

nmap options
-sU  :UDP scan.
-pU:123  :port 123/UDP.
-Pn  :No Ping.
-n  :No DNS resolution.

The NTP query program ntpq can be used to identify the version of the NTP daemon (ntpd) running on a host. ntpq uses NTP mode 6 (control message) packets to communicate with the NTP server.

$ ntpq -c "rv 0 version" xxx.xxx.xxx.xxx
version="ntpd 4.2.0-a Thu Jan 10 17:45:38 2019 (1)"

ntpdc, the special NTP query program for ntpd's private protocol, can be used to send a monlist control query to the NTP server to obtain and print the traffic counts collected and maintained by its monitor facility. ntpdc uses NTP mode 7 packets to communicate with the NTP server.

$ ntpdc -n -c monlist xxx.xxx.xxx.xxx
remote address          port local address     count m ver code avgint   lstint
===============================================================================
17.253.108.125         42962 0.0.0.0               2 6 2      0      0        0
17.253.108.253         52550 0.0.0.0               7 7 2      0    396    12386
44.155.254.17          53805 0.0.0.0               2 7 2      0   1704    36533
93.180.5.26            44329 0.0.0.0               7 7 2      0   3198   137000
119.84.40.54           35633 0.0.0.0               5 7 0      0   5367     5367
140.203.204.77         54444 0.0.0.0               3 7 2      0  23431    35367
145.238.203.14         39506 0.0.0.0               3 7 2      0  23532    23433
162.213.25.66          48658 0.0.0.0               1 7 2      0  29471    37552
176.31.159.65          34026 0.0.0.0               9 7 2      0  37532   103973
192.168.100.15         55462 0.0.0.0               3 7 2      0  53963   146873
193.1.185.37           37872 0.0.0.0               1 7 2      0  56020    25628
194.80.204.184         59515 0.0.0.0               2 6 2      0  58106    60331
212.82.106.33          35366 0.0.0.0               3 6 2      0  59699   145872

ntpdc options
-n  :Output all host addresses in dotted-quad numeric format rather than converting them to canonical host names.
-c  :The following argument is interpreted as an interactive format command and is added to the list of commands to be executed on the specified host.
monlist  :Obtain and print traffic counts collected and maintained by the NTP daemon (ntpd) monitor facility.

The attacker will use a legitimate host like this one, together with the other vulnerable hosts they have identified, as reflectors in an amplified NTP DDoS attack against an unsuspecting victim.

NTP uses the User Datagram Protocol (UDP) as its transport protocol. UDP is connectionless: datagrams are carried in Internet Protocol (IP) packets without establishing a session between the two devices, so there is no handshake that would prove the source address is genuine. The attacker therefore forges the source address in the IP packet header (IP spoofing) so that the legitimate hosts selected as reflectors believe the request came from the unsuspecting victim and send their replies there.

One of the most effective techniques used in DDoS attacks is amplification. It relies on the response being considerably larger than the request: if an attacker can direct a large number of responses at the victim, they can do a lot of harm with few resources. Several protocols can be abused as accessories for amplification, e.g. DNS, SNMPv2 and NTP. NTP monlist is particularly sought after because of its high amplification factor.

The attacker sends monlist control queries to the list of ntpd reflectors over UDP with the forged (spoofed) source address of the unsuspecting victim. Each reflector replies to that address with the traffic counts collected and maintained by its monitor facility (the amplified payload). The attack volume grows as more and more reflectors reply, until the victim's network is overwhelmed by unsolicited responses to monlist queries it never sent. Such attacks are highly disruptive and difficult to mitigate at the victim, because the traffic arrives from legitimate servers.

Finally, the attacker usually does not launch the attack from their own systems but uses a botnet: a number of malware-infected computers spread across the world that the botnet controller can use for various purposes. Botnet controllers sell access to this infrastructure as DDoS-for-hire services, marketed as "stressers" or "booters", and an attacker can hire one for a specified time and fee to launch a Distributed Denial of Service (DDoS) reflection attack against a target of choice. Note that reflection does not require a large botnet: the reflectors provide the amplification, so the attacker only needs hosts on networks that allow packets with forged source addresses to leave.

Verification

To establish whether a host exposes an openly accessible NTP service on the Internet, the ntpq and ntpdc utilities shipped in the ntp package of standard Linux distributions such as Ubuntu, together with nmap, can be used.

In the following examples, substitute xxx.xxx.xxx.xxx with the IP address of the NTP server.

To check the version of the NTP software on a Linux platform.

The following command shows the version of the locally installed ntp package. It reports the ntpq binary, which is built from the same source tree as ntpd and so normally matches the daemon in your $PATH, but it does not query a running server.

$ ntpq --version

ntpq 4.2.8p4@1.3265-o Tue Jan  7 15:08:29 UTC 2020 (1).

The following two commands query the ntpd instance running on the current host for its version (a mode 6 readvar request; with no host argument ntpq talks to localhost).

$ ntpq -c "rv 0 version"

version="ntpd 4.2.0-a Thu Jan 10 17:45:38 2019 (1)"

or

$ ntpq -crv

associd=0 status=0654 leap_none, sync_local, 5 events, freq_mode,
version="ntpd 4.2.0-a Thu Jan 10 17:45:38 2019 (1)", processor="amd64",
system="FreeBSDJNPR-10.3-20180911.6c98660_buil", leap=00, stratum=4,
precision=-23, rootdelay=27.202, rootdispersion=73.607, peer=27860,
refid=xxx.xxx.x.xxx,
reftime=e300b2f6.31ac50de Mon, Sep 7 2020 14:24:06.194, poll=7,
clock=e300b3dc.a47689e8 Mon, Sep 7 2020 14:27:56.642, state=4,
offset=+0.665, frequency=+5.024, jitter=0.157, stability=0.032

ntpq flags
-c  :Specifies an interactive format command. This flag adds the subcommand to the list of commands to run on the specified hosts.
ntpq control message subcommands
rv  :Display the values of the specified variables of the server with the given association ID. Association 0 refers to the server's own system variables, which include version.

To confirm whether an NTP server has an unrestricted query configuration and will reply to a monlist control query, ntpdc, the special NTP query program, can be used.

$ ntpdc -n -c monlist xxx.xxx.xxx.xxx

remote address          port local address     count m ver code avgint   lstint
===============================================================================
17.253.108.125         42962 0.0.0.0               2 6 2      0      0        0
17.253.108.253         52550 0.0.0.0               7 7 2      0    396    12386
44.155.254.17          53805 0.0.0.0               2 7 2      0   1704    36533
93.180.5.26            44329 0.0.0.0               7 7 2      0   3198   137000
119.84.40.54           35633 0.0.0.0               5 7 0      0   5367     5367
140.203.204.77         54444 0.0.0.0               3 7 2      0  23431    35367
145.238.203.14         39506 0.0.0.0               3 7 2      0  23532    23433
162.213.25.66          48658 0.0.0.0               1 7 2      0  29471    37552
176.31.159.65          34026 0.0.0.0               9 7 2      0  37532   103973
192.168.100.15         55462 0.0.0.0               3 7 2      0  53963   146873
193.1.185.37           37872 0.0.0.0               1 7 2      0  56020    25628
194.80.204.184         59515 0.0.0.0               2 6 2      0  58106    60331
212.82.106.33          35366 0.0.0.0               3 6 2      0  59699   145872

An openly accessible NTP server, with an unrestricted query configuration will respond to the monlist control query with a list of clients that have connected to the NTP server for time service.

If the monitor facility of the NTP server is currently empty, or monitoring has been turned off with "disable monitor" in ntp.conf, it will instead return:

***Server reports data not found

If the NTP server does not have an unrestricted query configuration (the matching restrict entry carries noquery or ignore), the request times out. The same output appears when a firewall drops the packet, or when the daemon is 4.2.8 or later, which by default does not process mode 7 requests at all, so a timeout alone does not prove the server is patched; correlate it with the version check above:

xxx.xxx.xxx.xxx:  timed out, nothing received
***Request timed out
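
The following Python script is an added example, not code from the original advisory, the ntp project or nmap; it is the offline counterpart of the ntpdc monlist checks shown in this section and in the attack example above. It builds the minimal 8-byte mode 7 monlist probe that scanners such as the nmap ntp-monlist script send, decodes a mode 7 reply into the same columns ntpdc prints (remote address, port, count, mode, version, code, avgint, lstint), maps the reply onto the three outcomes described above (entries returned, "data not found", timeout) and computes the payload amplification ratio. The packet layout follows ntpd's ntp_request.h as the example assumes it (8-byte header, 72-byte info_monitor_1 entries, up to 6 entries per reply datagram); the sample replies are constructed in the script, not captured from a server, and no socket is opened so the script runs without network access.

```python
"""Mode 7 (ntpdc) monlist, offline: build the probe, decode a reply, classify the result."""
from __future__ import annotations
import ipaddress
import struct

IMPL_XNTPD = 3            # implementation number ntpd answers to
REQ_MON_GETLIST_1 = 42    # monlist request code
INFO_ERR_NODATA = 4       # error code behind ntpdc's "***Server reports data not found"
HDR = "!BBBBHH"           # rm_vn_mode, auth_seq, implementation, request, err|nitems, mbz|itemsize
ITEM = "!IIIIIIIHBBII16s16s"   # struct info_monitor_1 (ntp_request.h): 72 bytes per client entry
ITEM_LEN = struct.calcsize(ITEM)
MAX_ITEMS = 6             # entries per reply datagram in ntpd (8 + 6 * 72 = 440 bytes)

def monlist_request(seq: int = 0) -> bytes:
    """The 8-byte probe: response=0, more=0, version 2, mode 7, impl 3, request 42, no data."""
    return struct.pack(HDR, (2 << 3) | 7, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)

def parse_mode7(pkt: bytes) -> dict:
    """Decode the header and, for a successful monlist reply, the client entries."""
    b0, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(HDR, pkt[:8])
    hdr = {"response": bool(b0 & 0x80), "more": bool(b0 & 0x40), "version": (b0 >> 3) & 7,
           "mode": b0 & 7, "seq": auth_seq & 0x7F, "impl": impl, "request": req,
           "error": err_nitems >> 12, "nitems": err_nitems & 0xFFF,
           "itemsize": mbz_itemsize & 0xFFF, "entries": []}
    if hdr["mode"] != 7 or not hdr["response"]:
        raise ValueError("not a mode 7 response")
    if hdr["error"] == 0 and hdr["itemsize"] == ITEM_LEN:
        for i in range(hdr["nitems"]):
            f = struct.unpack(ITEM, pkt[8 + i * ITEM_LEN: 8 + (i + 1) * ITEM_LEN])
            avg_int, last_int, restr, count, addr, _daddr, _flags, port, mode, ver, v6, _u, addr6, _d6 = f
            remote = ipaddress.IPv6Address(addr6) if v6 else ipaddress.IPv4Address(addr)
            # same columns ntpdc prints: remote address, port, count, m, ver, code, avgint, lstint
            hdr["entries"].append({"remote": str(remote), "port": port, "count": count,
                                   "mode": mode, "version": ver, "code": restr,
                                   "avgint": avg_int, "lstint": last_int})
    return hdr

def classify(reply: bytes | None) -> str:
    """Map one reply datagram (None = nothing received) onto the outcomes ntpdc prints."""
    if reply is None:
        return "timed out: noquery/ignore, a firewall, or a daemon that ignores mode 7"
    hdr = parse_mode7(reply)
    if hdr["error"] == INFO_ERR_NODATA:
        return "data not found: monitor list empty or monitoring disabled"
    if hdr["error"]:
        return f"error code {hdr['error']}"
    return f"OPEN: {len(hdr['entries'])} monlist entries returned (more={hdr['more']})"

def amplification(request: bytes, replies: list[bytes]) -> float:
    """UDP payload bytes received per payload byte sent."""
    return sum(len(r) for r in replies) / len(request)

# --- constructed sample traffic (assumption for the example, not captured from a server) ---
def make_entry(remote: str, port: int, count: int, mode: int, ver: int, avgint: int, lstint: int) -> bytes:
    ip = ipaddress.ip_address(remote)
    v6 = ip.version == 6
    return struct.pack(ITEM, avgint, lstint, 0, count, 0 if v6 else int(ip), 0, 0, port, mode, ver,
                       int(v6), 0, ip.packed if v6 else b"\0" * 16, b"\0" * 16)

def make_reply(entries: list[bytes], more: bool = False, seq: int = 0, error: int = 0) -> bytes:
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | 7      # response bit, optional more bit
    return struct.pack(HDR, b0, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                       (error << 12) | len(entries), ITEM_LEN if entries else 0) + b"".join(entries)

SAMPLE_OPEN = make_reply([make_entry("17.253.108.125", 42962, 2, 6, 2, 0, 0),
                          make_entry("192.168.100.15", 55462, 3, 7, 2, 53963, 146873)])
SAMPLE_EMPTY = make_reply([], error=INFO_ERR_NODATA)

def full_list_replies(n_clients: int = 600) -> list[bytes]:
    """What a server with a full monitor list sends: 100 datagrams, more-bit set on all but the last."""
    entry = make_entry("198.51.100.7", 123, 1, 3, 4, 64, 10)
    chunks = [entry] * n_clients
    pieces = [chunks[i:i + MAX_ITEMS] for i in range(0, n_clients, MAX_ITEMS)]
    return [make_reply(p, more=i < len(pieces) - 1, seq=i) for i, p in enumerate(pieces)]

if __name__ == "__main__":
    print("probe:", monlist_request().hex())
    for e in parse_mode7(SAMPLE_OPEN)["entries"]:
        print(e)
    print(classify(SAMPLE_OPEN), "|", classify(SAMPLE_EMPTY), "|", classify(None))
    print("payload amplification:", amplification(monlist_request(), full_list_replies()))
```

With the full list of 600 entries, the 100 datagrams of 440 bytes come to 44,000 bytes of UDP payload in answer to an 8-byte request, a ratio of 5500:1 at the payload level. Published amplification factors are lower because they count IP and UDP headers and typical list sizes, but the conclusion is the same: the victim receives orders of magnitude more than the attacker sends. To probe a real host, send monlist_request() to UDP port 123 and collect datagrams until one arrives with the more bit clear or the read times out; the timeout maps onto classify(None).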

Solution

Upgrade the ntpd service software to version 4.2.7p26 or later. That release removed the monlist command; its replacement, mrulist, is an ntpq (mode 6) command that requires the client to obtain a nonce first, so its output cannot be reflected to a spoofed source address.
(Version 4.2.8p15 was released on 23.06.2020.)

If it is not possible to upgrade the ntpd service software, deny status queries in the NTP server's configuration by adding the noquery flag to its default restrict entries, as shown below. Adding "disable monitor" to ntp.conf also empties the data that monlist returns, but the monitor facility is what the limited flag uses for rate limiting, so noquery is the preferred control.

Restrict access to the NTP daemon (ntpd) service to trusted clients.

NTP Server Configuration - ntp.conf

To deny status queries (ntpq and ntpdc, including monlist) from all hosts while continuing to serve time, insert the following lines in the server's ntp.conf file (default location /etc/ntp.conf).

restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited

Description of the options and flags used.

restrict default - the entry that applies to every client not matched by a more specific restrict line; with no -4 or -6 option it sets both the IPv4 and the IPv6 default entries.
-4 / -6 - select the IPv4 or the IPv6 default entry. For an explicit address the family follows from the address itself.
kod - Send a Kiss-o'-Death (KoD) packet when a client exceeds the rate limits, which tells a well-behaved client to back off; used together with limited.
notrap - Decline to provide the mode 6 control message trap service.
nomodify - Deny attempts to modify the state of the server via ntpq or ntpdc queries. Read-only queries are still answered unless noquery is also set.
nopeer - Deny unauthenticated packets that would mobilise a new peer association.
noquery - Deny all ntpq and ntpdc queries, monlist included. Time service is not affected.
limited - Deny time service if the packet violates the rate limits established by the discard command.

To restrict access to the ntpd service to trusted clients, insert lines of the following form in the server's ntp.conf file (default location /etc/ntp.conf).

Replace xxx.xxx.xxx.xxx with the IP address of the specific host or LAN you wish to allow. Change the netmask as required.

restrict default ignore
restrict 127.0.0.1
restrict ::1
restrict xxx.xxx.xxx.xxx
restrict xxx.xxx.xxx.xxx netmask 255.255.0.0
restrict xxx.xxx.xxx.xxx netmask 255.255.255.0 nomodify notrap nopeer noquery

Description of options and flags used.

restrict default ignore - Drops every packet from hosts not explicitly allowed. Note that a bare "restrict default" with no flags does the opposite: it permits everything, monlist included. Because ignore also drops the replies of the servers this host synchronises from, every upstream server or pool address named in the server lines needs its own entry (for example restrict xxx.xxx.xxx.xxx nomodify notrap nopeer noquery).
restrict 127.0.0.1 / restrict ::1 - Allow unrestricted access from the local host over IPv4 and IPv6.
restrict xxx.xxx.xxx.xxx - Allow unrestricted access from a specific host.
restrict xxx.xxx.xxx.xxx netmask 255.255.0.0 - Allow unrestricted access from the xxx.xxx.0.0/16 network.
restrict xxx.xxx.xxx.xxx netmask 255.255.255.0 nomodify notrap nopeer noquery - Allow hosts on the xxx.xxx.xxx.0/24 network to obtain time but nothing more. Leave out noquery only for a network that genuinely needs ntpq/ntpdc access; without it, hosts on that network can still run monlist against the server.

Note: For any changes made to take effect, the ntpd service has to be restarted.
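
The following Python script is an added example, not code from the original advisory or from the ntp project. It parses the restrict and disable lines of an ntp.conf according to the documented syntax (optional -4/-6, an address or default, an optional mask or netmask value, then flags) and reports whether the default entries that govern unknown clients carry noquery or ignore, i.e. whether ntpq/ntpdc queries such as monlist are reachable from anywhere. It is run against two constructed configurations: a weak one with a bare "restrict default", and the hardened default entries from this section. The 192.0.2.0/24 range is a documentation network used as a placeholder.

```python
"""Static check of ntp.conf: do the 'restrict default' entries, which govern every
client not matched by a more specific line, block mode 6/7 queries?"""
from __future__ import annotations
import shlex

QUERY_BLOCKING = {"ignore", "noquery"}   # either flag stops ntpq/ntpdc queries, monlist included

def parse_ntp_conf(text: str) -> dict:
    """Collect restrict entries per address family and whether the monitor facility is on."""
    cfg = {"default": {"4": None, "6": None}, "networks": [], "monitor": True}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        tok = shlex.split(line)
        if tok[0] == "disable" and "monitor" in tok[1:]:
            cfg["monitor"] = False
        if tok[0] != "restrict":
            continue
        tok = tok[1:]
        families = {"4", "6"}                         # a bare 'default' applies to both families
        if tok and tok[0] in ("-4", "-6"):
            families, tok = {tok[0][1]}, tok[1:]
        if not tok:
            continue
        target, rest = tok[0], tok[1:]
        mask = None
        if rest and rest[0] in ("mask", "netmask"):   # 'mask'/'netmask' consumes one value
            mask, rest = rest[1], rest[2:]
        flags = set(rest)
        if target == "default":
            for fam in families:
                cfg["default"][fam] = flags
        else:
            cfg["networks"].append({"target": target, "mask": mask, "flags": flags})
    return cfg

def query_exposure(text: str) -> list[str]:
    """Findings prefixed OPEN (queries reachable from anywhere) or INFO (worth a second look)."""
    cfg = parse_ntp_conf(text)
    out = []
    for fam in ("4", "6"):
        flags = cfg["default"][fam]
        if flags is None:
            out.append(f"OPEN IPv{fam}: no 'restrict default' entry, so ntpd applies no restrictions")
        elif not flags & QUERY_BLOCKING:
            out.append(f"OPEN IPv{fam}: default entry {sorted(flags) or '(no flags)'} carries neither noquery nor ignore")
    for net in cfg["networks"]:
        if net["target"] not in ("127.0.0.1", "::1", "localhost") and not net["flags"] & QUERY_BLOCKING:
            out.append(f"INFO {net['target']}: this range may run ntpq/ntpdc queries (add noquery unless required)")
    if not cfg["monitor"]:
        out.append("INFO 'disable monitor' set: monlist has no data to return, but a 'limited' entry "
                   "keeps the monitor active, so rely on noquery as the primary control")
    return out

# Constructed configurations (assumptions for the example, not a real server's file)
WEAK_CONF = """
driftfile /var/lib/ntp/ntp.drift
restrict default            # no flags: permits everything, including monlist
restrict 127.0.0.1
"""

HARDENED_CONF = """
driftfile /var/lib/ntp/ntp.drift
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 netmask 255.255.255.0 nomodify notrap nopeer noquery
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, query_exposure(conf) or ["no query exposure"])
```

Parsing the file is a static check only: ntpd applies the most specific matching restrict entry to each packet, so a permissive entry for a wide range still exposes monlist to that range, which is why specific ranges without noquery are reported as INFO. Confirm the result with the ntpdc query from the Verification section after restarting the daemon.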

Ingress & Egress Filtering

Ingress filtering implemented according to best practice limits the impact of a Denial of Service (DoS) attack on one's own network, while egress filtering limits the part a compromised network can play in a DoS attack on the networks of other organisations. In particular, source address validation at the network edge (BCP 38 / RFC 2827) drops outgoing packets whose source address does not belong to the network, which removes the spoofing that reflection attacks depend on. Additional information on ingress and egress filtering can be found at the following link.
Ingress & Egress Filtering

Additional Information

Introduction to NTP
What version of ntpd am I really running?
NTP can be abused to amplify denial-of-service attack traffic
Preventing NTP Reflection Attacks
File ntp-monlist (Nmap NSE script)
How to detect NTP Amplification DoS Attacks
NTP reflection DDoS attacks
Cisco - Network Time Protocol: Best Practices White Paper
Understanding and mitigating NTP-based DDoS attacks