Internet Accessible NTP Monitor - ('monlist')

Description

The Network Time Protocol (NTP) is used to synchronise the system clocks of computers over a network.

NTP listens on port 123/UDP.

Problem

An Internet accessible NTP server that answers an ntpdc query carrying the control message command 'monlist' can be abused for a Distributed Denial-of-Service (DDoS) reflection/amplification attack against a third party: the attacker sends small requests whose source address is forged to that of the victim, and the server sends its much larger replies to the victim.

A reflection/amplification attack based on 'monlist' has a Bandwidth Amplification Factor (BAF) of 556.9:1 (the figure reported in US-CERT Alert TA14-017A). The mechanism is that ntpd returns its Most Recently Used client list six entries per 440-byte packet, up to 100 packets for a full 600-entry list, all in answer to one request of a few dozen bytes.

Background Information - Network Time Protocol

The NTP source distribution contains a background program (daemon or service) which synchronises the computer's system time to one or more external reference time sources which can be either other devices on the network, or a radio clock that is connected to the computer.

ntpdc

ntpdc is a special NTP query program used to query the NTP daemon (ntpd) about its current state and to request changes to that state. It can be run interactively or driven by command line arguments. The state and statistics of an NTP daemon (ntpd) are available through the ntpdc interface.

Control Message Commands

Control message commands are query commands, passed as command line arguments to ntpdc, that request information from an NTP daemon (ntpd). They are read-only and make no change to the configuration state of the daemon.

'monlist'

'monlist' is a control message command, passed as a command line argument to ntpdc, that requests and prints the traffic counts collected and maintained by the monitoring facility of an NTP daemon (ntpd). The monitoring facility records the Most Recently Used (MRU) hosts or clients that have communicated with the daemon. 'monlist' returns at most 600 entries, the size of the MRU list kept by ntpd.

NTP Mode 7 packets (ntpdc)

ntpdc uses NTP mode 7 packets to communicate with, and query, an NTP daemon (ntpd) that permits it. Mode 7 packets are UDP datagrams sent to and received from port 123/UDP. They share the general structure (header, data, optional MAC) of time synchronisation messages, but the layout and semantics of the header fields differ: a mode 7 packet carries an 8-octet header (the R/M/VN/Mode octet, an authentication bit and sequence number, an implementation number, a request code, an error code with item count, and the item size) followed by the data items. They are distinguished from time synchronisation packets by the Mode field, the low three bits of the first octet of the NTP header, which has the value 7 (binary 111).

NTP version 4.2.7p26

An NTP daemon (ntpd) running a version prior to 4.2.7p26 answers a mode 7 ntpdc 'monlist' request. From 4.2.7p26 onwards, mode 7 queries are disabled by default and 'monlist' has been replaced by the ntpq control message command 'mrulist', which uses mode 6 packets and a nonce handshake: the client must first obtain a nonce from the server and echo it back in the list request, so a request with a forged source address never receives the list. Two caveats apply when relying on the version string. First, 4.2.7 is a development series and the first stable release containing the change is 4.2.8, so the stable 4.2.6p5 and earlier remain affected. Second, vendor builds (including the ntpd embedded in network equipment) may have backported or omitted the fix under an unrelated version string, so test the behaviour as described under Verification rather than trusting the version alone.

Verification

To establish whether a host exposes the service to the Internet, utility programs included with a standard Linux/Ubuntu distribution can be used. Run the test from a node elsewhere on the Internet rather than from the host itself or its local network: restrict entries and perimeter firewall rules may treat local and remote sources differently, and only the remote view matters for a reflection attack.

To discover the version of the NTP software of an Internet accessible NTP Monitor service, the 'Nmap' open source network scanner can be used.

Nmap discovers hosts and services on a network by sending packets and analysing the responses.

Insert the IP address of the host to be checked for an Internet accessible NTP Monitor service when invoking Nmap with the options shown in the following example.

$ sudo nmap -sU -p 123 -Pn --script ntp-info xxx.xxx.xxx.xxx

An Internet accessible NTP service listening on port 123/UDP will return information similar to that shown below. Note that the ntp-info script uses mode 6 (ntpq 'readvar') queries, so the version string it reports is only a hint: a host that answers ntp-info may still refuse mode 7, and a host that hides its version may still answer 'monlist'. The ntpdc test that follows is the definitive check.

$ sudo nmap -sU -p 123 -Pn --script ntp-info xxx.xxx.xxx.xxx
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-12 12:02 GMT
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.00015s latency).
PORT    STATE SERVICE
123/udp open  ntp
| ntp-info:
|   receive time stamp: 2021-11-12T12:02:21
|   version: ntpd 4.2.0-a Sat Sep  8 05:35:16 UTC 2018 (1)
|   processor: powerpc
|   system: JUNOS14.1X53-D47.6
|   leap: 0
|   stratum: 6
|   precision: -18
|   rootdelay: 23.778
|   rootdispersion: 64.680
|   peer: 47156
|   refid: xxx.xxx.xxx.xxx
|   reftime: 0xe653d4d2.a57b0e1d
|   poll: 10
|   clock: 0xe538d64d.22f9f705
|   state: 4
|   offset: -1.407
|   frequency: -0.671
|   jitter: 1.600
|_  stability: 0.086\x0D
Service Info: OS: JUNOS14.1X53-D47.6

Nmap done: 1 IP address (1 host up) scanned in 0.97 seconds

Options
sudo      :root privileges are required for a UDP scan.
-sU       :UDP scan.
-p 123    :scan only port 123.
-Pn       :no ping; treat the host as up.
--script  :run the named Nmap script.
ntp-info  :Nmap script that obtains time and configuration variables from an NTP server.

To request and print the traffic counts collected and maintained by the monitoring facility of the Internet accessible NTP Monitor service, run an ntpdc query with the control message command 'monlist' as a command line argument. A host that answers is exposed regardless of the version string it reports; a patched or correctly restricted host returns nothing (ntpdc reports a timeout) or an error.

The data printed will be similar to that shown below.

$ sudo ntpdc -n -c monlist xxx.xxx.xxx.xxx
remote address          port local address     count m ver rstr avgint   lstint
===============================================================================
17.253.108.125           123 10.0.0.140            1 3 4      0      0        0
17.253.108.253          5056 10.0.0.140          168 4 4      0    585      871
44.155.254.17          42406 10.0.0.140            1 3 4      0   1704     1704
93.180.5.26            44329 10.0.0.140            1 3 4      0   3198     3198
119.84.40.54           35633 10.0.0.140            1 3 4      0   5367     5367
140.203.204.77         54444 10.0.0.140            1 3 4      0  17975    17975
145.238.203.14         39506 10.0.0.140            3 7 2      0  18039    18039
162.213.25.66          48658 10.0.0.140            1 7 2      0  24272    24272
176.31.159.65          34026 10.0.0.140            9 7 2      0  42280    42280
192.168.100.15         55462 10.0.0.140            3 7 2      0  53963    53963
193.1.185.37           37872 10.0.0.140            1 7 2      0  56020    25628
194.80.204.184         59515 10.0.0.140            2 6 2      0  58106    60331
212.82.106.33          35366 10.0.0.140            3 6 2      0  71706    71706

Special NTP query program
ntpdc    :Special NTP query program (mode 7).

Options
sudo     :not needed; a read-only ntpdc query runs without special privileges.
-n       :Output all host addresses in dotted-quad numeric format rather than converting to the canonical host names.
-c       :The following argument is interpreted as an interactive format command and is added to the list of commands to be executed on the specified host.

Control Message Command
monlist  :Obtain and print traffic counts collected and maintained by the NTP monitoring facility.

Output columns
remote address, port  :address and source port of the client's most recent packet.
local address         :the server address the client talked to.
count                 :number of packets received from the client.
m, ver                :mode and NTP version of the client's last packet (m 3 is an ordinary client; m 6 and m 7 are ntpq and ntpdc queries, frequently other scanners).
rstr                  :restriction flags applied to the client.
avgint, lstint        :average interval between the client's packets and time since its last packet, in seconds.
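The mode 7 packet layout described above and the ntpdc 'monlist' check can be exercised without ntpdc installed. The following Python script is an added example written for this page; it is not code from the page, from ntpdc or from the ntp project. It builds the same REQ_MON_GETLIST_1 request that ntpdc sends, parses reply datagrams using the header and info_monitor_1 layouts from ntpd's ntp_request.h, and reports whether the host is exposed together with the bytes-returned-per-byte-sent ratio. The function names are this example's own, and the sample reply datagrams at the bottom are constructed from the entries in the table above rather than captured traffic; passing a host on the command line runs the live probe against port 123/UDP.

```python
# Mode 7 'monlist' probe: build the request, parse the replies, judge exposure. Added
# example (not code from the page or the ntp project); header and item layouts follow
# struct req_pkt / struct info_monitor_1 in ntpd's ntp_request.h, names are ours.
import socket
import struct
from ipaddress import IPv4Address, IPv6Address

IMPL_XNTPD = 3                                 # implementation number ntpd answers to
REQ_MON_GETLIST_1 = 42                         # request code sent by 'ntpdc -c monlist'
HDR = struct.Struct("!BBBBHH")                 # 8-byte mode 7 header
ITEM = struct.Struct("!IIIIIIIHBBII16s16s")    # struct info_monitor_1, 72 bytes
ERR_NAMES = {0: "okay", 1: "implementation mismatch", 2: "unknown request",
             3: "format error", 4: "no data", 7: "authentication failure"}


def build_monlist_request(seq=0, version=2, ntpdc_size=True):
    """Octets: R=0 M=0 VN Mode=7 | auth/seq | impl | request | err/nitems | mbz/itemsize.
    ntpdc appends a 40-byte data area (48 bytes); the bare 8-byte header works too."""
    first = (version << 3) | 7
    pkt = HDR.pack(first, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)
    return pkt + (b"\x00" * 40 if ntpdc_size else b"")


def parse_monlist_response(data):
    """Return (error name, more-follows flag, MRU entries) for one reply datagram."""
    if len(data) < HDR.size: raise ValueError("shorter than a mode 7 header")
    first, _auth_seq, impl, req, err_nitems, mbz_itemsize = HDR.unpack_from(data)
    if first & 0x07 != 7 or not first & 0x80: raise ValueError("not a mode 7 response")
    if impl != IMPL_XNTPD or req != REQ_MON_GETLIST_1: raise ValueError("other request")
    more = bool(first & 0x40)                  # M bit: further packets follow
    err, nitems, itemsize = err_nitems >> 12, err_nitems & 0x0FFF, mbz_itemsize & 0x0FFF
    entries, off = [], HDR.size
    if err == 0 and itemsize == ITEM.size:
        for _ in range(nitems):
            if off + ITEM.size > len(data): break   # truncated datagram
            (_last, _first, _drop, count, addr, daddr, _flags, port, mode,
             ver, v6, _unused, addr6, daddr6) = ITEM.unpack_from(data, off)
            remote = IPv6Address(addr6) if v6 else IPv4Address(addr)
            local = IPv6Address(daddr6) if v6 else IPv4Address(daddr)
            entries.append({"remote": str(remote), "port": port, "local": str(local),
                            "count": count, "mode": mode, "version": ver})
            off += ITEM.size
    return ERR_NAMES.get(err, "error %d" % err), more, entries


def assess(request, replies):
    """Summarise the reply datagrams collected for one request."""
    if not replies:
        return {"status": "no reply (mode 7 disabled, filtered, or host down)",
                "entries": [], "amplification": 0.0}
    entries, errors = [], set()
    for rep in replies:
        err, _more, items = parse_monlist_response(rep)
        if err != "okay": errors.add(err)
        entries.extend(items)
    amp = round(sum(len(r) for r in replies) / len(request), 1)
    if entries:
        status = "EXPOSED: monlist returned %d entries in %d packets" % (len(entries), len(replies))
    elif errors:
        status = "monlist refused: " + ", ".join(sorted(errors))
    else:
        status = "monlist answered but the MRU list is empty"
    return {"status": status, "entries": entries, "amplification": amp}


def probe(host, timeout=2.0):
    """Live check: send one request, collect replies until the M bit clears or timeout."""
    req, replies = build_monlist_request(), []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 123))
        try:
            while True:
                replies.append(s.recv(1024))
                if not parse_monlist_response(replies[-1])[1]: break
        except socket.timeout:
            pass
    return assess(req, replies)


def make_sample_reply(entries, seq=0, more=False, err=0):
    """Constructed reply (not captured traffic); entries are (remote, port, count, mode, ver)."""
    first = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
    body = b"".join(ITEM.pack(0, 0, 0, count, int(IPv4Address(remote)), int(IPv4Address("10.0.0.140")),
                              0, port, mode, ver, 0, 0, bytes(16), bytes(16))
                    for remote, port, count, mode, ver in entries)
    return HDR.pack(first, seq, IMPL_XNTPD, REQ_MON_GETLIST_1, (err << 12) | len(entries), ITEM.size) + body


# Constructed sample: one full 440-byte packet (6 entries, M bit set) and a final short one.
SAMPLE_ENTRIES = [("17.253.108.253", 5056, 168, 4, 4), ("44.155.254.17", 42406, 1, 3, 4),
                  ("93.180.5.26", 44329, 1, 3, 4), ("119.84.40.54", 35633, 1, 3, 4),
                  ("145.238.203.14", 39506, 3, 7, 2), ("176.31.159.65", 34026, 9, 7, 2),
                  ("212.82.106.33", 35366, 3, 6, 2)]
SAMPLE_REQUEST = build_monlist_request()
SAMPLE_REPLIES = [make_sample_reply(SAMPLE_ENTRIES[:6], seq=0, more=True),
                  make_sample_reply(SAMPLE_ENTRIES[6:], seq=1)]
SAMPLE_RESULT = assess(SAMPLE_REQUEST, SAMPLE_REPLIES)

if __name__ == "__main__":
    import sys
    result = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESULT
    print("%s; %.1f bytes returned per byte sent" % (result["status"], result["amplification"]))
```

Run it only against hosts you are authorised to test: each live probe makes the target emit up to 100 datagrams towards your address. A list of entries means the host will answer a forged source address in exactly the same way; silence is what a 'noquery' restriction or a release with mode 7 disabled produces, and an error reply such as 'no data' is what a host with monitoring disabled produces. The ratio printed for the constructed sample is far below 556.9:1 because only seven entries are returned; a server with a full MRU list returns 100 packets of 440 bytes.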

Solution

Upgrade the NTP daemon (ntpd) to version 4.2.7p26 or later (stable release 4.2.8 or later), in which mode 7 queries are disabled by default.

If it is not possible to upgrade ntpd, change its configuration so that it does not answer queries from the NTP query program ntpdc.

Access control commands inserted into the NTP daemon configuration file, /etc/ntp.conf, prevent queries from both ntpdc and ntpq without affecting time service. The two 'default' entries below deny queries from every host. Where ntpq or ntpdc are still used on the server itself, keep (or add) entries permitting localhost, for example 'restrict 127.0.0.1' and 'restrict ::1' as the Debian/Ubuntu shipped file does, because a 'default' entry carrying noquery otherwise refuses local queries too.

Insert the following Access Control Commands into the file /etc/ntp.conf

restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

Access Control Commands
restrict  :Restrict or control access to the NTP service.
-4        :Apply the entry to the IPv4 address family only (for a host name, force DNS resolution to IPv4).
-6        :Apply the entry to the IPv6 address family only (for a host name, force DNS resolution to IPv6). A 'default' entry with neither flag applies to both families.
default   :Keyword, with no mask option, indicating the default entry (address 0.0.0.0, mask 0.0.0.0), which is matched when no more specific entry applies.
kod       :Send a rate-limited Kiss-o'-Death packet when an access violation occurs, telling well-behaved clients to back off.
notrap    :Decline to provide mode 6 control message trap service to matching hosts.
nomodify  :Deny ntpdc and ntpq queries that attempt to modify the state of the NTP server; informational queries are still answered.
nopeer    :Deny unauthenticated packets that would result in mobilising a new association.
noquery   :Deny all ntpdc and ntpq (mode 6 and mode 7) queries; this is the flag that stops 'monlist'. Time service is not affected.

Restart the NTP service for the access control commands inserted into /etc/ntp.conf to take effect (on systemd-based systems the equivalent is 'systemctl restart ntp'), then confirm from an external node that the ntpdc 'monlist' query under Verification now times out.

/etc/init.d/ntp restart

Alternatively

Disable the NTP monitoring facility. This stops ntpd maintaining the MRU list that 'monlist' reads, so the command returns nothing, but ntpd still answers other mode 7 queries (for example 'peers' and 'sysinfo'), which reflect with a smaller amplification factor; and if any restrict entry uses the 'limited' flag, the monitoring facility stays active regardless, because 'limited' depends on it. Prefer the noquery restriction above, or use both.

Insert the miscellaneous option 'disable monitor' into the file /etc/ntp.conf

disable monitor

Miscellaneous Options
disable  :Disable an NTP server option.
monitor  :the monitoring facility (the Most Recently Used client list), enabled by default.

Restart the NTP service for the miscellaneous option inserted into /etc/ntp.conf to take effect, then confirm from an external node that 'monlist' no longer returns entries.

/etc/init.d/ntp restart
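To check a configuration file against the two remedies above before restarting ntpd, the following Python script is an added example written for this page; it is not code from the page or from the ntp project. It reads the 'restrict ... default' entries per address family, per-host entries such as the localhost exceptions, and 'disable monitor', and reports whether mode 7 queries are reachable from anywhere, whether 'monlist' would still answer, and whether local ntpq/ntpdc would keep working. The sample configurations at the bottom are constructed, the function names are this example's own, and two simplifications are assumed: repeated entries for one address are merged as a union of flags, and 'limited'/'discard' rate limiting is not modelled.

```python
# Audit an ntp.conf for Internet-reachable mode 7 'monlist'. Added example (not code
# from the page or the ntp project) applying the documented meaning of 'restrict ...
# default', 'noquery' and 'disable monitor'. Assumptions: repeated entries for the same
# address are merged as a union of flags; 'limited'/'discard' rate limiting is not modelled.
import shlex


def parse_ntp_conf(text):
    """Collect default restrictions per address family, per-host restrictions and
    whether the monitoring (MRU) facility is enabled (it is by default)."""
    cfg = {"default": {"ipv4": None, "ipv6": None}, "hosts": {}, "monitor": True}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop comments and blank lines
        if not line:
            continue
        words = shlex.split(line)
        if words[0] in ("enable", "disable") and "monitor" in words[1:]:
            cfg["monitor"] = words[0] == "enable"
        elif words[0] == "restrict" and len(words) > 1:
            families, rest = ("ipv4", "ipv6"), words[1:]
            if rest[0] in ("-4", "-6"):             # -4/-6 pin the entry to one family
                families = ("ipv4",) if rest[0] == "-4" else ("ipv6",)
                rest = rest[1:]
            if not rest:
                continue
            target, args = rest[0], rest[1:]
            if "mask" in args:                      # 'mask x.x.x.x' is not a flag
                i = args.index("mask")
                args = args[:i] + args[i + 2:]
            if target == "default":                 # no -4/-6: both families
                for fam in families:
                    cfg["default"][fam] = (cfg["default"][fam] or set()) | set(args)
            else:
                cfg["hosts"][target] = cfg["hosts"].get(target, set()) | set(args)
    return cfg


def _permits_queries(flags):
    """No entry at all, or an entry without noquery, lets mode 6/7 queries through."""
    return flags is None or "noquery" not in flags


def audit(text):
    """Return whether mode 7 is reachable, whether monlist would answer, whether
    local ntpq/ntpdc still work, and a list of human-readable findings."""
    cfg = parse_ntp_conf(text)
    open_fams = [f for f in ("ipv4", "ipv6") if _permits_queries(cfg["default"][f])]
    findings = ["%s: default restriction permits mode 6/7 queries from any host (add noquery)" % f
                for f in open_fams]
    mode7_open = bool(open_fams)
    monlist_exposed = mode7_open and cfg["monitor"]
    if mode7_open and not cfg["monitor"]:
        findings.append("monitor disabled: monlist returns nothing, but other mode 7 queries still reflect")
    local_ok = _permits_queries(cfg["default"]["ipv4"]) or any(
        h in cfg["hosts"] and "noquery" not in cfg["hosts"][h] for h in ("127.0.0.1", "::1"))
    if not local_ok:
        findings.append("no localhost exception: ntpq/ntpdc on the server itself will be refused too")
    return {"mode7_open": mode7_open, "monlist_exposed": monlist_exposed,
            "local_query_ok": local_ok, "findings": findings}


# Constructed sample configurations, not taken from any real host.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod notrap nomodify nopeer   # noquery missing: monlist answers anyone
restrict 127.0.0.1
"""
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
"""
MONITOR_OFF_CONF = WEAK_CONF + "disable monitor\n"
IPV4_ONLY_CONF = "restrict -4 default noquery\nrestrict 127.0.0.1\n"   # IPv6 default left open

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    result = audit(text)
    print("monlist exposed:", result["monlist_exposed"])
    for finding in result["findings"]:
        print(" -", finding)
```

Saved as, say, ntpconf_audit.py, it is run as 'python3 ntpconf_audit.py /etc/ntp.conf'. It is a static check of that one file only: an 'includefile' directive, a vendor default compiled into the daemon, or a 'limited' entry that keeps the monitor active can all change the effective behaviour, so confirm from an external node with the ntpdc test under Verification after the restart.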

Supplementary Information

Ingress & Egress Filtering

Ingress Filtering  :Ingress filtering is a simple and effective method to limit the impact of DoS attacks, by denying traffic with a forged IP source address (IP spoofing) access to the network, and by helping to ensure that traffic is traceable to its correct network.
Egress Filtering   :Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations, by preventing traffic with a forged (spoofed) source IP address from leaving the network. A reflection attack depends on the attacker being able to send packets carrying the victim's source address, so source address validation at the attacker's network edge (BCP 38, RFC 2827) removes the precondition for the attack.

The implementation of best practice in relation to ingress filtering limits the impact of a Denial of Service (DoS) attack on one's own network, while the implementation of best practice in relation to egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations. Additional information on Ingress & Egress Filtering can be found at the following link - Ingress & Egress Filtering

UDP Based Denial-of-Service (DoS) Attack

The User Datagram Protocol (UDP), a generic carrier for several higher-level protocols, has a number of properties that make it susceptible to exploitation for DoS attacks against third parties: it is connectionless, so a single datagram with a forged source address elicits a reply without any handshake, and that reply is sent to whatever source address the request carried. Additional information on the components and techniques deployed in a UDP based DoS attack can be found at the following link - UDP Based Denial-of-Service (DoS) Attack

Additional Information

RFC1305 - NTP Version 3: Specification, Implementation and Analysis
RFC5905 - NTP Version 4: Protocol and Algorithms Specification
Shadowserver - Open NTP Monitor (Mode 7) Scanning Project
IETF - Network Time Protocol Best Current Practices
ntpdc - special NTP query program
FreeBSD Manual Pages - ntp.conf
NTPD Access Restrictions
Meinberg Security Advisory: NTP Monlist Network Traffic Amplification Attacks
Carnegie Mellon University - NTP can be abused to amplify DoS attack traffic
Understanding and mitigating NTP-based DDoS attacks
How to detect NTP Amplification DoS Attacks
Preventing NTP Reflection Attacks
NTP reflection DDoS attacks
Nmap.org - File ntp-monlist
CVE-2013-5211
Professor David L. Mills - University of Delaware - Site Map
Network Time Protocol (NTP)