Internet Accessible NTP Version ('readvar')

Description

The Network Time Protocol (NTP) is a protocol used to synchronise the system time of a computer in a network.

NTP listens on port 123/UDP.

Problem

An Internet accessible NTP server that responds to an ntpq query including the control message command 'readvar' can be abused for a Distributed Denial-of-Service (DDoS) reflection/amplification attack against a third party.

A DDoS reflection/amplification attack based upon the exploitation of an ntpq query that includes the control message command 'readvar' has a Bandwidth Amplification Factor (BAF) of 30.0:1.

Background Information - Network Time Protocol

The NTP source distribution contains a background program (daemon or service) which synchronises the computer's system time to one or more external reference time sources which can be either other devices on the network, or a radio clock that is connected to the computer.

ntpq

ntpq is a standard NTP query program, used to monitor the operations of the NTP daemon (ntpd) and determine performance. The program can be run in interactive mode or controlled using command line arguments.

Control Message Commands

Control Message Commands are query commands, included as command line arguments in a ntpq query, to request information from a NTP daemon (ntpd). They are read-only commands that make no modification to the configuration state of the NTP daemon (ntpd).

readvar

readvar is a control message command, included as a command line argument in an ntpq query, that requests a list of configuration system variables from an NTP daemon (ntpd). Multiple system variables are specified separated by commas.

List of System Variables - 'readvar'

The following system variables appear in the readvar (rv) billboard.
Note: Not all variables are displayed in some configurations.


Variable     Description
associd      association ID
status       peer status word (code)
version      NTP software version and build time
processor    hardware platform and version
system       operating system and version
leap         leap warning indicator (0-3)
stratum      stratum (1-15)
precision    precision (log2 s)
rootdelay    total roundtrip delay to the primary reference clock
rootdisp     total dispersion to the primary reference clock
peer         system peer association ID
tc           time constant and poll exponent (log2 s) (3-17)
mintc        minimum time constant (log2 s) (3-10)
clock        date and time of day
refid        reference ID or kiss code
reftime      reference time
offset       offset of server relative to this host
sys_jitter   combined system jitter
frequency    frequency offset (PPM) relative to hardware clock
clk_wander   clock frequency wander (PPM)
clk_jitter   clock jitter
tai          TAI-UTC offset(s)
leapsec      NTP seconds when the next leap second is/was inserted
expire       NTP seconds when the NIST leapseconds file expires

NTP Mode 6 packets (ntpq)

ntpq uses NTP mode 6 packets to communicate with, and query, an NTP daemon (ntpd) that permits it. Mode 6 packets are UDP packets, transmitted and received over port 123/UDP. These packets use the same overall structure (header, plus extension, plus optional MAC) as time synchronisation messages; however, the layout and semantics of the header fields are different. They are distinguished from time synchronisation packets by the Mode field in the first octet of the NTP header, which has the value 6 (binary 110).
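The following added example (not code from the original page or from the ntp project) shows the mode 6 header layout described above in working code: it encodes a 'readvar' request as ntpq sends it, decodes a reply, distinguishes mode 6 control traffic from time synchronisation packets by the Mode field, extracts the variable list from the reply text, and measures the payload bytes returned per byte sent, which is what the Bandwidth Amplification Factor quoted above describes. The sample reply data is constructed from the ntpq -c rv output quoted later on this page; the page's 30.0:1 figure is a measured average across servers, so a single constructed reply will not reproduce it. Field names and the helper functions are this example's own.

```python
import struct

# NTP mode 6 (control) header per RFC 5905 section 7.4 and ntpd's ntp_control.h.
# Added example, not code from the page; constants and helpers are this example's own.
MODE_CONTROL = 6                       # Mode field value used by ntpq control packets
CTL_OP_READVAR = 2                     # opcode behind the 'readvar' (rv) command
CTL_HEADER = struct.Struct("!BBHHHHH")  # li_vn_mode, r_e_m_op, sequence, status, assoc id, offset, count


def build_readvar_request(assoc_id=0, sequence=1, version=2):
    """Encode the 12-byte header an ntpq 'rv' query sends (count=0, no data)."""
    li_vn_mode = (0 << 6) | (version << 3) | MODE_CONTROL
    return CTL_HEADER.pack(li_vn_mode, CTL_OP_READVAR, sequence, 0, assoc_id, 0, 0)


def build_readvar_response(data, status, assoc_id=0, sequence=1, version=2):
    """Encode a single-fragment readvar reply: R bit set, 'count' data bytes, padded to 4."""
    li_vn_mode = (0 << 6) | (version << 3) | MODE_CONTROL
    r_e_m_op = 0x80 | CTL_OP_READVAR   # R=1 response, E=0 no error, M=0 last fragment
    pad = (-len(data)) % 4
    return CTL_HEADER.pack(li_vn_mode, r_e_m_op, sequence, status, assoc_id, 0, len(data)) + data + b"\0" * pad


def parse_ntp_packet(pkt):
    """Classify a UDP/123 payload by its Mode field; decode the control header for mode 6."""
    if not pkt:
        raise ValueError("empty packet")
    mode = pkt[0] & 0x07
    version = (pkt[0] >> 3) & 0x07
    if mode != MODE_CONTROL:
        # Time synchronisation packet (modes 1-5) or other; its header layout differs
        return {"mode": mode, "version": version, "control": False}
    if len(pkt) < CTL_HEADER.size:
        raise ValueError("truncated mode 6 header")
    _, r_e_m_op, sequence, status, assoc_id, offset, count = CTL_HEADER.unpack_from(pkt)
    data = pkt[CTL_HEADER.size:CTL_HEADER.size + count]
    if len(data) != count:
        raise ValueError("count field exceeds packet length")
    return {
        "mode": mode, "version": version, "control": True,
        "response": bool(r_e_m_op & 0x80), "error": bool(r_e_m_op & 0x40),
        "more": bool(r_e_m_op & 0x20), "opcode": r_e_m_op & 0x1F,
        "sequence": sequence, "status": status, "assoc_id": assoc_id,
        "offset": offset, "count": count, "data": data,
    }


def is_readvar_query(pkt):
    """True for an inbound ntpq 'rv' request: mode 6, opcode READVAR, R bit clear."""
    info = parse_ntp_packet(pkt)
    return info["control"] and info["opcode"] == CTL_OP_READVAR and not info["response"]


def parse_readvar_data(data):
    """Split 'name=value, name="v, w"' reply text into a dict; commas inside quotes are kept."""
    text = data.decode("ascii", errors="replace")
    items, current, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            items.append("".join(current))
            current = []
        else:
            current.append(ch)
    items.append("".join(current))
    variables = {}
    for item in items:
        item = item.strip()          # also drops the \r\n line breaks ntpd inserts
        if "=" in item:
            name, value = item.split("=", 1)
            variables[name.strip()] = value.strip().strip('"')
    return variables


def amplification_factor(request, response):
    """UDP payload bytes returned per payload byte sent (the usual basis of a BAF)."""
    return len(response) / len(request)


# Constructed sample reply data, abridged from the ntpq -c rv output quoted on this page.
SAMPLE_DATA = (
    b'version="4", processor="unknown", system="UNIX", leap=00, stratum=2,\r\n'
    b'precision=-10, rootdelay=0.997, rootdisp=41.357, refid=80.233.123.170,\r\n'
    b'clk_jitter=3.681, clk_wander=0.001'
)
SAMPLE_STATUS = 0x062C   # system status word shown on the page (leap_none, sync_ntp, ...)

if __name__ == "__main__":
    req = build_readvar_request()
    resp = build_readvar_response(SAMPLE_DATA, SAMPLE_STATUS)
    print("readvar query:", is_readvar_query(req), "request", len(req), "bytes")
    print("reply", len(resp), "bytes, BAF %.1f:1" % amplification_factor(req, resp))
    print(parse_readvar_data(parse_ntp_packet(resp)["data"]))
```

The same Mode-field test is what a capture filter or IDS rule needs to separate mode 6 control queries from ordinary client/server time traffic on port 123/UDP: a 12-byte request with no data that draws a multi-line reply is the pattern behind the amplification figure.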

Verification

To establish whether a host has an Internet accessible service, simple utility programs or tools included with a standard Linux/Ubuntu distribution can be utilised. The test should not be run on the host itself or from the local network; instead, it should be run from a different node on the Internet.

To discover the ntpd software version of an Internet accessible NTP Version service, the 'Nmap' open source network scanner utility program can be utilised.

Nmap is used to discover hosts and services on a computer network by sending packets and analysing the responses.

Insert the IP address of the host you wish to check for an Internet Accessible NTP Version service when invoking the 'Nmap' open source network scanner utility program together with the options included in the following example.

$ sudo nmap -sU -p 123 -Pn --script ntp-info xxx.xxx.xxx.xxx

An Internet Accessible NTP Version service listening on port 123/UDP and configured with a ntpd software version of 4.2.7p26 or greater will return information similar to that shown below:

$ sudo nmap -sU -p 123 -Pn --script ntp-info xxx.xxx.xxx.xxx
Starting Nmap 7.80 ( https://nmap.org ) at 2021-12-04 03:02 GMT
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.00015s latency).
PORT    STATE SERVICE
123/udp open  ntp
| ntp-info:
|   receive time stamp: 2021-12-04T12:03:02
|   version: ntpd 4.2.8-a Sat Dec  4 03:42:26 UTC 2018 (1)
|   processor: powerpc
|   system: JUNOS14.1X53-D47.6
|   leap: 0
|   stratum: 6
|   precision: -18
|   rootdelay: 23.778
|   rootdispersion: 64.680
|   peer: 47156
|   refid: xxx.xxx.xxx.xxx
|   reftime: 0xe538d4d2.a78b0e1d
|   poll: 10
|   clock: 0xe538d64d.22f9f705
|   state: 4
|   offset: -1.407
|   frequency: -0.671
|   jitter: 1.600
|_  stability: 0.086\x0D
Service Info: OS: JUNOS14.1X53-D47.6
Nmap done: 1 IP address (1 host up) scanned in 0.97 seconds

Options
sudo      :root privileges are required for this scan type.
-sU       :UDP Scan.
-p 123    :scan specified port - 123.
-Pn       :No Ping.
--script  :Run a nmap script scan.
ntp-info  :nmap script that obtains time and configuration variables from an NTP server.

To request and print a list of configuration system variables from an NTP daemon (ntpd), an ntpq query that includes the control message command 'readvar' (rv) as a command line argument is used.

An Internet Accessible NTP Version service listening on port 123/UDP and configured with a ntpd software version of 4.2.7p26 or greater will return information similar to that shown below:

$ ntpq -c rv xxx.xxx.xxx.xxx
associd=0 status=062c leap_none, sync_ntp, 2 events, clock_step,
version="4", processor="unknown", system="UNIX", leap=00, stratum=2,
precision=-10, rootdelay=0.997, rootdisp=41.357, refid=80.233.123.170,
reftime=e537adb1.6e147c10  Thu, Nov 11 2021 14:56:49.430,
clock=e537b64c.63d70b50  Thu, Nov 11 2021 15:33:32.390, peer=18988,
tc=10, mintc=3, offset=-6.320, frequency=-54.039, sys_jitter=0.976,
clk_jitter=3.681, clk_wander=0.001

Standard NTP query program
ntpq   :Standard NTP query program.

Options
sudo   :Elevated privileges are required to access raw sockets.
-c     :The following argument is interpreted as an interactive format command.
rv     :Abbreviation of readvar; display the specified system variables.

Solution

To prevent queries from the standard NTP query program ntpq, Access Control Commands can be inserted into the NTP daemon (ntpd) configuration file, /etc/ntp.conf. These commands prevent queries from both NTP query programs, ntpq and ntpdc.

Insert the following Access Control Commands into the file /etc/ntp.conf

restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

Access Control Commands
restrict  :Restrict or control access to the NTP service.
-4        :Force DNS resolution of following host name on command line to IPv4 namespace.
-6        :Force DNS resolution of following host name on command line to IPv6 namespace.
default   :Text string, with no mask option, is used to indicate the default entry. (address 0.0.0.0, mask 0.0.0.0)
kod       :Kiss-o'-Death (KoD) packet sent to reduce unwanted queries.
notrap    :Deny ntpdc control message protocol traps.
nomodify  :Deny ntpq and ntpdc queries which attempt to modify the state of the NTP (ntpd) server.
nopeer    :Deny unauthenticated packets which would result in mobilizing a new association.
noquery   :Deny ntpq and ntpdc queries.  Time service is not affected.

Restart the NTP service for the access control commands inserted into the configuration file /etc/ntp.conf to take effect.

/etc/init.d/ntp restart

Alternatively

Access Control Commands can be inserted into the NTP daemon (ntpd) configuration file, /etc/ntp.conf to ignore all packets, including ntpq and ntpdc queries.

In addition, a Miscellaneous option can also be inserted into the NTP daemon (ntpd) configuration file, /etc/ntp.conf, that will prevent the NTP daemon (ntpd) from listening for a message from a broadcast or multicast server.

Insert the following Access Control Commands and Miscellaneous options in the configuration file /etc/ntp.conf

restrict -4 default ignore
restrict -6 default ignore
disable bclient

Access Control Commands
restrict  :Restrict general access to the NTP service.
-4        :Force DNS resolution of following host name on command line to IPv4 namespace.
-6        :Force DNS resolution of following host name on command line to IPv6 namespace.
default   :Text string, with no mask option, is used to indicate the default entry.
ignore    :Ignore all packets - including ntpq and ntpdc queries.

Miscellaneous Options
disable   :Disable a server option.
bclient   :Prevent the server from listening for a message from a broadcast or multicast server.

Restart the NTP service for the access control commands and miscellaneous options inserted in /etc/ntp.conf to take effect.

/etc/init.d/ntp restart
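As an added check that is not part of the original page or of the ntp project, the following example audits an ntp.conf for the two solutions above: it parses the restrict lines, combines the flags that apply to the 'default' entry of each address family (a line without -4 or -6 is taken to apply to both), and reports a family as still answering ntpq 'readvar' queries unless its default entry carries noquery or ignore. The sample configurations are constructed for the test; the function names are this example's own, and handling of 'mask' entries and of repeated default lines (flags are combined) is a simplifying assumption rather than a statement of ntpd's full restrict semantics.

```python
import shlex

# Added example; not the page's or the ntp project's code. Assumptions are marked.
BLOCKING_FLAGS = {"noquery", "ignore"}   # either flag stops ntpd answering ntpq/ntpdc queries


def parse_restrict_lines(conf_text):
    """Yield (family, address, flags) for each 'restrict' line, ignoring comments.

    family is 'ipv4' (-4), 'ipv6' (-6) or 'any' (neither given). Assumption: an
    optional 'mask x.x.x.x' after the address is skipped; only flag words are kept.
    """
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        words = shlex.split(line)
        if not words or words[0] != "restrict":
            continue
        words = words[1:]
        family = "any"
        if words and words[0] in ("-4", "-6"):
            family = "ipv4" if words[0] == "-4" else "ipv6"
            words = words[1:]
        if not words:
            continue                             # malformed line: no address
        address, rest = words[0], words[1:]
        if rest[:1] == ["mask"] and len(rest) >= 2:
            rest = rest[2:]
        yield family, address, set(rest)


def audit_default_restrictions(conf_text):
    """Return {'ipv4': bool, 'ipv6': bool}; True means the family's default entry
    carries noquery or ignore, so Internet hosts receive no readvar reply."""
    flags_by_family = {"ipv4": set(), "ipv6": set()}
    for family, address, flags in parse_restrict_lines(conf_text):
        if address != "default":
            continue                             # host-specific entries do not change the default
        targets = ("ipv4", "ipv6") if family == "any" else (family,)
        for fam in targets:
            flags_by_family[fam] |= flags        # assumption: repeated default lines combine
    return {fam: bool(flags & BLOCKING_FLAGS) for fam, flags in flags_by_family.items()}


def findings(conf_text):
    """Human-readable list of families whose default entry still answers mode 6 queries.
    An ntp.conf with no default restriction at all is reported for both families."""
    return [
        f"{fam}: default restrict entry lacks noquery/ignore; ntpq readvar queries will be answered"
        for fam, blocked in audit_default_restrictions(conf_text).items() if not blocked
    ]


# Constructed sample configurations (not taken from any real host).
HARDENED_CONF = """\
# first solution from this page
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
"""
IGNORE_ALL_CONF = """\
restrict -4 default ignore
restrict -6 default ignore
disable bclient
"""
WEAK_CONF = """\
# noquery dropped from the IPv4 entry, e.g. by a hand edit
restrict -4 default kod notrap nomodify nopeer
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
"""
PLAIN_DEFAULT_CONF = "restrict default noquery limited kod\n"

if __name__ == "__main__":
    for name, conf in [("hardened", HARDENED_CONF), ("ignore-all", IGNORE_ALL_CONF),
                       ("weak", WEAK_CONF), ("plain", PLAIN_DEFAULT_CONF)]:
        print(name, audit_default_restrictions(conf), findings(conf))
```

Run the audit against the configuration file before restarting the service; an empty finding list for both families is the state the two solutions above aim for. Verification from an external node with the ntpq command shown in the Verification section remains the final confirmation, since a restrict line only takes effect once ntpd has re-read the file.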

Supplementary Information

Ingress & Egress Filtering

Filter             Description
Ingress Filtering  Ingress filtering is a simple and effective method to limit the impact of DoS attacks, by denying traffic with a forged IP source address (IP spoofing) access to the network, and to help ensure that traffic is traceable to its correct network.
Egress Filtering   Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations, by preventing traffic with a forged source (spoofed) IP address from leaving the network.

The implementation of best practice in relation to Ingress filtering limits the impact of a Denial of Service (DoS) attack on one's own network, while the implementation of best practice in relation to Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations. Additional information on Ingress & Egress Filtering can be found at the following link - Ingress & Egress Filtering

UDP Based Denial-of-Service (DoS) Attack

The User Datagram Protocol (UDP), a generic carrier for several higher-level protocols, has a number of properties that make it susceptible to exploitation for DoS attacks against third parties. Additional information on the components and techniques deployed in a UDP-based DoS attack can be found at the following link - UDP Based Denial-of-Service (DoS) Attack

Additional Information

RFC1305 - NTP Version 3: Specification, Implementation and Analysis
RFC5905 - NTP Version 4: Protocol and Algorithms Specification
Shadowserver - Open NTP Version (Mode 6) Scanning Project
IETF - Network Time Protocol Best Current Practices
ntpq - standard NTP query program
FreeBSD Manual Pages - ntp.conf
NTPD Access Restrictions
NCSAM - Understanding UDP Amplification Vulnerabilities Through Rapid7 Research
Carnegie Mellon University - NTP can be abused to amplify DoS attack traffic
Nmap.org - File ntp-monlist
CVE-2013-5211
Professor David L. Mills - University of Delaware - Site Map
Network Time Protocol (NTP)