The US Internet security organisation CERT has published a warning of increasing DRDoS (Distributed Reflection and amplification DDoS) attacks using Internet Service Providers’ NTP (Network Time Protocol) servers (http://www.kb.cert.org/vuls/id/348126). According to their analysis NTP is the second most widely used vehicle for DDoS attacks (after DNS). In plain language that means: if I want to take a victim’s web site down, I can send a spoofed request to a vulnerable ISP NTP server and have it send a response that is several thousand times larger to my intended victim. That is amplification in action.
A request could look like this:
ntpq -c rv [ip]
The payload is 12 bytes, which is the smallest payload that will elicit a mode 6 response. The response from a delinquent ISP could be this:
associd=0 status=06f4 leap_none, sync_ntp, 15 events, freq_mode, version="ntpd [email protected] Tue Dec 3 11:32:13 UTC 2013 (1)", processor="x86_64", system="Linux/2.6.18-371.6.1.el5", leap=00, stratum=2, precision=-20, rootdelay=0.211, rootdispersion=133.057, peer=39747, refid=xxx.xxx.xxx.xxx, reftime=d6e093df.b073026f Fri, Mar 28 2014 19:35:43.689, poll=10, clock=d6e09aff.0bc37dfd Fri, Mar 28 2014 20:06:07.045, state=4, offset=-17.031, frequency=-0.571, jitter=5.223, noise=19.409, stability=0.013, tai=0
That is only a 34 times amplification. Crafting the request differently could boost attack volumes by up to 5500 times according to CERT. The response shows that this ISP last updated its NTP software in Dec 2013, to version 4.2.2p1. The CERT recommendation is that NTP servers should be running at least version 4.2.7p26.
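To make the request/response asymmetry above concrete from the defender’s side, here is an added example (my own code, not part of the article or of the CERT note) that decodes the NTP mode field of raw packets, flags the unsolicited mode 6 (control, what ntpq sends) and mode 7 (private) requests an open server would reflect, and computes the amplification factor of a request/response pair. The packets are constructed: the 12-byte read-variables request mirrors what ntpq -c rv sends, and the reply carries the status word 06f4 and a shortened version of the variable list quoted above.

```python
"""Classify NTP packets by mode and flag reflectable control/private queries.
Added example; sample packets below are constructed, not captured."""
import struct

MODE_NAMES = {0: "reserved", 1: "symmetric_active", 2: "symmetric_passive",
              3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private"}


def parse_ntp_header(data: bytes) -> dict:
    """Decode version/mode from byte 0 and, for mode 6/7, the response bit."""
    if not data:
        raise ValueError("empty packet")
    first = data[0]
    info = {"version": (first >> 3) & 0x7, "mode": first & 0x7, "length": len(data)}
    info["mode_name"] = MODE_NAMES[info["mode"]]
    if info["mode"] == 6 and len(data) >= 12:
        # Control message header: byte 1 = R|M|E|opcode(5 bits), then five
        # big-endian 16-bit fields (sequence, status, assoc id, offset, count).
        info["response"] = bool(data[1] & 0x80)
        info["opcode"] = data[1] & 0x1F
        (info["sequence"], info["status"], info["assoc_id"],
         info["offset"], info["count"]) = struct.unpack("!HHHHH", data[2:12])
    elif info["mode"] == 7 and len(data) >= 8:
        # Private (ntpdc-style) packets reuse the top two bits of byte 0 as R and M.
        info["response"] = bool(first & 0x80)
        info["implementation"], info["request_code"] = data[2], data[3]
    return info


def is_amplification_query(data: bytes) -> bool:
    """True for a mode 6 or 7 *request*: the traffic an exposed server answers
    with a far larger reply. Ordinary client/server sync (modes 3/4) passes."""
    h = parse_ntp_header(data)
    return h["mode"] in (6, 7) and not h.get("response", True)


def amplification_factor(request: bytes, response: bytes) -> float:
    return len(response) / len(request)


# Constructed 12-byte mode 6 read-variables request (opcode 2), like ntpq -c rv.
SAMPLE_REQUEST = bytes([0x1E, 0x02]) + struct.pack("!HHHHH", 1, 0, 0, 0, 0)
# Constructed reply: response bit set, status 06f4, count = payload length.
_PAYLOAD = (b"associd=0 status=06f4 leap_none, sync_ntp, stratum=2, "
            b"precision=-20, rootdelay=0.211, rootdispersion=133.057")
SAMPLE_RESPONSE = (bytes([0x1E, 0x82])
                   + struct.pack("!HHHHH", 1, 0x06F4, 0, 0, len(_PAYLOAD)) + _PAYLOAD)
# Constructed 48-byte ordinary client poll (mode 3) and an 8-byte mode 7 request.
SAMPLE_CLIENT_POLL = bytes([0x23]) + bytes(47)
SAMPLE_PRIVATE_REQUEST = bytes([0x17, 0x00, 0x03, 0x01]) + bytes(4)

if __name__ == "__main__":
    for name, pkt in [("ntpq request", SAMPLE_REQUEST), ("client poll", SAMPLE_CLIENT_POLL),
                      ("mode 7 request", SAMPLE_PRIVATE_REQUEST)]:
        h = parse_ntp_header(pkt)
        print(f"{name:15s} mode={h['mode_name']:8s} reflectable={is_amplification_query(pkt)}")
    print("amplification x%.1f" % amplification_factor(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

Run on a packet feed from a border sensor, the same filter identifies inbound mode 6/7 requests that a correctly restricted server (noquery) would never need to answer.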
So, how widespread is the problem? The Shadowserver Foundation performs ongoing monitoring of the problem – and at present it has discovered 4.7 million vulnerable NTP servers across the globe (https://ntpscan.shadowserver.org). So this ISP is part of a very large delinquent group of ISPs. The Shadowserver monitoring activity also clearly shows that the problem is most severe in the US, followed by Europe, Japan, South Korea, Russia and China, in that order.
The global map from Shadowserver.org shows the distribution of vulnerable NTP servers – yellow shows the highest density.
Internet safety is clearly a shared responsibility involving all user groups, which means that we as users need to keep our service providers on their toes, and Shadowserver enshrines this principle. It is a volunteer group of professional Internet security workers that gathers, tracks and reports on malware, botnet activity and electronic fraud. It aims to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers and the spread of malware. In this respect, I would like to ‘amplify’ their message.