Although some people might take this tool and a list of NTP servers and use it to generate a DDoS against a site or service, it's worth seeing just how simple these attacks are by examining this tool.
They are trivial to perform and the solution, BCP38, needs to be rolled out.
If its so trivial why stress about me releasing it? I figured out how to write the attack from rfcs, wireshark and reports about attacks in early January. Also you can only launch an attack from somewhere that doesn't drop invalid udp packets (windows machines post XPSP2 and many consumer level ISPs) so it has skid protection naturally. To attack with this effectively someone could spawn a AWS instances id imagine.
Imagine my surprise as I was enjoying my cereal this morning and saw this on HN.
Trivial for us doesn't mean trivial for everybody.
More specifically not really trivial for people who might use it irresponsibly because they don't understand the circumstances but hey it's just so easy.
I'm of the philosophy that there needs to be a barrier for entry sometimes.
I'm unsure what you're hoping to accomplish by releasing this?
Also, you (or whoever 'DaRkReD' is, referenced in the script comments), released this on 01-22-2014 to hackforums.com. Personally, I find arming the script kiddies to be inexcusable behavior.
From the hackforums post:
> NTP has a feature called monlist which lists recent clients. Asking for the monlist takes about 90 bytes, the monlist is about 1640 bytes and since NTP is UDP we can spoof the IP origin and those 1640 bytes will go to your target of choice. As a result we have an 18x amplification attack so for every 1 byte you get sent you get 18 bytes sent to the target your home internet can now DOS 18x faster!
AWS, along with other cloud providers such as Rackspace or Digital Ocean have specific detection techniques for DDoS from their servers, in order to maintain legal and reasonable use of their resources.
Also, that's not very responsible to release this script on HackForums, the home of every script kiddie around Internet.
No, what this is exposing is a threat like the DNS DDoS amplification. He sends NTP servers small packets, spoofing the sender address (UDP), and the server sends big response to the target (the spoofed sender address).
This allows to send a much bigger DDoS from a less powerful uplink.
The target can't just firewall a port, as it does not rely on NTP being running on the target, but on some other unprotected machines.
On the plus side, I would imagine there are relatively limited number of NTP servers (at least compared to DNS when DDoS amplification attacks first caught on)
You would wrong. Dedicated NTP servers yes, but there are things like routers, IPMI controllers, and firewalls that run the NTPD server. Even a bunch of linux distributions were shipping vulnerable daemons until a few weeks ago.
Anyone that's done '<package manager> install ntp' has the potential to be vulnerable, depending on configuration.
It's not a firewall problem. The target's server load will probably not even increase. But the pipe will be completely filled with bogus NTP responses. Legit traffic will barely trickle through whatever pipe you give it.
If you're concerned your NTP servers may have the monlist command enabled and therefore be available for attackers to use to mount these reflection attacks there is a Nessus plugin to check for this: http://www.tenable.com/plugins/index.php?view=single&id=7178...
29 comments
[ 2.7 ms ] story [ 61.7 ms ] threadAlthough some people might take this tool and a list of NTP servers and use it to generate a DDoS against a site or service, it's worth seeing just how simple these attacks are by examining this tool.
They are trivial to perform and the solution, BCP38, needs to be rolled out.
http://blog.cloudflare.com/understanding-and-mitigating-ntp-...
At least there isn't a supplied list of ntp servers.
Imagine my surprise as I was enjoying my cereal this morning and saw this on HN.
More specifically not really trivial for people who might use it irresponsibly because they don't understand the circumstances but hey it's just so easy.
I'm of the philosophy that there needs to be a barrier for entry sometimes.
Also, you (or whoever 'DaRkReD' is, referenced in the script comments), released this on 01-22-2014 to hackforums.com. Personally, I find arming the script kiddies to be inexcusable behavior.
From the hackforums post:
> NTP has a feature called monlist which lists recent clients. Asking for the monlist takes about 90 bytes, the monlist is about 1640 bytes and since NTP is UDP we can spoof the IP origin and those 1640 bytes will go to your target of choice. As a result we have an 18x amplification attack so for every 1 byte you get sent you get 18 bytes sent to the target your home internet can now DOS 18x faster!
Also, that's not very responsible to release this script on HackForums, the home of every script kiddie around Internet.
https://www.us-cert.gov/ncas/alerts/TA14-013A
> #Magic Packet aka NTP v2 Monlist Packet
> data=str("\x17\x00\x03\x2a") + str("\x00")*4
> packet = IP(dst=ntpserver,src=target)/UDP(sport=48947,dport=123)/Raw(load=data) #BUILD IT
This allows to send a much bigger DDoS from a less powerful uplink.
The target can't just firewall a port, as it does not rely on NTP being running on the target, but on some other unprotected machines.
Anyone that's done '<package manager> install ntp' has the potential to be vulnerable, depending on configuration.
https://labs.ripe.net/Members/mirjam/ntp-reflections
templates from the team cymru guys to secure your ntp installations, which have also been around a while.
http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-t...