Dismantling DRDoS Attacks, the Offensive way

  • Author:xnite
  • Date:2014/02/09
NTP monlist reply packet in wireshark

NTP monlist reply packet in wireshark

Late 2013/Early 2014 we started noticing a new reflected denial of service attack being used in the wild. This has been none other than the NTP amplification attack, which utilizes UDP spoofing to request monlist, which causes the NTPd to send the reply data back to the target host.

As of NTPd 2.7 the ability to request monlist has been removed, and in versions prior to 2.7 monlist can be disabled. In the wild so many NTPd’s have been left available for this reflection attack, so many in fact that the list of about 3,000 NTPd’s has been getting shared around. After analyzing various NTP based attacks, I have gathered a list of almost 3K NTPd’s, many of which are seen in multiple attacks. Since this list of servers appears to be the ones most often used, by making these servers unavailable we could shut down a majority of the DDoS power in these attacks.

I wrote a tool to gather the abuse contact email addresses of each NTPd, and alert them that the systems are being used for malicious purposes.

The program I wrote would analyze the attack logs, determine if each packet was involved in the attack, and then find out if it was a packet sent from an NTP server. For each NTP monlist packet it found, it would look up the IP in the ARIN whois records, and dispatch an email to the abuse contact.

Dear Admin,

The following IP address, %IP_ADDRESS%, which is located on your network has been actively exploited to launch launch a distributed denial of service attack against IP addresses in one or more of the following ranges: %MY_IP_ADDRESS_RANGES%.

The attack was detected as NTP Amplification, and the CVE on the exploited vulnerability can be found here: http://www.cvedetails.com/cve/CVE-2013-5211/.

Please patch, or notify your customer to patch this vulnerability to help make the internet a better place for us all.

If you require any other information, such as TCP Dump logs from the attack, please contact me at %MY_CONTACT_EMAIL%

THIS EMAIL IS NOT ACTIVELY MONITORED, DO NOT REPLY TO THIS EMAIL!!

Since an email was dispatched for each IP address, roughly 3,000 emails were dispatched to alert network administrators across the globe. I had considered the risks of sending out so many emails, especially since many companies would receive potentially hundreds of separate messages from me. I decided to go this route not to be an annoyance, but to get the attention of these companies.

As an employee for an NOC, if you were to look at your department inbox to see so many emails about an issue it’s going to be the first thing on your mind. I wanted to make sure I got their attention, and that this issue would be their top priority. The longer these attack methods are left available, the more damaging they would be to companies such as EA Games, or League of Legends, who were a couple of the first to fall victim to this attack vector.

Within 12 hours of the email campaign, many NOC admins sent replies. Several administrators have already patched their NTPd’s, while many were happy to be notified of the issue.

One particular company had been noticing an increase in traffic, since they house many NTP servers at their data center, and they agreed to even scan their entire network for out-dated NTPd’s to help solve the problem.

Unfortunately one data center, instead of fixing the problem, decided to entirely block NTP traffic on their entire network to mitigate abuse of the service. In another instance, my script had mistakenly contacted the IP registrants contact instead of the abuse contact at a popular cable ISP. This particular ISP actually blocked incoming emails from my domain so that it is now impossible for me to even contact their abuse department.

Another popular DSL provider had replied to our messages as well, and I am happy to announce that their NTP servers have been updated to fix the monlist abuse issue.

I’m not sure if this was policy at the company, or the NOC admin was being a smart-ass (maybe a bit of both), but one company manually replied to each email I sent to let me know that the issue had been solved, complete with a smiley face. This made me chuckle a bit.

Thanks to all of the companies that have been contacted for your understanding, and support in this issue. This has been a very successful awareness campaign, and I am hoping to see many more great results in the days ahead.

In the mean time, if you or your network runs NTP servers, make sure that it is not vulnerable to this attack vector, or you may be seeing an email or two (or several hundred) from me.

See Also: NTP Amplification Attacks Using CVE-2013-5211

Robert Whitney
I'm a geek, gamer and breaker of things. I'm a programmer by day and an apache attack helicopter by night. Some would call me their spirit animal.
Opinions expressed here, even 💩 ones, are my own and do not represent those of my employer or associates.
Referral Links

Using my referral links is the best way to help me pay for my projects and development servers and get something out of it for yourself.

Copyright©2011 - 2018, Robert Whitney; All rights reserved.