On Thursday, 21 November 2013 11:42:39 UTC-5, Rudolf E. Steiner wrote:
> Hi.
>
> We have strong reflection attacks on our public timeserver ("ntpd 4.2.6p5").
>
> The strange behavior is that the server receives one packet and sends 100 packets
> to the target.
>
> Incoming packet:
>
> ----- begin -----
> Network Time Protocol (NTP Version 2, private)
> Flags: 0x17
> 0... .... = Response bit: Request (0)
> .0.. .... = More bit: 0
> ..01 0... = Version number: NTP Version 2 (2)
> .... .111 = Mode: reserved for private use (7)
>
> Auth, sequence: 0
> 0... .... = Auth bit: 0
> .000 0000 = Sequence number: 0
>
> Implementation: XNTPD (3)
>
> Request code: MON_GETLIST_1 (42)
> ----- end -----
>
> First outgoing packet:
>
> ----- begin -----
> Network Time Protocol (NTP Version 2, private)
> Flags: 0xd7
> 1... .... = Response bit: Response (1)
> .1.. .... = More bit: 1
> ..01 0... = Version number: NTP Version 2 (2)
> .... .111 = Mode: reserved for private use (7)
>
> Auth, sequence: 0
> 0... .... = Auth bit: 0
> .000 0000 = Sequence number: 0
>
> Implementation: XNTPD (3)
>
> Request code: MON_GETLIST_1 (42)
> ----- end -----
>
> Second outgoing packet:
>
> ----- begin -----
> Network Time Protocol (NTP Version 2, private)
> Flags: 0xd7
> 1... .... = Response bit: Response (1)
> .1.. .... = More bit: 1
> ..01 0... = Version number: NTP Version 2 (2)
> .... .111 = Mode: reserved for private use (7)
>
> Auth, sequence: 1
> 0... .... = Auth bit: 0
> .000 0001 = Sequence number: 1
>
> Implementation: XNTPD (3)
>
> Request code: MON_GETLIST_1 (42)
> ----- end -----
>
> [...]
>
> Last outgoing packet:
>
> ----- begin -----
> Network Time Protocol (NTP Version 2, private)
> Flags: 0x97
> 1... .... = Response bit: Response (1)
> .0.. .... = More bit: 0
> ..01 0... = Version number: NTP Version 2 (2)
> .... .111 = Mode: reserved for private use (7)
>
> Auth, sequence: 99
> 0... .... = Auth bit: 0
> .110 0011 = Sequence number: 99
>
> Implementation: XNTPD (3)
>
> Request code: MON_GETLIST_1 (42)
> ----- end -----
>
> This means the attacker sends _one_ packet and gets _100_ packets to his
> target.
>
> How can I disable this behavior of ntpd?
>
> --
> Rudolf E. Steiner
> [email protected]
We got hit by the same thing today, right around noon. I don't have detailed
packet captures like Rudolf (thanks for that, BTW) but my 100Mbps pipe was
completely filled from these requests. Shutting down NTP on my two public
servers stopped it.
I've since implemented Michael's suggestion and I will be re-opening port 123
in the firewall... maybe later...
Ian
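As an added example (not part of the thread, and not ntpd's own code), here is a small Python decoder for the 4-byte NTP mode 7 header laid out in the dissections above, run over constructed datagrams that mirror the capture (one MON_GETLIST_1 request, 100 response fragments with the More bit cleared only on sequence 99) to compute the response-to-request ratio a defender would alert on. The addresses, the zero padding after the header and the function names are assumptions.

```python
from collections import defaultdict
from typing import Optional

MODE_PRIVATE = 7          # mode 7 = "reserved for private use" in the dissection
REQ_MON_GETLIST_1 = 42    # request code shown in every packet above

def parse_mode7_header(payload: bytes) -> Optional[dict]:
    """Decode the 4-byte header of an NTP mode 7 datagram.
    Byte 0: R(esponse) bit, M(ore) bit, 3-bit version, 3-bit mode.
    Byte 1: A(uth) bit, 7-bit sequence number. Byte 2: implementation (3 = XNTPD).
    Byte 3: request code. Returns None for anything that is not mode 7."""
    if len(payload) < 4:
        return None
    flags, auth_seq, impl, req = payload[:4]
    if flags & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(flags & 0x80),
        "more": bool(flags & 0x40),
        "version": (flags >> 3) & 0x07,
        "auth": bool(auth_seq & 0x80),
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request_code": req,
    }

def monlist_ratio(datagrams):
    """Count MON_GETLIST_1 requests arriving at a server and response fragments it
    emits, keyed by (client-or-victim address, server address). A response count
    far above the request count is the reflection pattern described in the thread."""
    stats = defaultdict(lambda: [0, 0])
    for src, dst, payload in datagrams:
        h = parse_mode7_header(payload)
        if h is None or h["request_code"] != REQ_MON_GETLIST_1:
            continue
        if h["response"]:
            stats[(dst, src)][1] += 1    # server -> (spoofed) client address
        else:
            stats[(src, dst)][0] += 1    # client address -> server
    return {k: tuple(v) for k, v in stats.items()}

# Constructed sample mirroring the captures above: one request, then 100 response
# fragments with sequence 0..99; only the last one has the More bit cleared.
VICTIM, SERVER = "198.51.100.7", "203.0.113.5"   # placeholder documentation addresses
SAMPLE = [(VICTIM, SERVER, bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4))]
for seq in range(100):
    flags = 0x97 if seq == 99 else 0xD7
    SAMPLE.append((SERVER, VICTIM, bytes([flags, seq, 0x03, 0x2A]) + bytes(4)))
```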
_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions