“NTP Reflection” Attacks (and Cryptocat)

In the weeks leading up to Christmas, attackers apparently discovered the NTP ‘monlist’ command and started using it to launch attacks en masse.

What is NTP ‘monlist’? First of all, NTP (Network Time Protocol) is meant to sync the clocks between different computers. When an OSX machine asks whether to get the time from Cupertino, it uses NTP.

NTP is the kind of thing you set up once and never touch again. Fine if you’re just running a laptop (though why you want to be connecting to Cupertino regularly is beyond me, who knows what the NSA could do to ya).

If you’re running a server, that can be a little more of a problem. “Set and forget” means you don’t update it, which means old security holes hang around. And if most people have these holes hanging around then those holes get exploited in large numbers.

Enter the NTP protocol’s ‘monlist’ command. What does monlist do? The dumbest damn feature you could ever program into an unauthenticated system. It tells you the last 600 people who used the server.

This is kind of like buying something from a web shop, and asking “oh by the way could you give me the names and addresses of the last 600 people that bought from you.” And the web shop duly complying.

Aaanyway, as you can imagine the list is pretty long. Sometimes multi-megabytes long. On the other hand, all it takes to trigger this multi-megabyte reply is a couple of bytes’ worth of request.

We now have a situation where there’s some serious asymmetry. Send out bytes, get back megabytes. It’s like a byte multiplier!

How to make it do something nefarious? Easy. Send out the request, but forge the return address. Like sending a nasty letter to someone in authority but writing down your enemy’s return address on the envelope, all of a sudden a large pile of crap gets dumped on their doorstep.

For DDoS purposes, this process just gets automated. Instead of one request, the software puts in a couple billion.

The biggest facepalm here is the latest version of NTP eliminates ‘monlist’ entirely. So if people kept their servers up to date it wouldn’t have been an issue.

Cryptocat: Grr. In case you thought the US Government wasn’t obsessed about influencing any effort to bring crypto-to-the-masses… Cryptocat’s in a similar situation to Tor, getting the bulk of their funding from Radio Free Asia (i.e., the CIA) and the rest from the New America Foundation via OpenITP.

Srsly? The world needs a few more Cryptophone+Wau Holland Foundations. (the Wau Holland Foundation is the CCC’s answer to “how to fund hacker stuff without asking for CIA/government money,” and I assume — but don’t know — that part of their operating income comes from closely associated commercial ventures like Cryptophone. It looks like the Omidyar “First Look” venture will be using this same two-part “commercial venture to fund nonprofit” architecture, which is good, but we need more of ’em. Moar capitalism to smash the system! Err, wait…) https://crypto.cat/documents/report-1213.pdf


“NTP is the Network Time Protocol, it is a relatively obscure protocol that runs over port 123 UDP and is used to sync time between machines on a network. If you have ever set up a home computer or server and been asked which time server you want to use, that is an NTP connection.

NTP is one of those set-it-and-forget-it protocols that is configured once and most network administrators don’t worry about it after that. Unfortunately, that means it is also not a service that is upgraded often, leaving it vulnerable to these reflection attacks.

How do NTP reflection attacks work?

Similar to DNS amplification attacks, the attacker sends a small forged packet that requests a large amount of data be sent to the target IP Address.

In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older versions of NTP that sends the requester a list of the last 600 hosts who have connected to that server. For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic[…]

How can you protect your servers? The easiest way is to update to NTP version 4.2.7, which removes the monlist command entirely. If upgrading is not an option, you can start the NTP daemon with noquery enabled in the NTP conf file. This will disable access to mode 6 and 7 query packets (which includes monlist).

By disabling monlist, or upgrading so the command is no longer there, not only are you protecting your network from unwanted reconnaissance, but you are also protecting your network from inadvertently being used in a DDoS attack.”
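One way to check the noquery mitigation described in the quoted advice, as an added example (not code from the original post or from the NTP project): a small audit of the `restrict` lines in an ntp.conf that reports who can still send mode 6/7 queries. The sample configs are constructed, and treating a bare `restrict default` as covering both IPv4 and IPv6 is an assumption.

```python
import ipaddress
# Constructed sample configurations (not taken from the original page).
WEAK_CONF = """\
server 0.pool.ntp.org iburst
restrict 127.0.0.1
"""
HARDENED_CONF = """\
server 0.pool.ntp.org iburst
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

def parse_restrict(conf_text):
    """Yield (family, target, flags) for each 'restrict' line, comments stripped."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        family = args.pop(0) if args[0] in ("-4", "-6") else None
        if args:
            target, flags = args[0], args[1:]
            flags = flags[2:] if flags[:1] == ["mask"] else flags  # skip 'mask <netmask>'
            yield family, target, set(flags)

def is_loopback(target):
    try:
        return ipaddress.ip_address(target).is_loopback
    except ValueError:  # hostname or other non-literal target
        return False

def audit(conf_text):
    """Return findings about who may still send mode 6/7 queries (incl. monlist)."""
    findings, default_seen = [], {"-4": False, "-6": False}
    for family, target, flags in parse_restrict(conf_text):
        blocked = bool(flags & {"noquery", "ignore"})
        if target == "default":
            # Assumption: a bare 'restrict default' covers both address families.
            for fam in ([family] if family else ["-4", "-6"]):
                default_seen[fam] = True
                if not blocked:
                    findings.append(f"default {fam}: noquery missing")
        elif not blocked and not is_loopback(target):
            # ntpd applies the most specific matching entry, so this overrides default.
            findings.append(f"{target}: queries still allowed (no noquery)")
    findings += [f"default {fam}: no restrict line, queries open to all"
                 for fam, seen in default_seen.items() if not seen]
    return findings
```

An empty list from `audit()` means every non-loopback source matches an entry carrying `noquery` (or `ignore`); a more specific `restrict` entry without `noquery` is reported because it overrides the default for that network.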
