Overview
Network Time Protocol (NTP) is an Internet standard protocol used to synchronize the clocks of networked devices to a common time reference. It runs over UDP port 123 and can synchronize the clocks of many distributed servers and clients, so that all devices on the Internet keep the same time. Because UDP involves no handshake, an NTP server cannot verify the source address of a request, which is what makes the reflection attack described below possible.
Description
Attack mechanism
- Identify the targets of the attack: the victim (the attack object) and the NTP servers on the network that will serve as reflectors.
- Spoof the source IP address of clock synchronization requests so that it is the victim's address, and send the requests to the NTP servers. Each server sends its reply to the spoofed address, that is, to the victim rather than to the attacker. Attackers send requests that carry the monlist command, which greatly increases the volume of the reflected traffic and therefore the severity of the attack.
NTP includes a monlist feature, a mode 7 (ntpdc) control command used to monitor NTP servers, and this feature can be abused for amplification. When an NTP server responds to a monlist request, it returns the IP addresses of the last 600 clients that synchronized time with it. The server splits the response into packets of six entries each, so a single monlist request can trigger up to 100 response packets, all of which are sent to the spoofed address. The victim is therefore flooded with an amplified volume of UDP traffic.
Laboratory tests show that for a 234-byte request packet, each response packet is 482 bytes long, so the traffic is amplified about 206 times. This result is calculated with the following formula: 482 × 100 / 234 ≈ 206. This is the worst case, reached when the server's client list is full (600 entries); a server that has served fewer clients returns proportionally fewer packets, and a server that has disabled monitoring returns none. The high volume of traffic overwhelms the victim's network, and its services become unavailable.
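The following Python script is an added example and is not code from the original page. It builds the 8-byte mode-7 monlist probe, decodes a monlist reply into the client entries it carries, and computes the amplification factor for a given client-list size; the response it decodes is constructed inline (not captured traffic), and the entry layout is assumed from ntpd's info_monitor_1 structure (72 bytes per entry, six entries per datagram). The probe_monlist function is included so that a practitioner can verify, against a server they are authorised to test, that the server no longer answers; it is not called by the offline demo.

```python
"""Build and decode NTP mode-7 monlist traffic.

Added example, not code from the original page. Assumes the classic 8-byte
monlist probe (implementation 3 = XNTPD, request code 42 = MON_GETLIST_1)
and the 72-byte info_monitor_1 entry layout from ntpd's ntp_request.h.
The response used in the demo is constructed by hand, not captured traffic.
"""
import math
import socket
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Optional

NTP_PORT = 123
MODE_PRIVATE = 7             # mode 7 = "private" control requests, the mode ntpdc uses
IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 42
MON_ENTRY_SIZE = 72          # sizeof(struct info_monitor_1)
ENTRIES_PER_PACKET = 6       # six entries (432 bytes of data) per response datagram
MAX_MON_ENTRIES = 600        # ntpd keeps the last 600 clients in its MRU list
HEADER = "!BBBBHH"           # rm_vn_mode, auth_seq, implementation, request, err/nitems, mbz/itemsize
ENTRY_PREFIX = "!IIIIIIIHBB" # first 32 bytes of info_monitor_1 (the IPv4 fields)


def build_monlist_request() -> bytes:
    """The 8-byte probe: response=0, more=0, version=2, mode=7, then XNTPD / MON_GETLIST_1."""
    rm_vn_mode = (2 << 3) | MODE_PRIVATE  # 0x17
    return struct.pack(HEADER, rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_monlist_response(datagram: bytes) -> Dict:
    """Decode one mode-7 monlist reply into its header flags and the client entries it carries."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than the 8-byte mode-7 header")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(HEADER, datagram[:8])
    if rm_vn_mode & 0x07 != MODE_PRIVATE or not rm_vn_mode & 0x80:
        raise ValueError("not a mode-7 response")
    if impl != IMPL_XNTPD or req != REQ_MON_GETLIST_1:
        raise ValueError(f"unexpected implementation/request {impl}/{req}")
    err = err_nitems >> 12             # top 4 bits: error code, 0 = ok
    nitems = err_nitems & 0x0FFF       # low 12 bits: entries in this datagram
    item_size = mbz_itemsize & 0x0FFF
    result = {"error": err, "more": bool(rm_vn_mode & 0x40), "seq": auth_seq & 0x7F, "clients": []}
    if err:
        return result                  # e.g. "no data" once monitoring is disabled
    body = datagram[8:]
    if item_size < 32 or nitems * item_size > len(body):
        raise ValueError("truncated or malformed entry list")
    for i in range(nitems):
        entry = body[i * item_size:(i + 1) * item_size]
        _avg, _last, _restr, count, addr, _daddr, _flags, port, mode, version = struct.unpack(ENTRY_PREFIX, entry[:32])
        result["clients"].append({"addr": str(IPv4Address(addr)), "port": port,
                                  "count": count, "mode": mode, "version": version})
    return result


def amplification_factor(request_bytes: int, response_bytes: int, clients_in_mru: int) -> float:
    """Bytes reflected per byte sent: one datagram per six MRU entries, at most 100 datagrams."""
    packets = math.ceil(min(clients_in_mru, MAX_MON_ENTRIES) / ENTRIES_PER_PACKET)
    return packets * response_bytes / request_bytes


def _mon_entry(addr: str, port: int, count: int) -> bytes:
    """Constructed info_monitor_1 entry (sample data for the demo, not captured traffic)."""
    ipv4_fields = struct.pack(ENTRY_PREFIX, 64, 3, 0, count, int(IPv4Address(addr)), 0, 0, port, 3, 4)
    return ipv4_fields + bytes(MON_ENTRY_SIZE - 32)   # v6_flag, padding and IPv6 fields zeroed


def build_sample_response(entries: List[bytes], more: bool = False, seq: int = 0) -> bytes:
    """Assemble what a server's monlist reply datagram looks like, for offline testing."""
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    header = struct.pack(HEADER, rm_vn_mode, seq, IMPL_XNTPD, REQ_MON_GETLIST_1, len(entries), MON_ENTRY_SIZE)
    return header + b"".join(entries)


def probe_monlist(host: str, timeout: float = 2.0) -> Optional[Dict]:
    """Send one probe to a server you are authorised to test and decode the first reply.
    None means the server did not answer, the expected result once monlist is disabled
    or mode-7 queries are blocked."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_monlist_request(), (host, NTP_PORT))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_monlist_response(data)


if __name__ == "__main__":
    sample = build_sample_response([_mon_entry("192.0.2.10", 123, 41),
                                    _mon_entry("198.51.100.7", 51234, 3)], more=True)
    decoded = parse_monlist_response(sample)
    print("request:", build_monlist_request().hex())
    print("decoded clients:", [c["addr"] for c in decoded["clients"]], "more follows:", decoded["more"])
    print("worst-case amplification with the page's lab figures:", round(amplification_factor(234, 482, 600)))
```

The request is tiny (8 bytes of UDP payload) while each reply carries six 72-byte entries, which is why the amplification is so large; the "more" bit in the reply header is what lets a server chain up to 100 datagrams for a single request.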
Mitigation measures
- Purchase sufficient bandwidth resources so that the network can absorb reflected traffic.
- Use DDoS mitigation services to scrub abnormal inbound traffic and forward only normal traffic to the servers.
- Configure the firewall so that traffic over UDP port 123 is allowed only between the NTP servers and fixed, known IP addresses. In addition, filter packets with spoofed source addresses at the network edge (BCP 38 ingress filtering) so that hosts on your network cannot be used to originate reflection attacks.
- Disable the monlist feature on the NTP server. With the reference ntpd, add "disable monitor" to ntp.conf, or drop mode 6/7 queries from unknown hosts with "restrict default kod nomodify notrap nopeer noquery", then restart ntpd and confirm that a monlist query from an outside address receives no reply.
- Upgrade the NTP server to version 4.2.7p26 or later, which removes the monlist command entirely (the issue is tracked as CVE-2013-5211).
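The following Python script is an added example and is not code from the original page. It implements two of the checks a practitioner would run after applying the measures above: it audits an ntp.conf for the directives that stop monlist answering unknown hosts ("disable monitor" or a default restriction carrying "noquery"), and it decides from an ntpd version string whether the build is at or past 4.2.7p26, where monlist no longer exists. The two configuration files and the version banners are constructed for the demo; the directive semantics assumed are those of the reference ntpd.

```python
"""Audit an ntp.conf and an ntpd version string for monlist exposure.

Added example, not code from the original page. Assumes the reference ntpd's
configuration directives ("disable monitor", "restrict ... noquery") and its
"4.2.7p26"-style version string; the configuration texts and version banners
below are constructed for the demo.
"""
import re
from typing import Dict, Iterator, List, Tuple

MONLIST_REMOVED_IN = (4, 2, 7, 26)       # monlist was removed from ntpd in 4.2.7p26
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntpd_version(text: str) -> Tuple[int, int, int, int]:
    """Extract (major, minor, patch, p-level) from e.g. 'ntpd 4.2.6p5@1.2349-o ...'."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no ntpd version found in {text!r}")
    major, minor, patch, plevel = match.groups()
    return int(major), int(minor), int(patch), int(plevel or 0)


def monlist_removed(version_text: str) -> bool:
    """True when the build is new enough that the monlist command no longer exists."""
    return parse_ntpd_version(version_text) >= MONLIST_REMOVED_IN


def _directives(conf_text: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (keyword, arguments) for every non-comment, non-blank ntp.conf line."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def monlist_exposure(conf_text: str) -> Dict:
    """Decide whether unknown hosts can pull the MRU list through mode-7 queries.

    Either 'disable monitor' (nothing to return) or a default restriction with
    'noquery' (mode 6/7 packets dropped) closes the amplification; both flags are
    reported so the missing one can still be added as defence in depth.
    """
    monitor_disabled = False
    default_noquery = {"ipv4": False, "ipv6": False}
    for keyword, args in _directives(conf_text):
        if keyword == "disable" and "monitor" in args:
            monitor_disabled = True
        elif keyword == "enable" and "monitor" in args:
            monitor_disabled = False
        elif keyword == "restrict" and args:
            families = {"ipv4", "ipv6"}           # a bare 'restrict default' covers both
            if args[0] in ("-4", "-6"):
                families = {"ipv4"} if args[0] == "-4" else {"ipv6"}
                args = args[1:]
            if args and args[0] == "default":
                flags = set(args[1:])
                for family in families:           # the last default restriction wins
                    default_noquery[family] = bool(flags & {"noquery", "ignore"})
    all_noquery = all(default_noquery.values())
    return {"monitor_disabled": monitor_disabled,
            "default_noquery": all_noquery,
            "exposed": not (monitor_disabled or all_noquery)}


WEAK_CONF = """\
# Constructed sample: a stock-looking ntp.conf that still answers monlist from anywhere
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

HARDENED_CONF = """\
# Constructed sample: monitoring off and mode-6/7 queries refused except from known hosts
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap   # monitoring hosts may still query
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, monlist_exposure(conf))
    for banner in ("ntpd 4.2.6p5@1.2349-o", "ntpd 4.2.8p15@1.3728-o"):
        print(banner, "-> monlist removed:", monlist_removed(banner))
```

The weak configuration is the common one: it has "nomodify notrap nopeer" but not "noquery", so the server still answers mode-7 requests from any address. Even on a build where monlist has been removed, keeping "noquery" on the default restriction is worthwhile, because mode 6 and mode 7 queries expose other server state and the MRU list can still be read through the newer mrulist command by hosts that are allowed to query.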
Applicable scope
- Anti-DDoS Pro and Anti-DDoS Premium