Monday, June 6, 2016

Sample 2013 NTP Reflection Vulnerability

I see this request a lot. It's an old one and pretty simple to explain.

User Datagram Protocol, Src Port: 42024 (42024), Dst Port: 123 (123)
Network Time Protocol (NTP Version 2, private)
   Flags: 0x17, Response bit: Request, Version number: NTP Version 2, Mode: reserved for private use
   Auth, sequence: 23
   Implementation: XNTPD (3)
   Request code: MON_GETLIST_1 (42)
   0000 .... = Err: No error (0x00)
   .... 0000 0000 0000 = Number of data items: 0
   0000 .... = Reserved: 0x00
   .... 0000 0000 0000 = Size of data item: 0x0000


I believe it's a scan looking for an NTP reflection vulnerability that could then be used for a DDoS attack. At a high level, here's how I understand it. The attacker sends a "mon_getlist" request to port 123, and if the server is running NTP and is vulnerable, the server returns a list of the last X number of IPs that have connected to it.

Why is that an issue? Well, first off, the request is small (size-wise, there is nothing to this packet, very tiny) but the response is HUGE: it could respond with hundreds of IP addresses, and the packets can get very large.

The other issue is that in this protocol source IPs can be spoofed, and thus the attacker can send a packet from one IP address but spoof the source as another IP address (their victim). What will happen is the attacker sends a bunch of tiny NTP requests, but since the source is spoofed, the vulnerable NTP server sends a bunch of HUGE responses back to the spoofed IP address, who ends up being the victim. The victim will get all these huge packets sent to them, and their servers will be overwhelmed and crash or suffer a Denial of Service.

The fix appears to be to disable this "mon_getlist" feature, as it's not needed. Here are a few better links that explain this attack in more detail. [1] [2] [3]
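To spot these probes in captured traffic, the following added example (not code from the original post) decodes the 8-byte NTP mode 7 header shown in the dissection above and flags monlist requests. The function names and the sample payloads are assumptions constructed for illustration; the request payload is built from the field values in the dissection.

```python
import struct

MODE_PRIVATE = 7        # "reserved for private use" in the dissection
REQ_MON_GETLIST = 20    # older monlist request code
REQ_MON_GETLIST_1 = 42  # request code seen in the dissection

def parse_mode7(payload: bytes):
    """Decode the 8-byte mode 7 header of a UDP/123 payload, or return None."""
    if len(payload) < 8:
        return None
    flags, auth_seq, impl, req, err_items, mbz_size = struct.unpack(
        "!BBBBHH", payload[:8])
    if flags & 0x07 != MODE_PRIVATE:
        return None  # ordinary time sync (modes 1-5) or control (mode 6)
    return {
        "response": bool(flags & 0x80),   # 0 = request, 1 = response
        "more": bool(flags & 0x40),
        "version": (flags >> 3) & 0x07,
        "auth": bool(auth_seq & 0x80),
        "sequence": auth_seq & 0x7F,
        "implementation": impl,           # 3 = XNTPD
        "request_code": req,
        "err": err_items >> 12,
        "n_items": err_items & 0x0FFF,
        "item_size": mbz_size & 0x0FFF,
    }

def is_monlist_probe(payload: bytes) -> bool:
    """True for a mode 7 *request* asking for the monitor list."""
    hdr = parse_mode7(payload)
    return (hdr is not None and not hdr["response"]
            and hdr["request_code"] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1))

# Constructed samples (not captured traffic).
# Request rebuilt from the dissection: flags 0x17, auth/seq 23, XNTPD, code 42.
SAMPLE_PROBE = bytes([0x17, 23, 3, 42, 0x00, 0x00, 0x00, 0x00])
# Ordinary NTPv4 client packet: first byte 0x23 (version 4, mode 3), 48 bytes.
SAMPLE_CLIENT = bytes([0x23]) + bytes(47)
# Mode 7 response header (response bit set), 6 items of 72 bytes each.
SAMPLE_RESPONSE = bytes([0x97, 0, 3, 42, 0x00, 0x06, 0x00, 0x48])

if __name__ == "__main__":
    for name, pkt in [("probe", SAMPLE_PROBE), ("client", SAMPLE_CLIENT),
                      ("response", SAMPLE_RESPONSE)]:
        print(name, is_monlist_probe(pkt), parse_mode7(pkt))
```

Inbound hits on `is_monlist_probe` indicate scanning or reflection attempts against your server; large volumes of mode 7 responses arriving unsolicited indicate you are the spoofed victim.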

More about neonprimetime

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.