DDOS amplification attack vulnerability in exposed NTP mode 6

Software Affected:

• NTP software prior to version 4.2.7

Abstract:

The Network Time Protocol is a protocol used to synchronize system time to Internet standard time. The control mode (mode 6) functionality in Network Time Protocol service have a vulnerability which could allow an unauthenticated remote attacker to cause a reflected Denial of Service (DoS) condition.

Technical Description:

NTP is vulnerable to a denial of service, caused by an error in the control mode (mode 6) functionality. By sending specially crafted control mode packets, a remote attacker could exploit this vulnerability to obtain sensitive information and cause the application to crash. This vulnerability is due to inappropriate security safeguards that could lead to modify configuration. If the “restrict default noquery” is not specified, or the “monlist” command is not disabled, it allows remote attackers to cause a denial of service (traffic amplification).

Vulnerability Assessment:

To verify the vulnerability, it is advisable to execute the command mentioned below from external network:

Command:

• ntpq -c rv <target IP>

If the vulnerability exists, output will give information including associd, status, version, system, processor etc.

Another command to check service status is give below:

• nmap -sU -pU:123 -Pn -n --script=ntp-monlist <target IP>

Countermeasures and Best practices for prevention:

• It is advised to make sure that the IP of internet-facing assets cannot be spoofed by implementing security measures such as BCP 38 filtering.
• Upgrade to 4.2.8p9 version or latest NTP Project versions on public facing NTP servers.
• If a public facing NTP server cannot be upgraded to 4.2.8p9 version, add the “noquery” in “restrict default” line in your ntp.conf file for disabling the mode 6 functionality as shown below:
• “restrict default kod nomodify notrap nopeer noquery”
• “restrict -6 default kod nomodify notrap nopeer noquery”
• If an upgrade of NTP daemon is not possible, disable the “monlist command” or enforce that requests come from valid sources and trusted networks only.
• Advised to monitor your ntpd instances properly, and use auto-restart ntpd (without -g) if it stops running.

Solution:

Apply the best security practices available at:

• https://www.cisa.gov/news-events/alerts/2014/01/13/ntp-amplification-attacks-using-cve-2013-5211

References:

• https://www.acunetix.com/blog/articles/ntp-reflection-ddos-attacks/
• https://www.freebsd.org/security/advisories/FreeBSD-SA-16:39.ntp.asc
• https://www.kb.cert.org/vuls/id/633847
• https://tools.cisco.com/security/center/viewAlert.x?alertId=49822
• https://www.cisa.gov/news-events/alerts/2014/01/13/ntp-amplification-attacks-using-cve-2013-5211