The largest distributed denial of service attack on public record was reported last week. It is the simplicity of the attack that has left many potential targets on edge. CloudFlare CEO Matthew Prince explains, “Remarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests.”
We asked our resident Internet expert, Jay Hennigan, to explain how such a large scale attack could occur using only a single server. He explained that the attackers took advantage of a commonly used Internet protocol called Network Time Protocol, NTP for short. It is used to keep the time-of-day clocks on computers in sync and is quite valuable in e-commerce, for accurate logging of events, and for synchronizing calendars.
Authoritative clocks are maintained by a number of agencies and network providers, and they are used to synchronize the clocks of other hosts. Typically, an organization will use a tree-like structure for all computers under its control. One or two computers are configured to obtain accurate time from, for example, the US National Bureau of Standards, and all others within the company then query that company’s time server. This cuts down on Internet traffic to the authoritative server and provides a “close” clock to the company’s other hosts.
NTP uses a very simple transport protocol called UDP. A packet is sent requesting information, typically the time, and a response is sent back without any further checking; there is no handshake to confirm that the source address on the request is genuine. This simple query-response exchange is what is being used to launch denial-of-service attacks.
The vulnerability is exploited by sending requests to multiple NTP servers with the source address forged to be that of the victim. These servers then send their replies to the victim’s address. In addition to answering queries for the time, some implementations of NTP will return other results, such as a lengthy list of previous queries, in response to a command called “monlist” or one of its variants.
This allows an attacker to send a relatively small amount of traffic querying vulnerable NTP servers, which then send much larger return streams to the victim, overwhelming the target network with unwanted data and saturating its links.
How can you best protect yourself from this vulnerability in NTP?
- Disable status queries or restrict access. The most recent versions of NTP software are configured with the monlist command disabled. In addition, in almost all cases computers should not need to provide clocks to others, only act as clients to set their own clocks. Unfortunately the NTP server application is often enabled by default for no good reason.
- Set up a firewall. If you are in fact using a host as an NTP server for your company, set a firewall or access list to only allow your own IP address space to query the device.
- Turn off the server. If you don’t need NTP server functionality on a host, turn it off.
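The following ntp.conf fragment is an added illustration of the first two points for the reference ntpd implementation; it is not from the original article. The 192.0.2.0/24 range is a placeholder standing in for your own company’s address space, and the pool server name is an example.

```conf
# --- Weak: the exposed, default-style server that amplification abuses ---
# A bare "restrict default" puts no limits on who may send control
# queries (ntpq/ntpdc, including monlist), and the monitor facility
# that collects the monlist data is on unless explicitly disabled.
#
#   restrict default
#   enable monitor

# --- Hardened ---
# Stop collecting the client list that monlist reports, so there is
# nothing large to return even if a mode-7 query gets through.
disable monitor

# Default policy for everyone else: serve time only. "noquery" refuses
# ntpq/ntpdc status and control queries, "nomodify" refuses configuration
# changes, "nopeer" refuses unsolicited peering, "notrap" refuses the
# trap service, and "kod" sends Kiss-o'-Death packets to abusive clients.
restrict default    kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# The host itself may query its own daemon for troubleshooting.
restrict 127.0.0.1
restrict -6 ::1

# Placeholder for your own address space: these hosts may query for time
# and read status, but still may not modify the server or peer with it.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer

# Upstream source of accurate time for this company time server (example name).
server 0.pool.ntp.org iburst
```

Pair this with a firewall rule that admits UDP/123 only from the same address space, and on hosts that are clients only, leave ntpd’s server side disabled or use a client-only daemon.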
Addressing this vulnerability is important not only to be a good citizen of the Internet, but to avoid having your own outgoing bandwidth consumed by attack traffic.