Greetings and happy V-day.
This week I had an old forgotten server compromised by several attacks and added to a botnet. Most of them were well known, but the one that got my attention was high usage of the NTP port to a wide range of IPs.
At first I figured they were just using the NTP port for command and control, until I saw that traffic even after I rebuilt the server. After confirming the traffic wasn't coming from an application on the server I did some more digging, and with help found out about this exploit.
DRDoS / Amplification Attack using ntpdc monlist command
Here we found some great info on what the attack was about and how to check for it.
I won't go into too many details here, but it seems that many OSs out there have this issue, which makes it even more important to beef up your systems.
This is after I have shut down the NTP port. But you will see a lot of this one way or the other. This seems to be their method, just spray requests until you get something.
Be in the Know!
So there are a few ways you can get yourself in the know with this exploit. Let's start with the basics of what it preys on. NTP has a function called MONLIST, which is called by a datagram with an NTP request code of 42 (MON_GETLIST_1). If you are being hit by this you will see something like this in Wireshark.
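To make that Wireshark view concrete, here is a small decoder for the mode 7 datagrams involved, added here as an example and not code from the original post: it labels a packet as a MON_GETLIST_1 request or response, pulls the entries out of a response in the same columns ntpdc shows, and computes the bytes-out-per-byte-in ratio. The request and reply packets are constructed inline (the single entry uses values from the ntpdc output further down), so nothing is sent on the network.

```python
# Decoder for NTP mode 7 ("private") datagrams, the kind ntpdc -c monlist sends and an
# abusable ntpd answers. Added example, not from the post; offline, samples constructed below.
import struct
from ipaddress import IPv4Address

MON_GETLIST, MON_GETLIST_1 = 20, 42          # monlist request codes (MON_GETLIST_1 = 42)
REQ_CODES = {MON_GETLIST: "MON_GETLIST", MON_GETLIST_1: "MON_GETLIST_1"}
HDR = struct.Struct("!BBBBHH")                # 8-byte mode 7 header
ITEM1 = struct.Struct("!IIIIIIIHBBII16s16s")  # 72-byte info_monitor_1 entry

def decode_header(pkt):  # mode 7 header fields, or None if the datagram is not mode 7
    if len(pkt) < HDR.size:
        return None
    rm_vn_mode, _seq, impl, code, err_nitems, mbz_isize = HDR.unpack_from(pkt)
    if rm_vn_mode & 0x07 != 7:                # low 3 bits: NTP mode, 7 = private
        return None
    return {"response": bool(rm_vn_mode & 0x80), "version": (rm_vn_mode >> 3) & 0x07, "request_code": code,
            "implementation": impl, "nitems": err_nitems & 0x0FFF, "item_size": mbz_isize & 0x0FFF}

def classify(pkt):  # label a datagram the way a detection rule would
    h = decode_header(pkt)
    if h is None:
        return "not-mode7"
    name = REQ_CODES.get(h["request_code"], "other")
    return f"{name}-{'response' if h['response'] else 'request'}"

def monlist_entries(pkt):  # MON_GETLIST_1 response items, in the columns ntpdc prints
    h = decode_header(pkt)
    if not h or not h["response"] or h["request_code"] != MON_GETLIST_1 or h["item_size"] != ITEM1.size:
        return []
    out = []
    for off in range(HDR.size, HDR.size + h["nitems"] * ITEM1.size, ITEM1.size):
        if off + ITEM1.size > len(pkt):
            break                             # truncated datagram
        avgint, lstint, restr, count, addr, daddr, _, port, mode, ver, *_ = ITEM1.unpack_from(pkt, off)
        out.append({"remote": str(IPv4Address(addr)), "port": port, "local": str(IPv4Address(daddr)),
                    "count": count, "mode": mode, "version": ver, "rstr": restr,
                    "avgint": avgint, "lstint": lstint})
    return out

def amplification(request, response):  # bytes received per byte sent
    return len(response) / len(request)

# Constructed samples: the 8-byte monlist probe and one reply carrying a single entry
# (values copied from the post's ntpdc output, 216.229.187.153:38995 -> 216.229.160.10).
PROBE = bytes.fromhex("1700032a") + bytes(4)
REPLY = HDR.pack(0x97, 0, 3, MON_GETLIST_1, 1, ITEM1.size) + ITEM1.pack(
    7, 0, 180, 3, int(IPv4Address("216.229.187.153")), int(IPv4Address("216.229.160.10")),
    0, 38995, 7, 2, 0, 0, bytes(16), bytes(16))
```

A real reply carries up to six entries per 482-byte datagram and ntpd sends up to 100 of them, so the ratio on the constructed pair here is far below what an abusable server produces.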
The way they do this is quite simple. On Linux you can use both nmap and the ntpdc program.
ntpdc is the NTP daemon control program; with the "-c monlist" command line switch you can see if it will respond to the MON_GETLIST_1 function. You can also use the sysinfo, version, and kerninfo switches to scrape just about everything about the service.
Nmap has a script, ntp-monlist, which will do about the same for you:
----------------------------------------------------------------------------
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.041s latency).
PORT STATE SERVICE
123/udp open ntp
| ntp-monlist:
| Public Servers (3)
| 199.233.236.226 209.114.111.1 217.7.239.199
| Public Clients (52)
| 12.91.144.54 72.10.7.90 216.229.166.132 216.229.185.71
| 64.35.139.168 198.36.182.163 216.229.166.187 216.229.185.72
| 64.35.139.169 206.63.184.116 216.229.173.6 216.229.185.73
| 64.35.139.170 208.107.61.154 216.229.176.122 216.229.185.74
| 66.117.72.169 216.229.160.1 216.229.177.38 216.229.185.76
| 66.201.136.10 216.229.160.39 216.229.177.46 216.229.185.78
| 66.201.155.222 216.229.161.137 216.229.177.134 216.229.185.80
| 66.225.8.16 216.229.161.142 216.229.185.34 216.229.185.81
| 66.225.8.21 216.229.162.134 216.229.185.63 216.229.185.84
| 66.225.8.62 216.229.166.21 216.229.185.65 216.229.185.85
| 66.225.29.8 216.229.166.84 216.229.185.67 216.229.185.86
| 69.41.148.253 216.229.166.115 216.229.185.69 216.229.185.87
| 69.41.151.18 216.229.166.131 216.229.185.70 216.229.185.88
| Other Associations (1)
|_ 216.229.187.153 (You?) seen 5 times. last tx was unicast v2 mode 7
---------------------------------------------------------------------------------
Here is what ntpdc would give you:
--------------------------------------------------------------------------------
host:~ # ntpdc -c version xxx.xxx.xxx.xxx
ntpdc 4.2.6p5@1.2349-o Mon Jan 28 10:56:47 UTC 2013 (1)
host:~ # ntpdc -c sysinfo xxx.xxx.xxx.xxx
system peer: 0.0.0.0
system peer mode: unspec
leap indicator: 11
stratum: 16
precision: -20
root distance: 0.00000 s
root dispersion: 0.00195 s
reference ID: [73.78.73.84]
reference time: 00000000.00000000 Wed, Feb 6 2036 22:28:16.000
system flags: auth monitor ntp kernel stats
jitter: 0.000000 s
stability: 0.000 ppm
broadcastdelay: 0.003998 s
authdelay: 0.000000 s
host:~ # ntpdc -c monlist xxx.xxx.xxx.xxx
remote address port local address count m ver rstr avgint lstint
===============================================================================
216.229.187.153 38995 216.229.160.10 3 7 2 180 7 0
66.225.29.8 123 216.229.160.10 1 3 4 180 0 1
ppp70-as1-spk.go180.ne 123 216.229.160.10 1 3 4 180 0 5
spk.go180.net 511 216.229.160.10 12 1 3 180 10 5
209.118.204.201 123 216.229.160.10 3 4 4 1 65 5
206.63.184.116 333 216.229.160.10 27 3 4 1 4 7
lanip-177-46.go180.net 123 216.229.160.10 2 3 4 180 130 7
ntp3.Housing.Berkeley. 123 216.229.160.10 3 4 4 1 63 8
12.91.144.54 123 216.229.160.10 3 1 3 1 64 9
69.41.148.253 123 216.229.160.10 5 3 4 1 32 11
ns2.deakin.edu.au 123 216.229.160.10 3 4 4 1 63 11
64-35-139-171.gohighsp 123 216.229.160.10 1 1 3 180 0 13
ppp71-as1-spk.go180.ne 123 216.229.160.10 1 3 4 180 0 15
198.36.182.163 38026 216.229.160.10 7 3 3 1 20 19
66-117-72-169.gohighsp 123 216.229.160.10 2 3 4 180 65 20
as2-pdt.go180.net 123 216.229.160.10 2 1 3 1 64 25
lanip-177-38.go180.net 123 216.229.160.10 1 3 4 180 0 26
host-154-61-107-208-st 10 216.229.160.10 4 1 3 1 13 26
216.229.173.6 123 216.229.160.10 1 3 4 180 0 26
sc2200-secondary.highs 123 216.229.160.10 2 3 3 180 64 26
srp5-0-br6-levy-spk.go 123 216.229.160.10 2 3 4 180 66 28
srp5-0-levy-spk.go180. 123 216.229.160.10 2 1 4 180 64 30
66.225.8.16 123 216.229.160.10 1 3 4 180 0 30
ppp76-as1-spk.go180.ne 123 216.229.160.10 1 3 4 180 0 31
ppp78-as1-spk.go180.ne 123 216.229.160.10 1 3 4 180 0 32
ppp88-as1-spk.go180.ne 123 216.229.160.10 2 3 4 180 63 40
vlan101.cr2.spk.go180. 123 216.229.160.10 2 1 4 180 65 44
barracuda.ci.walla-wal 110 216.229.160.10 2 3 3 1 64 45
ppp80-as1-spk.go180.ne 123 216.229.160.10 1 3 4 180 0 46
66.201.155.222 123 216.229.160.10 2 1 3 1 64 46
mail.disimaging.com 123 216.229.160.10 1 3 4 180 0 48
ppp74-as1-spk.go180.ne 123 216.229.160.10 1 3 4 180 0 49
69.41.151.18 123 216.229.160.10 2 3 4 1 64 53
ppp63-as1-spk.go180.ne 123 216.229.160.10 2 3 4 180 63 54
as2-levy-spk.go180.net 123 216.229.160.10 1 1 3 180 0 56
66-117-72-218.gohighsp 123 216.229.160.10 1 3 4 180 0 57
f0-0-br2-wal.go180.net 123 216.229.160.10 1 1 4 180 0 72
ppp34-as1-spk.go180.ne 123 216.229.160.10 1 3 4 180 0 79
ppp73-as1-spk.go180.ne 123 216.229.160.10 1 3 4 180 0 85
66.225.8.21 123 216.229.160.10 1 3 4 180 0 85
sc2200-primary.highspe 123 216.229.160.10 1 3 3 180 0 88
ppp67-as1-spk.go180.ne 123 216.229.160.10 1 3 4 180 0 94
ppp81-as1-spk.go180.ne 123 216.229.160.10 1 3 4 180 0 101
216.229.166.121 123 216.229.160.10 1 1 3 180 0 101
ppp84-as1-spk.go180.ne 123 216.229.160.10 1 3 4 180 0 101
64-35-142-218.gohighsp 134 216.229.160.10 1 1 3 180 0 105
66.225.8.62 123 216.229.160.10 1 3 4 180 0 116
con1-psc.go180.net 123 216.229.160.10 1 1 3 180 0 135
host:~ #
------------------------------------------
You can see that ntpdc gives you quite a bit more, but nmap makes much quicker work of it.
What to do about it?
Well now that you know what is going on, you can stop it, right? Well this depends on your setup.
For very good info on locking down NTP take a look at http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
Sadly they don't have much for Windows, and I was unable to find anything about hardening Windows NTP servers. With this I would say, as I do about any Windows server, don't expose this to the internet!!!!
Proactive!!!!
If you want to be proactive about this there are a few ways you can go about it.
The best is to limit your public-facing NTP ports; this limits what the botnets can even get to.
If you have to have an NTP port public facing then you should check and follow the link above to learn how to harden it.
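The settings the link above covers, as an added example (not the post's own and not the Team Cymru template itself): a constructed weak and hardened ntp.conf, and a small audit that flags a missing noquery on the default restrict line and a monitor facility still enabled. It assumes ntp.org ntpd syntax, where an unqualified "restrict default" applies to both IPv4 and IPv6.

```python
# Audit an ntp.conf for the two things that make monlist abusable: a default restrict
# without noquery, and the monitor facility left on. Added example, not from the post
# or the Team Cymru template; assumes ntp.org ntpd syntax and, as that ntpd does,
# treats an unqualified "restrict default" as applying to both IPv4 and IPv6.

WEAK_CONF = "server 0.pool.ntp.org\n"   # constructed: untouched install, no restrict lines

HARDENED_CONF = """\
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer noquery   # mode 6/7 queries refused
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1                                    # local ntpq/ntpdc still work
restrict -6 ::1
disable monitor                                       # nothing for monlist to return
"""  # constructed: the default locked down, plus monitor switched off outright

def parse_ntp_conf(text):
    """Default restrict flags per address family, and whether monitor is enabled."""
    st = {"v4": None, "v6": None, "monitor": True}     # monitor is on unless disabled
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()           # drop comments, tokenize
        if not words:
            continue
        if words[0] == "restrict":
            args, fams = words[1:], ("v4", "v6")
            if args and args[0] in ("-4", "-6"):
                fams, args = (("v4",) if args[0] == "-4" else ("v6",)), args[1:]
            if args and args[0] == "default":
                for fam in fams:
                    st[fam] = set(args[1:])
        elif words[0] in ("enable", "disable") and "monitor" in words[1:]:
            st["monitor"] = words[0] == "enable"
    return st

def monlist_findings(text):
    """Findings a defender acts on: exposure first, then defense in depth."""
    st, findings = parse_ntp_conf(text), []
    for fam in ("v4", "v6"):
        if st[fam] is None:
            findings.append(f"{fam}: no 'restrict default', mode 7 queries answered from anywhere")
        elif not st[fam] & {"noquery", "ignore"}:
            findings.append(f"{fam}: 'restrict default' lacks noquery, monlist reachable")
    if st["monitor"]:
        findings.append("monitor enabled: add 'disable monitor' so monlist has nothing to return")
    return findings
```

Run monlist_findings over your own ntp.conf before and after the change; the nmap command below then confirms the daemon actually stopped answering.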
Use the command below to test your own host:
-----------------
nmap -sU -pU:123 -Pn -n --script=ntp-monlist "Your test host here"
------------------
Once you are locked down you should be good to go!!
Conclusion
I want to mess around more with the NTP exploit to better understand how they go about implementing the attack. So look out for a post about the results of my honeypot setup for NTP.