14 February 2014

NTP MON_LIST DDOS attacks. How to spot the hole.

Greetings and happy V-day.

This week I had an old forgotten server compromised by several attacks and added to a bot net. Most of them were well knowns, but the one the got my attention was a high usage of the NTP ports to a wide range of IPs.
Now I figure they were just using the NTP port for command and control ports until I saw that traffic even after I rebuilt the server. After confirming the traffic wasn't coming from an application on the server I did some more digging. With the help found out about this exploit.
DRDoS / Amplification Attack using ntpdc monlist command

Here we found some great info on what the attack was about and how to check for it.
 I won't go into too many details here, but it seems that many OSs out there have this issue which makes this even more important to beef up your systems.

Be in the Know!


So there are a few ways you can get your self in the know with this exploit. Lets start with the basics of what it preys on. NTP has a function called MONLIST, this is called by a datagram with an NTP request code of 42(MON_GETLIST_1). If you are being hit by this you will some thing like this in wireshark.

This is after I have shut down the NTP port. But you will see a lot of this one way or the other. This seems to be the thiey method, just spray requests until you get something.

The way they do this is quite simple. On Linux you can use both nmap and the ntpdc program.
ntpdc is the NTP daemon control program, with the "-c monlist" command line switch you can see if it will respond tot he MON_GETLIST_1 function. You can also use the sysinfo, version, and kerninfo switches to scrap just about everything about the service.

Nmap has a scrip, ntp-monlist, which will do about the same for you
----------------------------------------------------------------------------
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.041s latency).
PORT    STATE SERVICE
123/udp open  ntp
| ntp-monlist:
|   Public Servers (3)
|       199.233.236.226 209.114.111.1   217.7.239.199
|   Public Clients (52)
|       12.91.144.54    72.10.7.90      216.229.166.132 216.229.185.71
|       64.35.139.168   198.36.182.163  216.229.166.187 216.229.185.72
|       64.35.139.169   206.63.184.116  216.229.173.6   216.229.185.73
|       64.35.139.170   208.107.61.154  216.229.176.122 216.229.185.74
|       66.117.72.169   216.229.160.1   216.229.177.38  216.229.185.76
|       66.201.136.10   216.229.160.39  216.229.177.46  216.229.185.78
|       66.201.155.222  216.229.161.137 216.229.177.134 216.229.185.80
|       66.225.8.16     216.229.161.142 216.229.185.34  216.229.185.81
|       66.225.8.21     216.229.162.134 216.229.185.63  216.229.185.84
|       66.225.8.62     216.229.166.21  216.229.185.65  216.229.185.85
|       66.225.29.8     216.229.166.84  216.229.185.67  216.229.185.86
|       69.41.148.253   216.229.166.115 216.229.185.69  216.229.185.87
|       69.41.151.18    216.229.166.131 216.229.185.70  216.229.185.88
|   Other Associations (1)
|_      216.229.187.153 (You?) seen 5 times. last tx was unicast v2 mode 7

---------------------------------------------------------------------------------

Here is what ntpdc would give you:
--------------------------------------------------------------------------------
host:~ # ntpdc -c version xxx.xxx.xxx.xxx
ntpdc 4.2.6p5@1.2349-o Mon Jan 28 10:56:47 UTC 2013 (1)
host:~ # ntpdc -c sysinfo xxx.xxx.xxx.xxx
system peer:          0.0.0.0
system peer mode:     unspec
leap indicator:       11
stratum:              16
precision:            -20
root distance:        0.00000 s
root dispersion:      0.00195 s
reference ID:         [73.78.73.84]
reference time:       00000000.00000000  Wed, Feb  6 2036 22:28:16.000
system flags:         auth monitor ntp kernel stats 
jitter:               0.000000 s
stability:            0.000 ppm
broadcastdelay:       0.003998 s
authdelay:            0.000000 s
host:~ # ntpdc -c monlist xxx.xxx.xxx.xxx
remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
216.229.187.153        38995 216.229.160.10         3 7 2    180      7       0
66.225.29.8              123 216.229.160.10         1 3 4    180      0       1
ppp70-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0       5
spk.go180.net            511 216.229.160.10        12 1 3    180     10       5
209.118.204.201          123 216.229.160.10         3 4 4      1     65       5
206.63.184.116           333 216.229.160.10        27 3 4      1      4       7
lanip-177-46.go180.net   123 216.229.160.10         2 3 4    180    130       7
ntp3.Housing.Berkeley.   123 216.229.160.10         3 4 4      1     63       8
12.91.144.54             123 216.229.160.10         3 1 3      1     64       9
69.41.148.253            123 216.229.160.10         5 3 4      1     32      11
ns2.deakin.edu.au        123 216.229.160.10         3 4 4      1     63      11
64-35-139-171.gohighsp   123 216.229.160.10         1 1 3    180      0      13
ppp71-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0      15
198.36.182.163         38026 216.229.160.10         7 3 3      1     20      19
66-117-72-169.gohighsp   123 216.229.160.10         2 3 4    180     65      20
as2-pdt.go180.net        123 216.229.160.10         2 1 3      1     64      25
lanip-177-38.go180.net   123 216.229.160.10         1 3 4    180      0      26
host-154-61-107-208-st    10 216.229.160.10         4 1 3      1     13      26
216.229.173.6            123 216.229.160.10         1 3 4    180      0      26
sc2200-secondary.highs   123 216.229.160.10         2 3 3    180     64      26
srp5-0-br6-levy-spk.go   123 216.229.160.10         2 3 4    180     66      28
srp5-0-levy-spk.go180.   123 216.229.160.10         2 1 4    180     64      30
66.225.8.16              123 216.229.160.10         1 3 4    180      0      30
ppp76-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0      31
ppp78-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0      32
ppp88-as1-spk.go180.ne   123 216.229.160.10         2 3 4    180     63      40
vlan101.cr2.spk.go180.   123 216.229.160.10         2 1 4    180     65      44
barracuda.ci.walla-wal   110 216.229.160.10         2 3 3      1     64      45
ppp80-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0      46
66.201.155.222           123 216.229.160.10         2 1 3      1     64      46
mail.disimaging.com      123 216.229.160.10         1 3 4    180      0      48
ppp74-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0      49
69.41.151.18             123 216.229.160.10         2 3 4      1     64      53
ppp63-as1-spk.go180.ne   123 216.229.160.10         2 3 4    180     63      54
as2-levy-spk.go180.net   123 216.229.160.10         1 1 3    180      0      56
66-117-72-218.gohighsp   123 216.229.160.10         1 3 4    180      0      57
f0-0-br2-wal.go180.net   123 216.229.160.10         1 1 4    180      0      72
ppp34-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0      79
ppp73-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0      85
66.225.8.21              123 216.229.160.10         1 3 4    180      0      85
sc2200-primary.highspe   123 216.229.160.10         1 3 3    180      0      88
ppp67-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0      94
ppp81-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0     101
216.229.166.121          123 216.229.160.10         1 1 3    180      0     101
ppp84-as1-spk.go180.ne   123 216.229.160.10         1 3 4    180      0     101
64-35-142-218.gohighsp   134 216.229.160.10         1 1 3    180      0     105
66.225.8.62              123 216.229.160.10         1 3 4    180      0     116
con1-psc.go180.net       123 216.229.160.10         1 1 3    180      0     135
host:~ # 
------------------------------------------

You can see that ntpdc gives you quite a bit more, but nmap makes much quicker work of it.


What to do about it?


Well now that you know what is going on, you can stop it, right? Well this depends on your setup.
For very good info on locking down NTP take a look at http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html

Sadly they don't have much for windows for windows and I was unable to find anything about hardening windows NTP servers. With this I would say, as I do about any windows server, don't expose this to the internet!!!!

Proactive!!!!


If you want to be proactive about this there are a few ways you can go about it. 
The best is the limit your public facing NTP ports, this limits what the bot nets can even get to.
If have to have a NTP port public facing then you should check and follow the link above to learn how to harden it.
Use the command 
-----------------
nmap -sU -pU:123 -Pn -n --script=ntp-monlist "Your test host here"

------------------

Once you are locked down you should be good to go!!

Conclusion


I want to mess around more with the NTP exploit to better understand how they go about implementing the attack. So look out for a post about the results of  my honeypot setup for NTP.

No comments:

Post a Comment