NTP and Evil Geoff Huston, Randy Bush. The Evolution of Evil It used to be that you sent evil packets to your chosen victim but this exposed you, and.

Slides:



Advertisements
Similar presentations
06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.
Advertisements

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
CCNA – Network Fundamentals
Basic IP Traffic Management with Access Lists
DNS, DNSSEC and DDOS Geoff Huston APNIC February 2014.
NAT/Firewall Traversal April NAT revisited – “port-translating NAT”
CSE551: Computer Network Review r Network Layers r TCP/UDP r IP.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
A Question of Protocol Geoff Huston APNIC. Originally there was RFC791:
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Common forms and remedies Neeta Bhadane Raunaq Nilekani Sahasranshu.
A question of protocol Geoff Huston APNIC 36. Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether.
Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.
Interior Gateway Routing Protocol (IGRP) is a distance vector interior routing protocol (IGP) invented by Cisco. It is used by routers to exchange routing.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.
Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 9: Access Control Lists Routing & Switching.
Access Control List ACL. Access Control List ACL.
IP Forwarding.
1 © 2007 Cisco Systems, Inc. All rights reserved.Cisco Public Remote access typically involves allowing telnet, SSH connections to the router Remote requires.
Mr. Mark Welton.  Firewalls are devices that prevent traffic from entering or leaving a network  Firewalls are often used between networks, or when.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
1 © 2004 Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 11 Access Control Lists (ACLs)
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
1 The Internet and Networked Multimedia. 2 Layering  Internet protocols are designed to work in layers, with each layer building on the facilities provided.
Access Control List (ACL)
1 © 2004, Cisco Systems, Inc. All rights reserved. Chapter 9 Intermediate TCP/IP/ Access Control Lists (ACLs)
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
Access-Lists Securing Your Router and Protecting Your Network.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
Internetworking Internet: A network among networks, or a network of networks Allows accommodation of multiple network technologies Universal Service Routers.
Page 1 Access Lists Lecture 7 Hassan Shuja 04/25/2006.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Filtering Traffic Using Access Control Lists Introducing Routing and Switching.
Saeed Darvish Pazoki – MCSE, CCNA Abstracted From: Cisco Press – ICND 2 – 6 IP Access Lists 1.
Page 1 Chapter 11 CCNA2 Chapter 11 Access Control Lists : Creating ACLs, using Wildcard Mask Bits, Standard and Extended ACLs.
1 Firewalls Types of Firewalls Inspection Methods  Static Packet Inspection  Stateful Packet Inspection  NAT  Application Firewalls Firewall Architecture.
Verify that timestamps for debugging and logging messages has been enabled. Verify the severity level of events that are being captured. Verify that the.
Lecture 20 Page 1 Advanced Network Security Basic Approaches to DDoS Defense Advanced Network Security Peter Reiher August, 2014.
Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.
1 Network Firewalls CSCI Web Security Spring 2003 Presented By Yasir Zahur.
Configuring AAA requires four basic steps: 1.Enable AAA (new-model). 2.Configure security server network parameters. 3.Define one or more method lists.
DoS/DDoS attack and defense
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
Wild Stuff ExtendedACLGeneralACLStandardACL Got the Right Number?
CCNA4 Perrine / Brierley Page 12/20/2016 Chapter 05 Access Control Non e0e1 s server.
Access Control List (ACL) W.lilakiatsakun. Transport Layer Review (1) TCP (Transmission Control Protocol) – HTTP (Web) – SMTP (Mail) UDP (User Datagram.
Dynamic Packet Filtering and the Reflexive Access List.
The Aha’s of everyday trouble shooting Stateless firewall filtering in Junos Based on a true story.
Fragmentation Geoff Huston APNIC Labs. Before Packets… Digitised telephone networks switched time – Each active network transaction was a 56K constant.
Chapter 8.  Upon completion of this chapter, you should be able to:  Understand the purpose of a firewall  Name two types of firewalls  Identify common.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.
Chapter 9 The Transport Layer The Internet Protocol has three main protocols that run on top of IP: two are for data, one for control.
Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos
Prepared By : Pina Chhatrala
Introduction to Networking
* Essential Network Security Book Slides.
D* (DNS, and DNSSEC and DDOS)
POOJA Programmer, CSE Department
Firewalls By conventional definition, a firewall is a partition made
CS4470 Computer Networking Protocols
Chapter 5 Transport Layer Introduction
Presentation transcript:

NTP and Evil Geoff Huston, Randy Bush

The Evolution of Evil It used to be that you sent evil packets to your chosen victim but this exposed you, and limited the damage you could cause Attacker Victim e.g. TCP SYN attack

The Evolution of Evil Then you enrolled a bot army to send evil which kept you hidden and increased the damage leverage Attacker Victim Massed connection attempts

The Evolution of Evil But now you co-opt the innocent into the evil cause, and use uncorrupted servers to launch the attack which hides the attacker(s) and uses the normal operation of servers to cause damage

UDP is a Fine Protocol UDP is used whenever you want a fast and highly efficient short transaction protocol Send a query to a server ( one packet) And the server sends an answer (one packet) UDP works best when the question and the answer are small (<512 bytes), but can work on larger transactions* Although it’s not as reliable as TCP The fine print (yes, you‘ll need to magnify this to read it!) Some UDP applications use multiple UDP packets for large answers (e.g. NTP). Some rely of IP level fragmentation (e.g. DNS with EDNS0) The problem with relying on fragmentation is firewall filtering and NATs (the trailing frags have no transport level header to assist in locating the NAT binding, as fragmentation is an IP level function) And the problem with multiple UDP packets is that the onus for reliable reassembly is pushed into the application, which may not necessarily do this well!, And the sender tends to barf large packet trains with no flow control, which can be bad as well *

UDP Mutation Unlike TCP there is no handshake between the two parties Send the server a UDP packet The server flips the source and destination IP addresses and responds with a UDP packet The server never checks the authenticity of the source address This allows a simple reflection attack

UDP Reflection Attack Attacker Victim Server Proto: UDP Dest: Server Source: Victim Proto: UDP Dest: Victim Source: Server note fake source!

UDP and DDOS Reflection Attacks This works “best” for a UDP-based service when: The service is widely used Servers are commonplace Servers are poorly maintained (or unmaintained) Clients are not “qualified” by the server (i.e. anyone can pose a query to a server) The answer is far bigger than the question

Hmmmmm What could that be?

The DNS!!! UDP-based query response service UDP is now almost ubiquitous for the DNS – EDNS0 wiped out the last vestiges of TCP fallback for most DNS resolvers The service is widely used Everybody is a client of the DNS Servers are commonplace Resolvers are scattered all over the Internet Servers are poorly maintained (or unmaintained) There are some 30 million open resolvers Clients are not “qualified” by the server (i.e. anyone can pose a query to a server) authoritative DNS name servers are promiscuous by design Many DNS resolvers are unintentionally promiscuous The answer is be far bigger than the question Just ask the right DNS question!

Co-Opting the DNS for Evil DNS DDOS attacks are now very commonplace They can (and do) operate at sustained gigabit speeds Efforts to mitigate tend to degrade the quality of the service as well as affecting the victim

What other UDP services are susceptible? chargen? snmp?

It’s as easy as 1, 2, 3! NTP is a simple UDP query/ response protocol, where the NTP server listens on UDP port 123 Time is important for network-distributed services So we’ve deployed a lot of NTP servers to distribute time across the network

NTP and UDP Reflection Attacks UDP-based query response service UDP is ubiquitous for NTP The service is widely used Time is widely distributed Servers are commonplace NTP servers are scattered all over the Internet Servers are poorly maintained (or unmaintained) NTP tends to be operated in a “configure and forget” mode Clients are not “qualified” by the server (i.e. anyone can pose a query to a server) NTP is not necessarily promiscuous But it is often configured in a promiscuous mode The answer is far bigger than the question Not normally…

NTP transactions are symmetric 76 octets client server The same packet is passed from client to server and back again, with local clock values added into the NTP PDU as the PDU is sent and received

NTP The NTP server’s time response is the same size as the NTP time query Which limits the types of attacks that are effective, as this becomes indirection rather than indirection + amplification But the NTP folk added another hook into the model The NTP command and control channel is also implemented in UDP, using the same UDP port

NTP The NTP server’s time response is the same size as the NTP time query Which limits the types of attacks that are effective, as this becomes indirection rather than indirection + amplification But the NTP folk added another hook into the model The NTP command and control channel is also implemented in UDP, using the same UDP port Ooops!

NTP Command and Control ntpdc – the “special” NTP query program “monlist” returns the IP addresses of the last (up to) 600 systems that this NTP server has interacted with ntpdc –c monlist (There are other commands, but “monlist” provides the highest amplification) One UDP packet of 220 bytes input generates up to 100 x 468 byte UDP packets in response That’s an impressive amplification factor of 212!)

What you need to be naughty  Generate a list of open NTP hosts (zmap, for example is a good starting point)  Write a simple script that sends monlist commands to the open server, with UDP source address spoofing  Enlist some coercible hosts to generate some 2,500 monlist queries per second  And the servers will respond with a 1Gbps DDOS stream!  Rinse, repeat and multiply To Do List

What you need to be nice  Seal up your NTP – The following Team Cymru’s secure template for NTP should help: cymru.org/ReadingRoom/Templates/secure-ntp- template.html  Disable monlist – Upgrade NTP to at least version 4.2.7p26

Being Nice on a (cisco ios) Router ios (recent 12.* releases) access-list 46 remark utility ACL to block everything access-list 46 deny any ! access-list 47 remark NTP peers/servers we sync to/with access-list 47 permit access-list 47 permit access-list 47 deny any ! ! NTP access control ntp access-group query-only 46 ! deny all NTP control queries ntp access-group serve 46 ! deny all NTP time and control by default ntp access-group peer 47 ! permit sync to configured peer(s)/server(s) ntp access-group serve-only 46 ! deny NTP time sync requests

Being Nice on a (cisco xr) Router ios/xr Ntp server Server source Loopback0 update-calendar ! ! local packet transport service config lpts pifib hardware police location 0/2/CPU0 flow ntp default rate 0 flow ntp known rate 64 ! ! The input/loopback filter for xr control-plane management-plane inband interface all !!! oh, no config here for ntp, I guess LPTS handles it all?

juniper term ntp { from { source-address { /0; /* NTP servers to get time from */ except; except; } protocol udp; port ntp; } then { discard; } Being Nice on a (juniper) Router The alternative is to use a loopback default deny filter, in which case you would need the inverse form of the filter to accept NTP packets from the configured servers: term ntp { from { source-address { /23; /32; } protocol udp; port ntp; } then { count ntp-requests; accept; } This is a firewall filter fragment for a loopback filter which assumes a default permit

Being nice on a host /etc/ntp.conf # By default, exchange time with everybody, but don't allow # configuration. # restrict -4 default kod notrap nomodify nopeer noquery restrict -6 default kod notrap nomodify nopeer noquery # # Local users may interrogate the ntp server more closely. restrict restrict ::1

But… Being nice is not always possible – There is a significant volume of embedded functionality in appliances and consumerware – And enough of it includes NTP to be a problem that is not going to be “fixed” anytime soon Which leads to the underlying observation: that despite more than 15 years of lip service, without much actual support in our networks, Source Address Filtering really IS important!

How to be nice to each other  Perform Source Address Validation filtering on all outgoing ports – i.e. deploy BCP38 in your network!

Some Useful Resources NTP Monlist command: Description of NTP attack Sealing up NTP – a template for ntp.conf Open NTP servers BCP 38 BCP 38 tracking

Thanks!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.