
Create a DDOS attack using NTP servers - uberspot
https://github.com/vpnguy/ntpdos
======
mburgosh
Spent the night last night dealing with this attack. Here is what you should
know to deal with it:

[https://www.us-cert.gov/ncas/alerts/TA14-013A](https://www.us-cert.gov/ncas/alerts/TA14-013A)

------
jnazario
hdmoore re-disclosed this back on mar 2 2010. nothing new here. more about
this:

[https://labs.ripe.net/Members/mirjam/ntp-reflections](https://labs.ripe.net/Members/mirjam/ntp-reflections)

templates from the team cymru guys to secure your ntp installations, which
have also been around a while.

[http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-t...](http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html)
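The gist of such a template as an added ntp.conf fragment of my own, not quoted from the thread or from Team Cymru's page: the first stanza is the permissive state, the second is the fix.

```conf
# Weak (effectively the old default when no restrict line is present):
# mode 6/7 control and private queries, monlist included, answered for anyone
restrict default

# Hardened: drop the monitor facility that backs monlist, and refuse queries
# and configuration changes from everyone except localhost.
# noquery only blocks ntpq/ntpdc-style queries; time sync and your own
# server lines keep working.
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
```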

~~~
sp332
The attack is ongoing: [https://news.ycombinator.com/item?id=7216492](https://news.ycombinator.com/item?id=7216492)
It should be "nothing new" but too many people are still running vulnerable
servers.

~~~
baldfat
Hacking is always based off of exploiting other people's laziness. Well at
least 95%.

------
xorrbit
If you're concerned your NTP servers may have the monlist command enabled and
therefore be available for attackers to use to mount these reflection attacks
there is a Nessus plugin to check for this:
[http://www.tenable.com/plugins/index.php?view=single&id=7178...](http://www.tenable.com/plugins/index.php?view=single&id=71783)

~~~
Joona
Is there a website where I could just paste the server IP?

~~~
hhw
Try [http://openntpproject.org/](http://openntpproject.org/)

------
ck2
So can a server just close or move NTP ports to survive this and block default
ports via firewall?

~~~
FiloSottile
No, what this is exposing is a threat like the DNS DDoS amplification. He
sends NTP servers small packets, spoofing the sender address (UDP), and the
server sends big response to the target (the spoofed sender address).

This allows one to send a much bigger DDoS from a less powerful uplink.

The target can't just firewall a port, as it does not rely on NTP being
running on the target, but on some other unprotected machines.

~~~
eli
On the plus side, I would imagine there is a relatively limited number of NTP
servers (at least compared to DNS when DDoS amplification attacks first caught
on).

~~~
devicenull
You would be wrong. Dedicated NTP servers yes, but there are things like routers,
IPMI controllers, and firewalls that run the NTPD server. Even a bunch of
linux distributions were shipping vulnerable daemons until a few weeks ago.

Anyone that's done '<package manager> install ntp' has the potential to be
vulnerable, depending on configuration.

------
jlgaddis

    $ nmap -sU -pU:123 -Pn -n --script=ntp-monlist <target>

-- [http://nmap.org/nsedoc/scripts/ntp-monlist.html](http://nmap.org/nsedoc/scripts/ntp-monlist.html)

------
legulere
Has someone tried getting all vulnerable NTP servers with zmap and shutting
them down?

~~~
jldugger
Yes, I've been getting a steady trickle of email from this site:
[http://openntpproject.org/](http://openntpproject.org/)

------
Fuxy
That's a dangerous tool to be releasing this early but hey if you can why not
:)

~~~
jgrahamc
I disagree.

Although some people might take this tool and a list of NTP servers and use it
to generate a DDoS against a site or service, it's worth seeing just how
simple these attacks are by examining this tool.

They are trivial to perform and the solution, BCP38, needs to be rolled out.

[http://blog.cloudflare.com/understanding-and-mitigating-ntp-...](http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks)

~~~
vpnguy
If it's so trivial why stress about me releasing it? I figured out how to write
the attack from RFCs, Wireshark and reports about attacks in early January.
Also you can only launch an attack from somewhere that doesn't drop invalid
UDP packets (Windows machines post XP SP2 and many consumer level ISPs) so it
has skid protection naturally. To attack with this effectively someone could
spawn AWS instances, I'd imagine.

Imagine my surprise as I was enjoying my cereal this morning and saw this on
HN.

~~~
devicenull
I'm unsure what you're hoping to accomplish by releasing this?

Also, you (or whoever 'DaRkReD' is, referenced in the script comments),
released this on 01-22-2014 to hackforums.com. Personally, I find arming the
script kiddies to be inexcusable behavior.

From the hackforums post:

> NTP has a feature called monlist which lists recent clients. Asking for the
> monlist takes about 90 bytes, the monlist is about 1640 bytes and since NTP
> is UDP we can spoof the IP origin and those 1640 bytes will go to your
> target of choice. As a result we have an 18x amplification attack so for
> every 1 byte you get sent you get 18 bytes sent to the target your home
> internet can now DOS 18x faster!

------
yoha
Here are the important lines from ntpdos.py:

> #Magic Packet aka NTP v2 Monlist Packet
> data=str("\x17\x00\x03\x2a") + str("\x00")*4
> packet = IP(dst=ntpserver,src=target)/UDP(sport=48947,dport=123)/Raw(load=data) #BUILD IT
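As an added example (my own code, not from ntpdos or any commenter): a parser for the NTP mode 7 header that the quoted "magic packet" uses, plus a report that pairs monlist requests and replies seen at an NTP server, so the spoofed victim and the amplification ratio FiloSottile describes fall out of the capture. The sample datagrams are constructed; the header layout and request codes are ntpd's mode 7 protocol.

```python
import struct
from collections import defaultdict

IMPL_XNTPD = 3                # implementation number ntpd answers mode 7 requests for
MONLIST_REQ_CODES = {20, 42}  # REQ_MON_GETLIST and REQ_MON_GETLIST_1 (0x2a, as quoted above)
MODE7_HDR = struct.Struct("!BBBBHH")  # rm_vn_mode, auth_seq, impl, request, err_nitems, mbz_itemsize

def parse_mode7(payload):
    """Decode the 8-byte mode 7 header; None if the datagram is any other NTP mode."""
    if len(payload) < MODE7_HDR.size:
        return None
    rm_vn_mode, _seq, impl, req, err_nitems, mbz_itemsize = MODE7_HDR.unpack_from(payload)
    if rm_vn_mode & 0x07 != 7:  # low three bits = mode; 7 is the private (ntpdc) mode
        return None
    return {"response": bool(rm_vn_mode & 0x80), "impl": impl, "request": req,
            "nitems": err_nitems & 0x0FFF, "itemsize": mbz_itemsize & 0x0FFF}

def is_monlist(hdr):
    return hdr is not None and hdr["impl"] == IMPL_XNTPD and hdr["request"] in MONLIST_REQ_CODES

def amplification_report(datagrams):
    """datagrams: (src_ip, dst_ip, udp_payload) tuples captured at the NTP server. Requests
    are booked against their claimed source (the spoofed victim), responses against their
    destination, so each address's ratio shows what its 8-byte requests are turned into."""
    stats = defaultdict(lambda: {"req_bytes": 0, "resp_pkts": 0, "resp_bytes": 0})
    for src, dst, payload in datagrams:
        hdr = parse_mode7(payload)
        if not is_monlist(hdr):
            continue  # ordinary mode 3 time sync or an unrelated mode 7 query
        if hdr["response"]:
            stats[dst]["resp_pkts"] += 1
            stats[dst]["resp_bytes"] += len(payload)
        else:
            stats[src]["req_bytes"] += len(payload)
    for s in stats.values():
        s["ratio"] = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else float("inf")
    return dict(stats)

# Constructed sample traffic using RFC 5737 documentation addresses, not real hosts.
MONLIST_REQUEST = b"\x17\x00\x03\x2a" + b"\x00" * 4  # the quoted 8-byte "magic packet"
SNTP_CLIENT = b"\x1b" + b"\x00" * 47                 # normal 48-byte mode 3 client request

def monlist_response(nitems=6, itemsize=72):
    # Response bit set, VN 2, mode 7; zero filler stands in for six 72-byte mon entries.
    return MODE7_HDR.pack(0x97, 0, IMPL_XNTPD, 42, nitems, itemsize) + b"\x00" * (nitems * itemsize)

SAMPLE = [("203.0.113.9", "192.0.2.1", MONLIST_REQUEST)]          # "from" the victim: spoofed
SAMPLE += [("192.0.2.1", "203.0.113.9", monlist_response())] * 3  # 3 x 440-byte replies to it
SAMPLE += [("198.51.100.5", "192.0.2.1", SNTP_CLIENT)]            # legitimate client, ignored
```

`amplification_report(SAMPLE)` reports 1320 bytes sent to 203.0.113.9 for the 8 it "asked" with, a ratio of 165; a real server with a full monitor table answers with many more response datagrams per request, so the ratio, not the packet count, is what to alert on.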

------
voilet
59.151.34.14

------
vpnguy
Suggested reading: [http://blog.cloudflare.com/understanding-and-mitigating-ntp-...](http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks)

