DNS AND NTP Based Amplification Attacks

Nikhil.P.Kulkarni, Advait Joshi, Harsh Daftary, Suriya Prakash,
Sabari Selvan, Yashin Mehaboobe.
©2014 Cyber Security and Privacy Foundation
DNS Reflection Attack:
DNS reflection is a method used to perform a Distributed Denial of Service (DDoS) attack. Attackers have used it to take down critical network infrastructure and resources by using DNS servers as the reflecting resource.
A DNS server answers a query with a response that is sufficiently larger than the query, and a flood of such responses eventually causes the DDoS. DNS runs over UDP, so there is no handshake as in TCP: an attacker who puts a spoofed source IP address in the DNS request can carry out such an attack by taking advantage of open or misconfigured DNS servers.
Fig: “dig” command used to query the information about cysecurity.org using ALL option.
These attacks are usually categorized into three types:
- Repeating Query attack.
- Varying Query attack.
- Distributed attack.
But this attack can be made even more powerful by amplification.
For an amplification attack to work, the attacker takes advantage of two features of the DNS protocol:
- The DNS response is generally larger than the DNS query that produced it; the attacker spoofs a small query which in turn generates a large response.
- DNS queries use UDP transport, which makes it easy for an attacker to spoof the source address.
The attacker identifies a set of resolvers that can be used as reflectors. Then, from compromised machines across the globe, the attacker sends DNS queries to the reflecting resolvers with the source IP address spoofed to that of the victim. The reflecting servers process the queries and send the responses to the targeted IP address. A botnet's many amplified requests allow the attacker to launch a large attack with a small amount of outgoing bandwidth.
At the victim's side this appears as a bombardment of a huge volume of unrequested DNS responses from nameservers. This makes it very hard to trace the attacker, since none of the packets reaching the victim come directly from the attacker's machine, and even harder to block the responses individually.
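The "unrequested DNS responses" described above are exactly what a defender can key on. The following is an added example (not code from the original paper) that matches inbound UDP/53 responses to earlier outbound queries over constructed flow records; responses with no matching query are counted per reflector, and matched exchanges give the amplification ratio of normal traffic. The flow records and the protected prefix are assumptions for the demonstration.

```python
"""Spot reflected DNS responses in flow records.

Added example, not code from the original paper. Each inbound UDP/53
response is matched to an earlier outbound query by (client, resolver,
transaction id). Unmatched responses are the "unrequested DNS responses"
a reflection victim receives; matched ones give the amplification ratio
of a legitimate exchange. Flow records below are constructed.
"""
from collections import defaultdict

# Constructed records: (src_ip, src_port, dst_ip, dst_port, txid, bytes, is_response)
FLOWS = [
    ("192.0.2.10", 40001, "198.51.100.1", 53, 0x1a2b, 60, False),   # normal query
    ("198.51.100.1", 53, "192.0.2.10", 40001, 0x1a2b, 180, True),   # its answer
    ("203.0.113.7", 53, "192.0.2.10", 40001, 0x9999, 3100, True),   # never asked for
    ("203.0.113.7", 53, "192.0.2.10", 40001, 0x9999, 3100, True),
    ("203.0.113.8", 53, "192.0.2.10", 40002, 0x0101, 2900, True),
]


def analyze(flows, protected_prefix="192.0.2."):
    """Return (amplification ratios of matched exchanges,
    {reflector_ip: [unsolicited packets, unsolicited bytes]})."""
    pending = {}                                   # (client, resolver, txid) -> query size
    ratios = []
    unsolicited = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, txid, size, is_resp in flows:
        if not is_resp and dport == 53 and src.startswith(protected_prefix):
            pending[(src, dst, txid)] = size
        elif is_resp and sport == 53 and dst.startswith(protected_prefix):
            qsize = pending.pop((dst, src, txid), None)
            if qsize is None:                      # no query from us: reflected
                unsolicited[src][0] += 1
                unsolicited[src][1] += size
            else:
                ratios.append(size / qsize)
    return ratios, dict(unsolicited)


def reflectors(flows, min_bytes=1000):
    """Source addresses whose unsolicited response volume exceeds min_bytes,
    i.e. the open resolvers being abused against the protected prefix."""
    _, unsol = analyze(flows)
    return sorted(ip for ip, (_, total) in unsol.items() if total >= min_bytes)


if __name__ == "__main__":
    ratios, unsol = analyze(FLOWS)
    print("legitimate amplification:", ratios)
    for ip in reflectors(FLOWS):
        print("reflector %s sent %d unrequested bytes" % (ip, unsol[ip][1]))
```

Feeding real flow exports (NetFlow/IPFIX or a pcap summary) through the same matching logic turns the reflector list into a block list for the firewall mitigation described later in the paper.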
There are some tools available on the Internet that perform this type of attack, although the number of misconfigured DNS servers is low because of mitigation techniques and patches.
One tool that is a simple implementation of such an attack was written by Mark Osborne.
General Info:
- The tool is written in C and uses the built-in network libraries.
- The attacker needs to provide basic information such as SPOOFED_IP, TARGET DNS and RESOLVER QUERY.
- It uses raw sockets and implements the UDP and DNS header structures.
Working:
- After accepting the input parameters, it queries the DNS server with the spoofed IP address provided by the attacker.
- It then outputs information such as the input parameters, query length, overall DNS length etc.
Source:
http://packetstormsecurity.com/files/122600/DNS-Reflection-Amplification-AttackTool.html
Fig: Use of TOR to connect to botnet or other owned victims to perform amplification.
Mitigations:
1. Firewall: capable of dropping packets from unknown or unwanted IP addresses. A suitable configuration can reduce this attack to some extent, since the source IP addresses might change after some time.
2. BCP38: amplification depends on spoofed IP addresses, and BCP38 is the mechanism used to verify the source IP address. ISPs are responsible for implementing this mechanism.
3. Third-party services: premium services such as CloudFlare protect against this type of DDoS and help conceal the original IP address of the host.
4. Configuring DNS: configure the server to identify stealth DNS requests and to refuse recursion for non-local IP addresses, making sure the DNS server is not an open DNS server.
NTP Based Amplification Attacks
It is well known that Internet hosts across the globe use the Network Time Protocol (NTP) to synchronize their clocks. It is used ubiquitously on systems of all types and sizes because of its accuracy and reliability, for services such as authentication, servers and phones alike. NTP is commonly used to synchronize time for systems over the Internet and on local networks; if you have ever set the time on your PC or network router from an Internet time server, you have used NTP. With NTP in such wide use it is necessary and important that the NTP infrastructure be secure and, moreover, trustworthy.
NTP generally runs on UDP port 123. NTP is one of the protocols that is generally forgotten once administrators have configured it, so it is often not updated on a regular basis, and this in turn leads to various NTP-based attacks.
NTP-based attacks have become quite common recently, with most gaming and online services being targeted. Just like DNS, NTP is a UDP-based protocol that can be made to return a large reply for a small request. In a reflection attack an attacker generally spoofs his source IP to the victim's IP address and sends requests to vulnerable servers on the Internet; when these servers reply, the reply goes to the forged victim IP. If the attacker sends requests to many vulnerable servers and they all reply to the victim at the same time, the victim faces a huge amount of traffic.
An NTP reflection attack becomes even stronger when it is amplified, which happens when a small request results in a large reply from the servers. Here the attacker generates a large number of UDP packets with the source IP spoofed, and these UDP packets are sent to NTP servers on port 123 which support the MONLIST command. (MONLIST is a remote command in older versions of NTP that requests the list of the last 600 hosts that connected to that server.) The MONLIST command is a very useful recon tool for attackers. If the NTP server has its MONLIST fully populated, the response to a MONLIST request will be 206 times the size of the actual request, leading to a DDoS attack on the victim.
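MONLIST travels in NTP's private "mode 7" packets, so a sensor on UDP/123 can tell a monlist exchange apart from ordinary time synchronization by decoding that header. The following is an added example (not code from the original paper) that parses the mode 7 header as laid out in ntpd's ntp_request.h, classifies monlist requests and responses, and sums reflected response bytes per destination so the victim of a reflection stands out. The sample packets and addresses are constructed, not captured traffic.

```python
"""Classify NTP private-mode (mode 7) packets seen on UDP/123.

Added example, not code from the original paper. Header fields follow
ntpd's ntp_request.h: rm_vn_mode, auth_seq, implementation, request,
err_nitems, mbz_itemsize. MON_GETLIST (20) and MON_GETLIST_1 (42) are
the monlist request codes. Sample packets below are constructed.
"""
import struct
from collections import defaultdict

MONLIST_CODES = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}


def parse_mode7(payload):
    """Return a dict describing a mode 7 packet, or None if it is not one."""
    if len(payload) < 8:
        return None
    b0, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(
        "!BBBBHH", payload[:8])
    if b0 & 0x07 != 7:                          # low 3 bits are the NTP mode
        return None
    return {
        "response": bool(b0 & 0x80),            # R bit: set on server replies
        "more": bool(b0 & 0x40),                # M bit: more reply packets follow
        "version": (b0 >> 3) & 0x07,
        "sequence": auth_seq & 0x7f,
        "implementation": impl,
        "request": req,
        "nitems": err_nitems & 0x0fff,          # high 4 bits carry the error code
        "itemsize": mbz_itemsize & 0x0fff,
    }


def classify(payload):
    """'monlist-request', 'monlist-response' or 'other'."""
    p = parse_mode7(payload)
    if p is None or p["request"] not in MONLIST_CODES:
        return "other"
    return "monlist-response" if p["response"] else "monlist-request"


def reflected_bytes(packets):
    """Monlist-response bytes per destination; a reflection victim receives
    replies to requests it never sent, so its address dominates this table."""
    totals = defaultdict(int)
    for _src, dst, payload in packets:
        if classify(payload) == "monlist-response":
            totals[dst] += len(payload)
    return dict(totals)


# Constructed samples: v2 mode 7 MON_GETLIST_1 request from impl 3 (xntpd);
# a reply with R and M bits set carrying 6 items of 72 bytes; a normal v4 client poll.
REQUEST = bytes([0x17, 0x00, 0x03, 0x2a]) + b"\x00" * 4
RESPONSE = bytes([0xd7, 0x00, 0x03, 0x2a]) + struct.pack("!HH", 6, 72) + b"\x00" * 432
CLIENT_POLL = bytes([0x23]) + b"\x00" * 47
PACKETS = ([("192.0.2.5", "198.51.100.20", REQUEST)]
           + [("198.51.100.20", "192.0.2.5", RESPONSE)] * 3
           + [("192.0.2.9", "198.51.100.20", CLIENT_POLL)])
```

Because monlist replies are split into many packets with the M bit set, counting bytes rather than packets per destination is what reveals the amplification the paper describes.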
ShodanHQ Results for NTP:
The image below shows how the amplification attack works.
NSE Script to scan open NTP Servers:
NTPD Monlist Command:
NTP Help Menu:
Mitigation:
With UDP-based amplification attacks on the rise, it is necessary for enterprises to take the necessary mitigation steps.
All attacks such as NTP amplification attacks and other UDP-based amplification attacks depend completely on spoofing of source IP addresses; if the attacker cannot spoof the IP address of the victim, then the attacker can only DDoS himself.
One of the easiest mitigation methods is updating NTP to version 4.2.7, which removes the MONLIST query entirely.
Another mitigation is to start the NTP daemon with an NTP config file that has noquery enabled, which disables access to MONLIST.
A further mitigation is to ensure that BCP38 is followed on your network. BCP38 is a "Best Current Practice" published by the IETF which outlines methods for filtering out packets injected into a network with a spoofed source address. This helps extensively in keeping your network safe from DDoS attacks.
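The configuration mitigations for both halves of the paper (the DNS "no recursion for non-local addresses" advice and the ntpd "noquery" / 4.2.7 advice above) can be checked mechanically. The following is an added example (not code from the original paper or from the BIND or ntpd projects) with two line-based audits: one for a BIND named.conf options block, one for an ntp.conf restrict line combined with the daemon version. The config texts are constructed samples, and the parsing is deliberately simple rather than a full grammar for either file.

```python
"""Audit BIND and ntpd configuration for open-reflector settings.

Added example, not from the original paper. Two line-based checks that
mirror the mitigations above: a named.conf that enables recursion with
no allow-recursion ACL (open resolver), and an ntp.conf whose
'restrict default' line lacks noquery on an ntpd older than 4.2.7
(monlist still reachable). Config texts below are constructed samples.
"""
import re


def audit_named_conf(text):
    """Findings for the options block of a BIND named.conf."""
    findings = []
    recursion_on = re.search(r"\brecursion\s+yes\s*;", text) is not None
    acl = re.search(r"allow-recursion\s*\{([^}]*)\}", text)
    if recursion_on and acl is None:
        findings.append("recursion yes without allow-recursion: open resolver")
    elif acl is not None:
        nets = [n.strip() for n in acl.group(1).split(";") if n.strip()]
        if "any" in nets:
            findings.append("allow-recursion { any; }: open resolver")
    return findings


def ntpd_has_monlist(version):
    """True for ntpd releases before 4.2.7, which still answer monlist."""
    parts = tuple(int(x) for x in re.findall(r"\d+", version)[:3])
    return parts < (4, 2, 7)


def audit_ntp_conf(text, version):
    """Findings for an ntp.conf; monlist only matters while the daemon
    still implements it and no 'restrict default ... noquery' blocks it."""
    findings = []
    if not ntpd_has_monlist(version):
        return findings
    defaults = [l for l in text.splitlines()
                if re.match(r"\s*restrict\s+(-[46]\s+)?default\b", l)]
    if not defaults:
        findings.append("no 'restrict default' line: monlist open to everyone")
    for line in defaults:
        if "noquery" not in line.split():
            findings.append("'%s' lacks noquery: monlist reachable" % line.strip())
    return findings


# Constructed sample configurations (weak setting beside the corrected one).
OPEN_NAMED = "options {\n    recursion yes;\n};\n"
SAFE_NAMED = "options {\n    recursion yes;\n    allow-recursion { 127.0.0.1; 192.0.2.0/24; };\n};\n"
WEAK_NTP = "driftfile /var/lib/ntp/drift\nrestrict default nomodify notrap\n"
SAFE_NTP = "restrict default kod nomodify notrap nopeer noquery\nrestrict 127.0.0.1\n"
```

The ntpd check deliberately treats an upgraded daemon as fixed regardless of ntp.conf, matching the paper's point that 4.2.7 removes MONLIST; on older daemons both the restrict line and the version should be checked.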