DNS AND NTP Based Amplification Attacks Nikhil.P.Kulkarni, Advait Joshi, Harsh Daftary, Suriya Prakash, Sabari Selvan, Yashin Mehaboobe. ©2014 Cyber Security and Privacy Foundation DNS-Reflection Attack : DNS reflection is a method used to perform Distributed Denial Of Service or commonly called as DDOS attack. The method had been used by attacker to take down critical network infrastructure and resource by using DNS server as a resource. DNS server responds back to the query by sending a response sufficiently larger than the query thus eventually causing DDOS. The system is based upon UDP and thus it does not follow the handshake like TCP. Attacker with spoofed IP address in the DNS request is capable of performing such attack by taking advantage of open DNS or misconfigured DNS. Fig: “dig” command used to query the information about cysecurity.org using ALL option. These attacks are usually categorized into three types: Repeating Query attack. Varying Query Attack. Distributed Attack. But this attack can be made even more powerful by Amplification. For an attacker to get this Amplification Attack working, it takes advantage of some of the features of DNS Protocols: The DNS response is generally larger than a DNS Query made, using this attacker tries to achieve this attack by spoofing a small query, which in turn generates a large response. The second being that the DNS Queries use UDP Transport, which makes it easier for an attacker to spoof the source address. ©2014 Cyber Security and Privacy Foundation The attacker identifies the set of resolvers that can be used as reflectors. Then from the compromised machines across the globe the attacker makes DNS Queries which is sent to the reflecting resolvers, with the spoofed source IP Address of the Victim. And then the reflecting servers process the queries and send the responses to the targeted IP Address. A botnet’s many amplified requests allows the attacker to initiate a large attack with small amount of outgoing bandwidth usage. At the victim’s side it is a bombarding of humongous amount of unrequested DNS responses from nameservers. And henceforth making it highly impossible to trace the attacker as the packets sent to the victim are not at all from the attacker’s machine directly and even more difficult to block the responses individually. There are some tools available on the internet that would perform such type of attacks. Although the number of misconfigured DNS servers are low because of the mitigation techniques and patches. One of the tool that is simple implementation of such attack was written by MARK OSBORNE. General Info: Tool is written in C language and uses built in network libs. Attacker needs to provide the basic information such as SPOOFED_IP, TARGET DNS, RESOLVER QUERY Uses raw sockets and implements UDP and DNS header structures. Working: After accepting the input parameters, it queries the DNS server with spoofed IP address provided by the attacker. It then outputs the information such as input parameters, query length, overall DNS length etc. Source: http://packetstormsecurity.com/files/122600/DNS-Reflection-Amplification-AttackTool.html ©2014 Cyber Security and Privacy Foundation Fig: Use of TOR to connect to botnet or other owned victims to perform amplification. Mitigations: 1. Firewall: Is capable of dropping the packets from the unknown or unwanted IP address. Desired configuration can reduce this attack upto some extent as IP address might change after some duration of time. 2. BCP38: The concept of amplification is related to spoofed IP address, BCP38 is the mechanism used to verify the IP address. ISP’s are responsible for implementing this mechanism. 3. Third party services: Premium services such as CloudFlare protects from such type of DDOS and helps to conceal the original IP address of the host. 4. Configuring DNS: Configure to identify the stealth DNS requests as well as no recursion to non-local IP address. Making sure the DNS server is not open DNS server. ©2014 Cyber Security and Privacy Foundation NTP Based Amplification Attacks. It is quite well known that the Internet Hosts across the globe use the Network Time Protocol to synchronize their clocks. Its ubiquitous use across the globe range from systems of various types and sizes. This is because of its accuracy and reliable for services such as authentication services, servers and phones as well. NTP is commonly used to sync times for systems over the Internet and local networks. If you've ever set the time on your PC or network router with an internet timer server, then you have used NTP. With NTP being used so widely it is necessary and important for the NTP infrastructure to be secure and moreover trustworthy. NTP generally runs on “UDP port 123”. As NTP is one of the protocols that is generally forgotten once it is configured by the administrators, and henceforth it is a Protocol that is not often updated on a regular basis, and this in turn leads to various NTP based Attacks. NTP Based Attacks have become quite common in the recent days with most of the Gaming and Online Services being targeted. As just like DNS, NTP is an UDP based protocol that can be used to return a large reply for a small request. In a reflection attack, generally an attacker spoofs his IP to the victim’s IP Address, and then sends a request to some vulnerable servers on the Internet, and when these servers reply, the reply will be sent to the victim’s IP that was forged. If the attacker makes requests to multiple vulnerable servers and they reply back to the victim at the same time hence the victim will face humongous amount of traffic. An NTP Reflection Attack becomes even stronger and powerful when it is amplified, this happens when a small request results in a large reply from the servers. Here the attacker generates large amount of UDP Packets with spoofing the Source IP, and then these UDP Packets are sent to NTP Servers on port 123 which support the MONLIST Command.(MONLIST is generally a remote command in previous versions of BTP that requests the list of last 600 hosts that had connected to that server). This MONLIST Command is a very useful recon tool for attackers. And if the NTP Server has its MONLIST being completely populated, then the response given to a MONLIST request will be 206 times than the actual request. Hence leading to a DDOS Attack on the victim. ©2014 Cyber Security and Privacy Foundation ShodanHQ Results for NTP: The below image shows how the Amplification attack works. ©2014 Cyber Security and Privacy Foundation NSE Script to scan open NTP Servers: NTPD Monlist Command: ©2014 Cyber Security and Privacy Foundation NTP Help Menu: Mitigation: So, with the kind of UDP based amplification attacks on the rise it is necessary for enterprises to take the necessary mitigation steps. All the attacks such as NTP Amplification attacks and other UDP based Amplification attacks completely depend on spoofing of Source IP Addresses. And if the attacker cannot spoof the IP Address of the victim, then the attacker can only DDOS himself. One of the easiest mitigation method includes updating the NTP to version 4.2.7, NTP version 4.2.7 removes the MONLIST query entirely. Or another mitigation would be starting the NTP Daemon with NTP Config file having noquery enabled, this disables access to the MONLIST. Another mitigation would be to ensure that BCP38 being followed on your network. BCP38 is “Best Current Practice” published by the IETF which outlines methods useful in filtering out packets which are injected with a spoofed source address into a network. Which helps extensively in keeping your network safe and away from DDOS Attacks. ©2014 Cyber Security and Privacy Foundation Other References: http://ntp.org/ http://www.nlnetlabs.nl/downloads/publications/report-rrl-dekoning-rozekrans.pdf http://www.hackcube.com/hacking.php?id=16 https://isc.sans.edu/diary/NTP+reflection+attack/17300 ©2014 Cyber Security and Privacy Foundation
© Copyright 2024 ExpyDoc