Internet Accessible NTP Monitor - ('monlist')
Description
The Network Time Protocol (NTP) is a protocol, used to synchronise the system time of a computer in a network.
NTP listens on port 123/UDP.
Problem
An Internet Accessible NTP Server, that responds to a ntpdc query, which includes the control message command 'monlist', can be abused for a Distributed Denial-of-Service (DDoS) Reflection/Amplification attack against a third party.
A DDoS Reflection/Amplification attack, based upon the exploitation of a ntpdc query, which includes the control message command 'monlist', has a Bandwidth Amplification Factor (BAF) of 556.9:1.
Background Information - Network Time Protocol
The NTP source distribution contains a background program (daemon or service) which synchronises the computer's system time to one or more external reference time sources which can be either other devices on the network, or a radio clock that is connected to the computer.
ntpdc
ntpdc is a special NTP query program, used to query the NTP daemon (ntpd) about its current state and to request changes in that state. The program can be run in interactive mode or controlled, using command line arguments. Information of the state and statistics of a NTP daemon (ntpd) are available through the ntpdc interface.
Control Message Commands
Control Message Commands are query commands, included as command line arguments in a ntpdc query, to request information from a NTP daemon (ntpd). They are read-only commands that make no modification to the configuration state of the NTP daemon (ntpd).
'monlist'
'monlist' is a control message command, included as a command line argument in a ntpdc query, to request and print the traffic counts collected and maintained by the monitoring facility of a NTP daemon (ntpd). The monitoring facility of a NTP daemon (ntpd) collects and maintains data of the Most Recently Used (MRU) hosts or clients that have communicated with the NTP daemon (ntpd). 'monlist' can display a maximum list of 600 entries.
NTP Mode 7 packets (ntpdc)
ntpdc uses NTP mode 7 packets to communicate with, and query a NTP daemon (ntpd), that permit it. Mode 7 packets are UDP packets, transmitted and received over port 123/UDP. These packets use the same structure (header, plus extension, plus optional MAC) as time synchronization messages, however the layout and semantics of the header fields are different. They are distinguished from time synchronisation packets by the Mode field, of the first octet of the NTP header, which has a value 7 (111).
NTP version 4.2.7p26
A NTP daemon (ntpd) configured with a software version prior to 4.2.7p26 will respond to a NTP Mode 7 ntpdc 'monlist' request. In version 4.2.7p26 and all subsequent versions, Mode 7 ntpdc queries have been disabled by default and the functionality of 'monlist' has been replaced by the control message command 'murlist' which uses Mode 6 UDP packets and a handshake procedure has been implemented to prevent it from being abused for DDoS Reflection/Amplification attack against a third party.
Verification
To establish if a host has an Internet accessible service, simple utility programs or tools included with the standard Linux/Ubuntu distribution can be utilised. The test should not be run on the host itself or from the local network, instead it should be run from a different node on the Internet.
To discover the version of NTP software of an Internet accessible NTP Monitor service, the 'Nmap' open source network scanner utility program can be utilised.
Nmap is used to discover hosts and services on a computer network by sending packets and analysing the responses.
Insert the IP address of the host you wish to check for an Internet Accessible NTP Monitor service when invoking the 'Nmap' open source network scanner utility program together with the options included in the following example.
$ sudo nmap -sU -p 123 -Pn --script ntp-info xxx.xxx.xxx.xxx
An Internet Accessible NTP Monitor service listening on port 123/UDP and configured with a ntpd software version prior to 4.2.7p26 will return information similar to that shown below:
$ sudo nmap -sU -p 123 -Pn --script ntp-info xxx.xxx.xxx.xxx
Starting Nmap 7.80 ( https://nmap.org ) at 2021-11-12 12:02 GMT
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.00015s latency).
PORT STATE SERVICE
123/udp open ntp
| ntp-info:
| receive time stamp: 2021-11-12T12:02:21
| version: ntpd 4.2.0-a Sat Sep 8 05:35:16 UTC 2018 (1)
| processor: powerpc
| system: JUNOS14.1X53-D47.6
| leap: 0
| stratum: 6
| precision: -18
| rootdelay: 23.778
| rootdispersion: 64.680
| peer: 47156
| refid: xxx.xxx.xxx.xxx
| reftime: 0xe653d4d2.a57b0e1d
| poll: 10
| clock: 0xe538d64d.22f9f705
| state: 4
| offset: -1.407
| frequency: -0.671
| jitter: 1.600
|_ stability: 0.086\x0D
Service Info: OS: JUNOS14.1X53-D47.6
Nmap done: 1 IP address (1 host up) scanned in 0.97 seconds
Options
sudo:root privileges is required for scan type.
-sU:UDP Scan.
-p 123:scan specified port - 123.
-Pn:No Ping.
--script:Run a nmap script scan.
ntp-info:nmap script that obtains time and configuration variables from an NTP server.
To request and print the traffic count collected and maintained by the NTP monitoring facility of the Internet Accessible NTP Monitor service, configured with a ntpd software version prior to 4.2.7p26, a ntpdc query, that includes the control message command 'monlist', as a command line argument, is used
The data printed will be similar to that shown below.
$ sudo ntpdc -n -c monlist xxx.xxx.xxx.xxx
remote address port local address count m ver rstr avgint lstint
===============================================================================
17.253.108.125 123 10.0.0.140 1 3 4 0 0 0
17.253.108.253 5056 10.0.0.140 168 4 4 0 585 871
44.155.254.17 42406 10.0.0.140 1 3 4 0 1704 1704
93.180.5.26 44329 10.0.0.140 1 3 4 0 3198 3198
119.84.40.54 35633 10.0.0.140 1 3 4 0 5367 5367
140.203.204.77 54444 10.0.0.140 1 3 4 0 17975 17975
145.238.203.14 39506 10.0.0.140 3 7 2 0 18039 18039
162.213.25.66 48658 10.0.0.140 1 7 2 0 24272 24272
176.31.159.65 34026 10.0.0.140 9 7 2 0 42280 42280
192.168.100.15 55462 10.0.0.140 3 7 2 0 53963 53963
193.1.185.37 37872 10.0.0.140 1 7 2 0 56020 25628
194.80.204.184 59515 10.0.0.140 2 6 2 0 58106 60331
212.82.106.33 35366 10.0.0.140 3 6 2 0 71706 71706
Special NTP query program
ntpdc:Special NTP query program.
Options
sudo:Elevated privileges are required.
-n:Output all host addresses in dotted-quad numeric format rather that converting to the canonical host names.
-c:The following argument is interpreted as an interactive format command and is added to the list of commands to be executed on the specified host.
Control Message Command
monlist:Obtain and print traffic counts collected and maintained by the NTP monitoring facility.
Solution
Upgrade the NTP daemon (ntpd) software to version 4.2.7p26 or later.
If it is not possible to upgrade the NTP daemon (ntpd) software to the latest version, Change the configuration of the NTP daemon (ntpd) to prevent queries from the NTP query program ntpdc.
Access Control Commands can be inserted into the NTP daemon configuration file, /etc/ntp.conf to prevent queries from the NTP query programs ntpdc and ntpq
Insert the following Access Control Commands into the file /etc/ntp.conf
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
Access Control Commands
restrict:Restrict or control access to the NTP service.
-4:Force DNS resolution of following host name on command line to IPv4 namespace.
-6:Force DNS resolution of following host name on command line to IPv6 namespace.
default:Text string, with no mask option, is used to indicate the default entry. (address 0.0.0.0, mask 0.0.0.0)
kod:Kiss-o-death packet sent to reduce unwanted queries.
notrap:Deny ntpdc control message protocol traps.
nomodify:Deny ntpdc and ntpq queries which attempt to modify the state of the NTP (ntpd) server.
nopeer:Deny unauthenticated packets which would result in mobilizing a new association.
noquery:Deny ntpdc and ntpq queries. Time service is not affected.
Restart the NTP service for the access control commands inserted into /etc/ntp.conf to take effect.
/etc/init.d/ntp restart
Alternatively
Disable NTP monitoring.
Insert the Miscellaneous option disable monitor into the file /etc/ntp.conf
disable monitor
Miscellaneous Options
disable:Disable a NTP server option.
monitor:monitoring facility.
Restart the NTP service for the Miscellaneous options inserted into /etc/ntp.conf to take effect.
/etc/init.d/ntp restart
Supplementary Information
Ingress & Egress Filtering
Filter | Description |
---|---|
Ingress Filtering | Ingress filtering is a simple and effective method to limit the impact of DoS attacks, by denying traffic with a forged IP source address (IP spoofing) access to the network, and to help ensure that traffic is traceable to its correct network. |
Egress Filtering | Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on networks of other organisations, by preventing traffic with a forged source (spoofed) IP address from leaving the network. Port used for remote syslog capture |
The implementation of best practice in relation to Ingress filtering limits the impact of a Denial
of Service (DoS) attack on one's own network while the implementation of best practice in relation to
Egress filtering limits the impact of a compromised network in a Denial of Service (DoS) attack on
networks of other organisations. Additional information on Ingress & Egress Filtering can
be found at the following link -
Ingress & Engress Filtering
UDP Based Denial-of-Service (DoS) Attack
The User Datagram Protocol (UDP), a generic carrier for several higher-level protocols, has a
number of properties that makes it susceptible to exploitation for DoS attacks against third parties.
Additional information on the components and techniques deployed in an UDP based DoS attack can be found
at the following link -
UDP Based Denial-of-Service (DoS) Attack
Additional Information
RFC1305 - NTP Version 3: Specification, Implementation and AnalysisRFC5905 - NTP Version 4: Protocol and Algorithms Specification
Shadowserver - Open NTP Monitor (Mode 7) Scanning Project
IETF - Network Time Protocol Best Current Practices
ntpdc - special NTP query program
FreeBSD Manual Pages - ntp.conf
NTPD Access Restrictions
Meinberg Security Advisory:NTP Monlist Network Traffic Amplification Attacks
Carnegie Mellon University - NTP can be abused to amplify DoS attack traffic
Understanding and mitigating NTP-based DDoS attacks
How to detect NTP Amplification DoS Attacks
Preventing NTP Reflection Attacks
NTP reflection DDoS attacks
Nmap.org - File ntp-monlist
CVE-2013-5211
Professor David L. Mills - University of Delaware - Site Map
Network Time Protocol (NTP)