Join Malcolm Shore for an in-depth discussion in this video Using NTP to amplify attacks, part of Ethical Hacking: Denial of Service.
- [Voiceover] A reflection attack takes place when we send a packet to a server, and have it reply not to us, but to the target. We can achieve this easily by spoofing the source address in the packet. An amplification attack takes place when we send a packet to a server and get a significantly larger packet sent back to the target in reply. Both reflection and amplification attacks typically involve sending packets to many thousands of servers in a distributed denial of service attack. Let's have a look at the basics of an NTP attack.
I'll start by looking at the Ubuntu server which I have on the virtual network running the NTP service. I can check what services are running in Ubuntu by entering the command, service, minus, minus, status, all, more. We can see that the NTP server is shown with a plus. It's running. Okay, let's see how it's configured. This shows me that the service is running, and is connected to four authoritative time servers.
Okay, we have a service here. Before I go, I'll open the server configuration, which is in slash, et cetera, slash, NTP dot conf. I'll just go down a ways, and we can see the restrictions on access. Many NTP servers, such as this one, have included restrictions to ensure, amongst other things, that they can't be used for reflection attacks. Because I'm going to demonstrate the attack across two networks, I'll comment out the restrictions, and restart the server.
Okay, just before we go, I'll check the IP address. And we can see that it's ten dot naught, dot two, dot nine. Back in Kali, I'll open a terminal window, and I'll ping the NTP server to make sure I can see it. Okay, we're able to see the server. We can use Nmap to check the services there.
We can see that the UDP port, one two three, is open, running NTP. And because the time server is running on my local network, I can also see the MAC address of the server. I'll next send a standard request for the time to the server by using one of Nmap's scripts. This provides a response with the time stamp. The request used in the amplification attack is called the mon-list, which sends back the list of servers that the NTP service has used, and this can be substantially bigger.
I'll set up Wireshark from the sniffing menu, and put in a filter for capturing everything to and from the NTP server. I'll now send the NTP mon-list command. Okay, we've got the response back, and I'll stop the packet capture now. We can see that the request went across as a 44-byte header, and a 48-byte NTP packet.
And the response is a 44-byte header, and a 440-byte NTP packet, close to 10 times the amplification. In the wild, mon-list can deliver up to 50 times the amplification. The last thing to do is spoof the source address. VPN guy has a GitHub repository, which demonstrates this using Python. And I've created a short version of this, to demonstrate. Let's look at the code. I'll go to my NTP DOS directory and I'll open up an editor to look at the NTP DOS code.
At the top, we see the libraries to include, followed by the main function, deny, which constructs and sends the NTP packet. This is a multi-threaded script, so the first thing we need to do is establish some global variables. Then we pick the next NTP server to use from the list, and increment the server index. Then, we construct the packet IP header, which has the target specified as the source address, the UDP header which has port one, two, three for the NTP server, and the NTP payload. Then we send the packet, and we'll continue in a loop, until we terminate it.
The next few lines are at the start of the program and copy in the command line arguments. For clarity, I've left out the original error-checking code. Note we construct the NTP data payload as an eight-byte packet starting with hexadecimal 17. The final piece of code is the main loop which spawns the threads for each NTP server in the list. As you can see, the NTP DOS program is very simple, and uses basic networking scripted commands. Its power comes from having access to a large number of unrestricted NTP servers, and the amplification effect of the mon-list command.
Okay, let's see it in action. I set up a file with my one NTP server in it. Okay, now I'll run the Python script. I've set Wireshark up on the Windows 10 server, and filtered it to only display the packets that are coming to UDP port 48947. Let's start it. We can see the NTP response packets arriving at the target Windows server.
These are coming in slowly, and with modest amplification. But with a large enough list of NTP servers, this can be very effective, as it was in the global NTP attack that took place in February 2014, which used around 4,000 servers.
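As an added example (not code from the course or from the script shown in the video), here is a small defender-side decoder for the NTP traffic the capture shows: it parses the mode-7 header that begins with hexadecimal 17, flags mon-list requests and their oversized replies, and computes the amplification ratio from the 48-byte request and 440-byte response sizes measured in Wireshark. The packet samples and the 10.0.2.15 address are constructed; 10.0.2.9 and port 48947 are the values from the video.

```python
import struct

NTP_PORT = 123
# Mode-7 ("private") request codes from ntpd's ntp_request.h
MON_GETLIST = 20
MON_GETLIST_1 = 42

def parse_ntp(payload: bytes) -> dict:
    """Decode the header bits common to all NTP modes; mode 7 gets its extra fields."""
    if not payload:
        raise ValueError("empty payload")
    b0 = payload[0]
    info = {"version": (b0 >> 3) & 0x07, "mode": b0 & 0x07,
            "response": False, "request_code": None}
    if info["mode"] == 7 and len(payload) >= 8:
        # Mode 7 layout: [R|M|VN|Mode][A|Seq][Impl][ReqCode][Err|Count][MBZ|Size]
        info["response"] = bool(b0 & 0x80)       # R bit: reply rather than request
        info["request_code"] = payload[3]
        err_count, mbz_size = struct.unpack("!HH", payload[4:8])
        info["count"] = err_count & 0x0FFF        # number of data items carried
        info["item_size"] = mbz_size & 0x0FFF     # bytes per item (72 for mon-list)
    return info

def classify(payload: bytes) -> str:
    """Label one UDP/123 payload the way a DoS detection rule would."""
    info = parse_ntp(payload)
    if info["mode"] != 7:
        return "ntp-standard"                     # ordinary client/server time exchange
    if info["request_code"] in (MON_GETLIST, MON_GETLIST_1):
        return "monlist-response" if info["response"] else "monlist-request"
    return "mode7-other"

def amplification(request_len: int, response_len: int) -> float:
    """Bytes returned per byte sent; the video measured 48 in and 440 out."""
    return response_len / request_len

def audit(packets):
    """packets: iterable of (src_ip, dst_ip, dst_port, payload); returns findings."""
    findings = []
    for src, dst, dport, payload in packets:
        label = classify(payload)
        if label == "monlist-request" and dport == NTP_PORT:
            findings.append(f"{src} sent mon-list to NTP server {dst}")
        elif label == "monlist-response":
            findings.append(f"{src} returned {len(payload)}-byte mon-list to {dst}")
    return findings

# Constructed samples (not the course's capture), sized to match the video's numbers.
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, MON_GETLIST_1]) + b"\x00" * 4  # 0x17: v2, mode 7
MONLIST_RESPONSE = (bytes([0x97, 0x00, 0x03, MON_GETLIST_1])             # 0x97: R bit set
                    + struct.pack("!HH", 6, 72) + b"\x00" * (6 * 72))     # 8 + 6*72 = 440
TIME_REQUEST = bytes([0x1B]) + b"\x00" * 47                              # v3, mode 3 client

if __name__ == "__main__":
    sample = [("10.0.2.15", "10.0.2.9", 123, MONLIST_REQUEST),           # 10.0.2.15 constructed
              ("10.0.2.9", "10.0.2.15", 48947, MONLIST_RESPONSE)]
    print("\n".join(audit(sample)), f"\namplification: {amplification(48, 440):.1f}x")
```

On the server side the same traffic is prevented by keeping the restrictions the video comments out: `noquery` on the restrict lines and `disable monitor` in ntp.conf turn off mon-list replies altogether.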
Note: Our Ethical Hacking series will map to the 18 parts of the EC-Council's certification exam. This course maps to the 09 Denial of Service domain.