Abusing Network Time Protocol (NTP) to perform massive Reflection DDoS attack
In 2013, we have seen a significant increase in the use of a specific distributed denial of service (DDoS) methodology known as Distributed Reflection Denial of Service attacks (DrDoS). Open and misconfigured DNS (Domain Name System) can be used by anyone to resolve domain names to IP addresses are increasingly abused to launch powerful DDoS attacks.
But not only the DNS servers, Security Researchers at Symantec have spotted Network Time Protocol (NTP) reflection DDoS attacks being launched by cyber criminals during the Christmas Holidays.

'Network Time Protocol (NTP)' is a distributed network clock time synchronization protocol that is used to synchronize computer clock times in a network of computers and runs over port 123 UDP.
NTP is one of those set-it-and-forget-it protocols that is configured once and most network administrators don't worry about it after that. Unfortunately, that means it is also not a service that is upgraded often, leaving it vulnerable to these reflection attacks.
Same as DNS Reflection attack, the attacker sends a small spoofed 8-byte UDP packets are sent to the vulnerable NTP Server that requests a large amount of data (megabytes worth of traffic) be sent to the DDoS's target IP Address. CVE assigned to the NTP vulnerability is CVE-2013-5211.
In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older version of NTP that sends the requester a list of the last 600 hosts who have connected to that server. For attackers the monlist query is a great reconnaissance tool.
On December 16, there were almost 15000 IP addresses involved in the NTP DDoS attack. These servers can be thought of as passive botnet members since the attacker can passively gather large lists of them.

If you manage a public NTP server, can fix the issue by updating it to NTP 4.2.7, for which the support of 'monlist' query has been removed in favor of new safe 'mrunlist' function which uses a nonce value ensuring that received IP address match the actual requester.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.