# NTP DoS Attack?



## tuaris (Feb 10, 2014)

Today I noticed a high amount of outbound bandwidth and after a few hours of trying to track it down, it looks like it was being caused by my NTP server on my FreeBSD box.  A tcpdump revealed the following:


```
18:51:51.708284 IP (tos 0x0, ttl 64, id 5179, offset 0, flags [none], proto UDP (17), length 468)
    192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 440
        Reserved, Leap indicator: clock unsynchronized (192), Stratum 27 (reserved), poll 3s, precision 42
        Root Delay: 6.001098, Root dispersion: 9.866180, Reference-ID: 0.3.94.202
          Reference Timestamp:  0.000000001
          Originator Timestamp: 3425369346.752563534 (2008/07/18 07:29:06)
          Receive Timestamp:    1.720032155 (2036/02/07 01:28:17)
          Transmit Timestamp:   0.000000000
            Originator - Receive Timestamp:  +869597950.967468619
            Originator - Transmit Timestamp: +869597949.247436463
18:51:51.708318 IP (tos 0x0, ttl 64, id 5180, offset 0, flags [none], proto UDP (17), length 468)
    192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 440
        Reserved, Leap indicator: clock unsynchronized (192), Stratum 28 (reserved), poll 3s, precision 42
        Root Delay: 6.001098, Root dispersion: 0.000000, Reference-ID: 0.11.217.223
          Reference Timestamp:  0.000000000
          Originator Timestamp: 1191617992.752563534 (1937/10/05 15:59:52)
          Receive Timestamp:    1.699234426 (2036/02/07 01:28:17)
          Transmit Timestamp:   0.000000000
            Originator - Receive Timestamp:  -1191617991.053329106
            Originator - Transmit Timestamp: -1191617992.752563536
18:51:51.708352 IP (tos 0x0, ttl 64, id 5181, offset 0, flags [none], proto UDP (17), length 468)
    192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 440
        Reserved, Leap indicator: clock unsynchronized (192), Stratum 29 (reserved), poll 3s, precision 42
        Root Delay: 6.001098, Root dispersion: 0.000030, Reference-ID: 0.27.148.169
          Reference Timestamp:  0.000000000
          Originator Timestamp: 3232235522.752563534 (2002/06/04 23:12:02)
          Receive Timestamp:    1.001877010 (2036/02/07 01:28:17)
          Transmit Timestamp:   0.000000000
            Originator - Receive Timestamp:  +1062731774.249313473
            Originator - Transmit Timestamp: +1062731773.247436463
18:51:51.708385 IP (tos 0x0, ttl 64, id 5182, offset 0, flags [none], proto UDP (17), length 468)
    192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 440
        Reserved, Leap indicator: clock unsynchronized (192), Stratum 30 (reserved), poll 3s, precision 42
        Root Delay: 6.001098, Root dispersion: 0.094879, Reference-ID: 0.35.104.97
          Reference Timestamp:  0.000002965
          Originator Timestamp: 3325715693.752563534 (2005/05/21 21:54:53)
          Receive Timestamp:    1.001877070 (2036/02/07 01:28:17)
          Transmit Timestamp:   0.000000000
            Originator - Receive Timestamp:  +969251603.249313533
            Originator - Transmit Timestamp: +969251602.247436463
18:51:51.708419 IP (tos 0x0, ttl 64, id 5183, offset 0, flags [none], proto UDP (17), length 396)
    192.168.0.248.123 > 178.217.184.17.9987: NTPv2, length 368
        Reserved, Leap indicator: -1s (128), Stratum 31 (reserved), poll 3s, precision 42
        Root Delay: 5.001098, Root dispersion: 1.317703, Reference-ID: 0.99.52.36
          Reference Timestamp:  0.000000001
          Originator Timestamp: 1165526542.752563534 (1936/12/07 16:22:22)
          Receive Timestamp:    1.860595882 (2036/02/07 01:28:17)
          Transmit Timestamp:   0.000000000
            Originator - Receive Timestamp:  -1165526540.891967654
            Originator - Transmit Timestamp: -1165526542.752563536
```

I turned off the ntpd server and the traffic stopped.  I had port 123 UDP forwarded on the firewall. I had set that up years ago and I don't believe I need it?  I have now turned that off.

Is it possible to do a DoS attack using NTP?  That would be new to me.
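As an added example that is not part of the original post, here is a small Python script that reads the verbose `tcpdump` output shown above and flags oversized replies leaving udp/123. A normal NTP time packet is 48 bytes of payload (up to 68 with an authentication MAC); the 440- and 368-byte "NTPv2" datagrams in the capture are mode-7 monlist replies, which is what a reflection looks like from the server's own side. The sample capture is constructed to mirror the post's format, with made-up documentation-range addresses; the script and its thresholds are assumptions, not anything from the thread.

```python
import sys
import re
from collections import defaultdict

# Constructed sample in the format of `tcpdump -v` (addresses made up). The first three
# flows mirror the oversized "NTPv2, length 440/368" replies in the post; the last two
# are an ordinary 48-byte client/server exchange that must not be flagged.
SAMPLE_TCPDUMP = """\
18:51:51.708284 IP (tos 0x0, ttl 64, id 5179, offset 0, flags [none], proto UDP (17), length 468)
    192.168.0.248.123 > 203.0.113.17.9987: NTPv2, length 440
        Reserved, Leap indicator: clock unsynchronized (192), Stratum 27 (reserved), poll 3s, precision 42
18:51:51.708318 IP (tos 0x0, ttl 64, id 5180, offset 0, flags [none], proto UDP (17), length 468)
    192.168.0.248.123 > 203.0.113.17.9987: NTPv2, length 440
18:51:51.708419 IP (tos 0x0, ttl 64, id 5183, offset 0, flags [none], proto UDP (17), length 396)
    192.168.0.248.123 > 203.0.113.17.9987: NTPv2, length 368
18:51:52.100000 IP (tos 0x0, ttl 64, id 5200, offset 0, flags [none], proto UDP (17), length 76)
    192.168.0.248.123 > 198.51.100.5.123: NTPv4, length 48
18:51:52.100050 IP (tos 0x0, ttl 64, id 5201, offset 0, flags [none], proto UDP (17), length 76)
    198.51.100.5.123 > 192.168.0.248.123: NTPv4, length 48
"""

# The flow line tcpdump prints for each NTP datagram: src.port > dst.port: NTPvN, length N
FLOW_RE = re.compile(
    r"^\s*(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"NTPv(?P<ver>\d), length (?P<len>\d+)$"
)

# An ordinary NTP time packet is 48 bytes, or up to 68 with an authentication MAC.
# Mode-7 monlist replies run to several hundred bytes (tcpdump decodes them as "NTPv2"
# with nonsense timestamps, as in the capture above), so a reply from udp/123 well
# above this size is not time service. The threshold is this example's assumption.
MAX_TIME_PACKET = 68


def find_suspected_reflection(capture: str, server_ip: str) -> dict:
    """Map 'dst:port' -> (packet_count, payload_bytes) for oversized replies server_ip sent from udp/123."""
    hits = defaultdict(lambda: [0, 0])
    for line in capture.splitlines():
        m = FLOW_RE.match(line)
        if m is None or m["src"] != server_ip or m["sport"] != "123":
            continue
        length = int(m["len"])
        if length <= MAX_TIME_PACKET:
            continue  # normal-sized reply, leave it alone
        key = f"{m['dst']}:{m['dport']}"
        hits[key][0] += 1
        hits[key][1] += length
    return {k: (v[0], v[1]) for k, v in hits.items()}


def worst_destination(hits: dict):
    """The destination receiving the most bytes: the likely spoofed victim of the reflection."""
    if not hits:
        return None
    return max(hits.items(), key=lambda kv: kv[1][1])[0]


if __name__ == "__main__":
    # Usage: tcpdump -n -v -i em0 udp port 123 | python3 ntp_reflect.py 192.168.0.248
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.248"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TCPDUMP
    for dst, (n, nbytes) in sorted(find_suspected_reflection(text, server).items()):
        print(f"{dst}: {n} oversized replies, {nbytes} bytes")
```

Run against a live capture the output gives, per destination, how many oversized replies the server sent and how many bytes, so the spoofed victim stands out immediately; the payload size, not the packet rate, is the signal, because a busy but healthy server still answers only in 48-byte packets.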


----------



## tuaris (Feb 10, 2014)

Even with the port forward turned off I am still seeing a lot of NTP traffic:


```
19:02:10.149657 IP (tos 0x0, ttl 64, id 13019, offset 0, flags [none], proto UDP (17), length 324)
    192.168.0.248.123 > 108.251.139.46.80: NTPv2, length 296
        Reserved, Leap indicator: -1s (128), Stratum 1 (primary reference), poll 3s, precision 42
        Root Delay: 4.001098, Root dispersion: 0.000030, Reference-ID: ^@^@^@^M
          Reference Timestamp:  0.000000002
          Originator Timestamp: 3638870068.752563534 (2015/04/24 09:14:28)
          Receive Timestamp:    1.001877070 (2036/02/07 01:28:17)
          Transmit Timestamp:   0.000000000
            Originator - Receive Timestamp:  +656097228.249313533
            Originator - Transmit Timestamp: +656097227.247436463
```


----------



## worldi (Feb 10, 2014)

tuaris said:
> I turned off the ntpd server



Excellent idea! Have you googled "ntp ddos" recently?


----------



## scottro (Feb 10, 2014)

One quick fix is to install openntpd and change your /etc/rc.conf entry from ntpd_enable to openntpd_enable. 

Older versions of ntpd have a monlist command that is being used for many of these attacks.


----------



## nanotek (Feb 10, 2014)

tuaris said:
> Today I noticed a high amount of outbound bandwidth and after a few hours of trying to track it down, it looks like it was being caused by my NTP server on my FreeBSD box.  A tcpdump revealed the following:
> 
> 
> ```
> ...
> ```



It's actually been popular lately. `freebsd-update` should patch it (if you're running a supported version). Alternatively, see how to patch it here: http://bsdbox.co/2014/01/18/ntp-drdos-a ... on-attack/


----------



## Kitche (Feb 10, 2014)

Yup. It's an NTP reflection attack. Make sure you're up to date.


----------



## fonz (Feb 10, 2014)

My ISP blocked my home connection yesterday because of the same thing. Please read this security advisory. It contains a number of solutions.

Tip of the day: to test whether you're still vulnerable, try `ntpdc -n -c monlist $IP` and `ntpq -c rv $IP` from another machine (substitute the (external) IP address of your server for $IP). If these give other output than an error message, you're still vulnerable.


----------



## wblock@ (Feb 10, 2014)

There was a security advisory about this nearly a month ago.  If you have not subscribed to the freebsd-security-notifications mailing list, now would be a good time.


----------



## fonz (Feb 10, 2014)

wblock@ said:
> If you have not subscribed to the freebsd-security-notifications mailing list, now would be a good time.


Especially since the SAs no longer automagically _[sic]_ appear on this forum.


----------



## manas (Feb 18, 2014)

I was informed by my host at transip.eu that my VPS running FreeBSD 9.1-RELEASE was participating in a NTP DOS attack. I had enabled ntpd from the installation menu that asks which services I would like to enable, mistaking it for ntpdate. So the NTP daemon was listening on the default port with all the default settings as I had never looked at the configuration file and someone must have found out that it supported the monlist command. This person then spoofed traffic and used my bandwidth to attack someone else, which is not nice at all.

I have since disabled ntpd as I have no need for it and enabled ntpdate instead, which was what I originally required. (I have also run freebsd-update on the VPS, bringing it up to date.)


----------



## tingo (Feb 20, 2014)

fonz said:
			
		

> If these give other output than an error message, you're still vulnerable.


And if one or both error messages are a timeout, you might still be vulnerable. If you suspect that your ntpd is under attack, it is easy to find out: `# service stop ntpd` on the suspect machine, and the Internet traffic should drop in a way that you will notice. The load average might also drop, depending on what else is running on your machine. (Yes - I found out this "the hard way". Luckily I found out before my ISP or someone else noticed.)


----------



## Lateralus (Feb 21, 2014)

*ntpdc*

_[Merged into existing thread. -- mod.]_

Hello world!

This is my first thread. I am a newbie at FreeBSD. Recently I have been DDoSed by NTP reflection attacks and I upgraded my NTP to 4.2.7. Vulnerable commands such as monlist have been removed. But I still get attacks. I also noticed that the `ntpdc monlist` command still works and I was wondering how I can remove ntpdc. I don't know which is the port file of ntpdc. Also the `ntpdc --version` command shows me 4.2.4. Here is a one-line example from the DDoS report that my hosting company gave me.

```
2014.02.16 20:46:58 UDP: **.***.**.**:123 -> *.***.***.***:**** flags: 0x10 size: 486
```


----------



## fonz (Feb 21, 2014)

*Re: ntpdc*

There have been issues recently with (the base system's) NTP. This thread discusses that as well. Exactly which version of FreeBSD are you running?


----------



## Lateralus (Feb 22, 2014)

*Re: ntpdc*

Hi @fonz, thanks for your response and your corrections. Sorry for posting in the wrong forum; please move it to the right one. I am running FreeBSD 10.0. I have tried removing ntpd but ntpdc commands still work. ntpdc is located in /usr/sbin/. Do you have any idea what I can do to remove it? I am having serious problems because my server gets null routed by my hoster for many hours each time this attack happens.


----------



## kpa (Feb 22, 2014)

*Re: ntpdc*

Do you need to expose the ntpd(8) service to the Internet? If you aren't exposing it to the Internet then I don't understand what removing the ntpd binary would help. Also you have to understand that the ntpdc tool is for detecting the vulnerability (in other words it's a diagnostic tool), removing it won't help anything. 

Did you actually stop and disable the ntpd service before you tried anything else?


----------



## SirDice (Feb 22, 2014)

*Re: ntpdc*

The NTP issue was fixed before 10.0-RELEASE came out. Yours shouldn't be vulnerable.

http://www.freebsd.org/security/advisor ... 2.ntpd.asc


----------



## kpa (Feb 22, 2014)

*Re: ntpdc*

So the OP is actually the DDoS victim and not a participant? If he gets "nullrouted" (whatever that means?) by his ISP for being a victim it's an unbelievably stupid action by them.


----------



## SirDice (Feb 22, 2014)

*Re: ntpdc*

kpa said:

> So the OP is actually the DDoS victim and not a participant?


That's very much a possibility.



> If he gets "nullrouted" (whatever that means?)


Blackhole filtering is a more common term I believe. It simply means his packets are sent to the bit-bucket, effectively cutting him off. 

http://en.wikipedia.org/wiki/Null_route



> by his ISP for being a victim it's an unbelievably stupid action by them.


Most ISP helpdesk employees do not have a very good understanding of TCP/IP.


----------



## Lateralus (Feb 23, 2014)

*Re: ntpdc*

So by having FreeBSD 10.0-RELEASE, am I supposed to be secure from all the known vulnerabilities? Or do I have to upgrade my packages too? Also I have found another command that works, `ntpq monlist`. Is this supposed to be a diagnostic tool too?


----------



## fonz (Feb 23, 2014)

*Re: ntpdc*

Lateralus said:

> So by having FreeBSD 10.0-RELEASE am I supposed to be secure from all the known vulnerabilities?


You could always do a `freebsd-update fetch`. If the list of files that will be changed includes anything ntp-related, you'll probably want to follow up with `freebsd-update install` (or upgrade from source, if you like).

Lateralus said:

> Or do I have to upgrade my packages too?


Since ntpd is in the base system, packages have nothing to do with it.

Lateralus said:

> Also I have found another command that works, `ntpq monlist`. Is this supposed to be a diagnostic tool too?


ntpq(8) is indeed sort of a diagnostic/monitoring tool. Whether its output is ok or indicative of a problem depends on the exact command you issued.


----------



## wblock@ (Feb 23, 2014)

*Re: ntpdc*

The latest version of /etc/ntp.conf disables the insecure commands: http://svnweb.freebsd.org/base/head/etc/ntp.conf?revision=259973&view=markup.
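As an added example (not from the page, and not FreeBSD's ntp.conf or a tool of the NTP project), here is a Python audit of an ntp.conf text for the two mitigations that close monlist: `disable monitor`, which empties the table monlist hands out, and `noquery` on the default `restrict` line, which makes ntpd refuse ntpq/ntpdc (mode 6/7) queries while still answering ordinary time requests. The two config fragments are constructed. The parser assumes a bare `restrict default` applies to both address families; configurations that spell out separate `-4` and `-6` lines are handled as well.

```python
import sys

# Two constructed ntp.conf fragments (not FreeBSD's file). WEAK_CONF has the shape of an
# untouched, fully open configuration; HARDENED_CONF applies both mitigations.
WEAK_CONF = """\
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict default
"""

HARDENED_CONF = """\
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
# answer time requests only; no ntpq/ntpdc queries, no runtime modification
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
"""


def _strip_comment(line: str) -> str:
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def audit_ntp_conf(conf: str) -> dict:
    """Check an ntp.conf text for the two monlist mitigations.

    monitor_enabled: False once 'disable monitor' is in effect (monlist then has nothing to return)
    default_noquery: per address family, whether the 'restrict default' line carries noquery
    hardened: monitor disabled, or noquery on the default restriction of both families
    """
    monitor_enabled = True  # ntpd's default
    default_noquery = {"-4": False, "-6": False}  # no 'restrict default' at all means wide open
    for raw in conf.splitlines():
        toks = _strip_comment(raw).split()
        if not toks:
            continue
        if toks[0] in ("enable", "disable") and "monitor" in toks[1:]:
            monitor_enabled = toks[0] == "enable"  # last directive wins
        elif toks[0] == "restrict":
            rest = toks[1:]
            families = ("-4", "-6")  # assumption: a bare 'default' covers both families
            if rest and rest[0] in families:
                families, rest = (rest[0],), rest[1:]
            if rest and rest[0] == "default":
                for fam in families:
                    default_noquery[fam] = "noquery" in rest[1:]
    hardened = (not monitor_enabled) or all(default_noquery.values())
    return {
        "monitor_enabled": monitor_enabled,
        "default_noquery": default_noquery,
        "hardened": hardened,
    }


if __name__ == "__main__":
    # Usage: python3 ntpconf_audit.py /etc/ntp.conf
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ntp.conf"
    with open(path) as fh:
        print(audit_ntp_conf(fh.read()))
```

The audit deliberately treats a missing `restrict default` line as open, because that is ntpd's behaviour: with no restriction configured, every address may issue mode-7 queries. It is a static check of the file, so after changing it, restart ntpd and repeat the remote `ntpdc -n -c monlist` test from earlier in the thread to confirm the running daemon matches the file.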


----------

