Cisco Event Response: Network Time Protocol Amplification Distributed Denial of Service Attacks
Threat Summary: February 25, 2014
This information has been produced in response to the recent Network Time Protocol (NTP) amplification distributed denial of service (DDoS) attacks observed on the Internet. Based on a limited set of customer packet captures Cisco has examined, current inbound amplification flows show the following characteristics:
UDP source port 123
UDP destination port 80
Packet size of 482 bytes
Keep in mind that the preceding characteristics were seen on a limited number of customer networks. It is expected that variations on the UDP source port, UDP destination port, and total packet size will be seen.
The vulnerability stems from NTP's optional management modes. RFC 5905 defines Mode 6 (control) and reserves Mode 7 for private, implementation-specific use; NTP servers, notably the reference ntpd implementation, will process these command requests from any source unless explicitly restricted.
In summary, the attack abuses NTP servers that answer Mode 7 requests from unauthenticated clients with very large responses. The request is tiny (a Mode 7 request is only 8 bytes), while the total response can be up to about 5,500 times that size.
Cisco Security Intelligence Operations Analysis
The attack is based on a very simple premise:
An NTP server that answers the Mode 7 MONLIST command returns its list of recently seen clients (up to 600 entries), a response roughly 5,500 times larger than the 8-byte request. Because UDP involves no handshake, the attacker can forge the source address: a large number of these requests are sent to many known public NTP servers with the victim's address as the source, and each server delivers its oversized response to the victim.
There are three key points regarding this vulnerability:
An NTP server that is "open" to Mode 7 requests can receive a huge number of them and is forced to generate responses up to 5,500 times larger than the original requests.
The vulnerable NTP servers act as UDP reflectors in attacks against targets that may have no NTP servers or NTP clients on their networks at all. Regardless, these targets receive a flood of unsolicited UDP traffic aimed at a destination port of the attacker's choosing (the attacker selects it by setting the source port of the spoofed request; port 80 in the captures cited above).
The network whose address is forged as the source of the request barrage (the victim) finds itself under a huge flow of unsolicited NTP responses.
Keep in mind that, although the characteristics of this attack use NTP packets, this series of attacks is in no way different from typical reflected DDoS amplification attacks. Networks are being sent a flood of unsolicited packets that can grow significantly in both size and speed.
The Mode 7 monlist vulnerability is tracked as CVE-2013-5211 (Common Vulnerabilities and Exposures). The CERT/CC vulnerability note (VU#348126) is posted at http://www.kb.cert.org/vuls/id/348126
Mitigation options for networks receiving the reflected flood include:
Packet scrubbing using Arbor, Prolexic, or similar services as far upstream as possible (covered in the DDoS white paper listed in References)
Rate limiting NTP flows as close to the Internet Edge as possible
Working with peering ISP(s) to throttle some of the traffic before it gets to the organization's Internet edge
Filtering out packets to/from UDP port 123 based on packet size (that is, larger than 90 bytes for IPv4 and 110 bytes for IPv6). An unauthenticated NTP time packet is 48 bytes of payload, 76 bytes with IPv4 and UDP headers (96 with IPv6), so allowing packets below these sizes should still let time-sync requests and responses work, while the filter stops the large Mode 7 responses used in these amplification attacks (Source: NANOG Mailing List). Note that the filter passes the small Mode 7 requests themselves; it shields the victim from the responses and stops your own open servers from delivering them. It also drops legitimate traffic that exceeds the threshold, such as symmetric-key authenticated NTP (a 68-byte payload, 96 bytes with IPv4/UDP headers) and packets carrying NTPv4 extension fields. This filtering should be used solely to mitigate these attacks and should not be implemented permanently.
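The following added example (not Cisco's code) applies the size-based filter from the last mitigation item to a set of constructed packet records, so the trade-off is visible before the rule is pushed to an edge device: ordinary time packets and the 8-byte Mode 7 requests pass, the 440-byte reflected monlist response is dropped, and symmetric-key authenticated NTP becomes collateral damage. The IP/UDP/Ethernet header lengths and NTP payload sizes are standard; the sample records are constructed, not taken from a capture.

```python
"""Packet-size filter for UDP/123, as described in the mitigation list above.

Added example (not Cisco's code). It applies the NANOG-suggested thresholds
(IPv4 > 90 bytes, IPv6 > 110 bytes) to constructed packet records and shows
which traffic passes, which amplified responses are blocked, and which
legitimate NTP variants become collateral damage.
"""
from dataclasses import dataclass

NTP_PORT = 123
IPV4_HEADER, IPV6_HEADER, UDP_HEADER, ETHERNET_HEADER = 20, 40, 8, 14
MAX_LEN = {4: 90, 6: 110}        # thresholds from the mitigation list (NANOG)

NTP_PLAIN = 48                   # unauthenticated NTPv3/v4 time packet
NTP_MD5_MAC = 48 + 4 + 16        # key id + MD5 digest appended (68 bytes)
MONLIST_REQUEST = 8              # mode 7 header only
MONLIST_RESPONSE = 8 + 6 * 72    # one full 6-entry monlist response (440 bytes)


@dataclass(frozen=True)
class Packet:
    label: str
    ip_version: int
    src_port: int
    dst_port: int
    udp_payload_len: int

    def ip_total_length(self) -> int:
        """Length the filter matches on: IP header + UDP header + payload."""
        hdr = IPV4_HEADER if self.ip_version == 4 else IPV6_HEADER
        return hdr + UDP_HEADER + self.udp_payload_len


def frame_to_ip_length(frame_len: int) -> int:
    """Capture tools often report frame size; subtract the Ethernet header."""
    return frame_len - ETHERNET_HEADER


def size_filter_verdict(pkt: Packet) -> str:
    """'deny' if the packet touches UDP/123 and exceeds the per-family threshold."""
    if NTP_PORT not in (pkt.src_port, pkt.dst_port):
        return "permit"                       # filter scoped to NTP traffic only
    return "deny" if pkt.ip_total_length() > MAX_LEN[pkt.ip_version] else "permit"


# Constructed sample traffic (not a real capture).
SAMPLES = [
    Packet("client time request (IPv4)", 4, 50123, NTP_PORT, NTP_PLAIN),
    Packet("server time reply (IPv6)", 6, NTP_PORT, 50123, NTP_PLAIN),
    Packet("spoofed monlist request", 4, 80, NTP_PORT, MONLIST_REQUEST),
    Packet("reflected monlist response", 4, NTP_PORT, 80, MONLIST_RESPONSE),
    Packet("authenticated time reply (MD5 MAC)", 4, NTP_PORT, 50123, NTP_MD5_MAC),
    Packet("unrelated UDP/53 reply", 4, 53, 50123, 440),
]


def apply_filter(packets=SAMPLES) -> dict:
    """Map each sample's label to its verdict."""
    return {p.label: size_filter_verdict(p) for p in packets}


if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{size_filter_verdict(p):6} {p.ip_total_length():4} bytes  {p.label}")
```

The 482-byte frames in the captures above are 468-byte IPv4 packets once the Ethernet header is removed, well over the 90-byte threshold, while a plain 76-byte time packet passes. The authenticated reply shows why the rule is temporary: at 96 bytes it is dropped alongside the attack traffic.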
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.