Cisco Event Response: Network Time Protocol Amplification Distributed Denial of Service Attacks

Threat Summary: February 25, 2014

This information has been produced in reference to the recent Network Time Protocol (NTP) amplification distributed denial of service (DDoS) attacks that have been observed on the Internet. Based on certain examples of customer packet captures Cisco has observed, current inbound amplification flows are showing the following characteristics:

  • UDP source port 123
  • UDP destination port 80
  • Packet size of 482 bytes

Keep in mind that the preceding characteristics were seen on a limited number of customer networks. It is expected that variations on the UDP source port, UDP destination port, and total packet size will be seen.


Event Intelligence

The following Cisco content is associated with this Event Response Page:

Cisco Security Notice: Cisco Network Time Protocol Distributed Reflective Denial of Service Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5211

Cisco IntelliShield Alert: Network Time Foundation ntpd Service Network Traffic Amplification Issue
http://tools.cisco.com/security/center/viewAlert.x?alertId=32384

Cisco Security Blog Posts
http://blogs.cisco.com/security/when-network-clocks-attack/
http://blogs.cisco.com/perspectives/enterprise-security-include-ddos-mitigation-in-your-2014-plans/
http://blogs.cisco.com/security/a-smorgasbord-of-denial-of-service/

Vulnerability Characteristics

The vulnerability comes from a shortcoming in RFC 5905 that allows processing of optional Mode 6 and 7 command requests by NTP servers.

In summary, the attack is based on NTP servers processing Mode 7 requests from NTP clients, which may elicit very large responses. While the requests are small (for example, in the case of Mode 7, the request is only 8 bytes long), the response can grow to up to 5,500 times that size due to amplification.

Cisco Security Intelligence Operations Analysis

The attack is based on a very simple premise:

NTP servers that respond to MONLIST Mode 7 command requests will generate responses that are up to 5,500 times larger than the requests. Paired with the ability to spoof network addresses globally, this attack allows the attacker to send a huge number of those requests toward a number of known public NTP servers and solicit a huge response toward the spoofed (source) address of the victim.

There are three key points regarding this vulnerability:

  • The server that is "open" for NTP Mode 7 requests can receive a huge number of requests and be forced to generate responses that are up to 5,500 times larger than original requests.
  • The vulnerable NTP servers are used as UDP reflectors in attacks against targeted destinations that may or may not have NTP servers or NTP clients on their networks. Regardless, these targets receive a flood of unsolicited return UDP traffic directed toward them at the destination port of the attacker's choice.
  • The network that is being used as a source (victim) in a spoofed barrage of NTP requests to such servers will find itself under a huge flow of unsolicited NTP responses.

Keep in mind that, although the characteristics of this attack use NTP packets, this series of attacks is in no way different from typical reflected DDoS amplification attacks. Networks are being sent a flood of unsolicited packets that can grow significantly in both size and speed.
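The following is an added example for illustration, not code from Cisco or from this page: a small classifier that runs over collected UDP datagrams and flags the inbound flow characteristics described above (source port 123, destination port 80, 482-byte packets). Because the page expects variations in port and size, it also generalises slightly and flags any NTP Mode 6 or Mode 7 reply arriving from port 123, whatever the destination port or length, by reading the mode bits of the NTP header. The sample datagrams, addresses and the monlist-style payload are constructed for the example; the 28-byte IP/UDP header allowance assumes IPv4 without options.

```python
from dataclasses import dataclass
from collections import Counter

NTP_PORT = 123
OBSERVED_DST_PORT = 80     # destination port seen in the customer captures
OBSERVED_PKT_SIZE = 482    # total IP packet size seen in the customer captures
IP_UDP_HEADERS = 28        # 20-byte IPv4 header + 8-byte UDP header (assumption: no IP options)

@dataclass
class Datagram:
    """One UDP datagram as a collector would hand it over (constructed input for this example)."""
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes

def ntp_mode(payload: bytes):
    """The NTP mode is the low three bits of the first header byte (LI:2 VN:3 Mode:3)."""
    return payload[0] & 0x07 if payload else None

def classify(d: Datagram) -> list:
    """Return the reasons a datagram looks like NTP amplification traffic (empty list if clean)."""
    reasons = []
    total_len = len(d.payload) + IP_UDP_HEADERS
    if (d.src_port, d.dst_port, total_len) == (NTP_PORT, OBSERVED_DST_PORT, OBSERVED_PKT_SIZE):
        reasons.append("matches 123->80/482-byte signature")
    mode = ntp_mode(d.payload)
    # Generalisation beyond the observed signature: a Mode 6 (control) or Mode 7 (private,
    # e.g. monlist) reply from port 123 is unsolicited on a client network regardless of size.
    if d.src_port == NTP_PORT and mode in (6, 7):
        reasons.append(f"NTP mode {mode} reply from port 123")
    return reasons

def flagged_by_victim(datagrams) -> Counter:
    """Count suspicious datagrams per destination address to see which host is being flooded."""
    return Counter(d.dst_ip for d in datagrams if classify(d))

# Constructed sample traffic, not a real capture.
# 0xD7 = response bit, more bit, version 2, mode 7: the first byte of a monlist-style reply.
MONLIST_REPLY = bytes([0xD7, 0x00, 0x03, 0x2A]) + b"\x00" * 450   # 454 + 28 = 482 bytes on the wire
CLIENT_REPLY = bytes([0x24]) + b"\x00" * 47                        # mode 4, ordinary 48-byte server reply
SAMPLE = [
    Datagram("203.0.113.10", 123, 80, MONLIST_REPLY),          # exactly the observed signature
    Datagram("203.0.113.10", 123, 443, MONLIST_REPLY),         # variant: different destination port
    Datagram("203.0.113.10", 123, 80, MONLIST_REPLY[:200]),    # variant: smaller packet
    Datagram("198.51.100.5", 123, 52000, CLIENT_REPLY),        # benign time sync, must not be flagged
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d.dst_ip, d.dst_port, classify(d))
    print(flagged_by_victim(SAMPLE))
```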

MITRE/CERT-CC assigned the Common Vulnerabilities and Exposures ID CVE-2013-5211 to the vulnerability that applies to Mode 7 requests. The CERT/CC advisory is posted at http://www.kb.cert.org/vuls/id/348126.

Impact on Cisco Products

Affected Cisco products are listed in the Cisco Security Notice:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5211

Mitigation Summary