This information has been produced in reference to the recent Network Time Protocol (NTP) amplification distributed denial of service (DDoS) attacks that have been observed on the Internet. Based on certain examples of customer packet captures Cisco has observed, current inbound amplification flows are showing the following characteristics:
Keep in mind that the preceding characteristics were seen on a limited number of customer networks. It is expected that variations on the UDP source port, UDP destination port, and total packet size will be seen.
The following Cisco content is associated with this Event Response Page:
Cisco Security Notice: Cisco Network Time Protocol Distributed Reflective Denial of Service Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5211
Cisco IntelliShield Alert: Network Time Foundation ntpd Service Network Traffic Amplification Issue
https://sec.cloudapps.cisco.com/security/center/viewAlert.x?alertId=32384
Cisco Security Blog Posts
http://blogs.cisco.com/security/when-network-clocks-attack/
http://blogs.cisco.com/perspectives/enterprise-security-include-ddos-mitigation-in-your-2014-plans/
http://blogs.cisco.com/security/a-smorgasbord-of-denial-of-service/
The vulnerability comes from a shortcoming in RFC 5905 that allows processing of optional Mode 6 and 7 command requests by NTP servers.
In summary, the attack relies on NTP servers processing Mode 7 requests from arbitrary clients, some of which elicit very large responses. While the request is small (in the case of Mode 7, only 8 bytes long), the response can be up to 5,500 times that size; that ratio is the amplification.
The attack is based on a very simple premise:
NTP servers that answer MONLIST (Mode 7) command requests generate responses up to 5,500 times larger than the request. Combined with the ability to spoof source IP addresses, this lets an attacker send a large number of such requests to many known public NTP servers and direct the resulting flood of large responses at the spoofed source address, which belongs to the victim.
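The defining signal of the reflection described above is large, one-way NTP traffic arriving at a host that never sent matching requests. The following is an added detection example (not Cisco's code); it classifies the NTP mode from the first header byte and scores constructed, NetFlow-like flow records by the ratio of bytes received from UDP/123 to bytes sent to UDP/123. The record shape, thresholds and sample addresses are assumptions.

```python
"""Detection helper for NTP Mode 7 (monlist) reflection floods (added example)."""
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123

def ntp_mode(first_byte: int) -> int:
    """The low three bits of the first NTP header byte carry the mode for every
    packet type, including Mode 6 (control) and Mode 7 (private/monlist)."""
    return first_byte & 0x07

def is_amplifier_mode(first_byte: int) -> bool:
    """Mode 6 and Mode 7 are the request types that should not be served to the Internet."""
    return ntp_mode(first_byte) in (6, 7)

@dataclass(frozen=True)
class Flow:                       # assumed simplified NetFlow-like record
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    nbytes: int

def reflection_victims(flows, min_avg_bytes=200, min_ratio=10.0):
    """Return {host: (inbound_bytes, outbound_bytes, avg_pkt_bytes)} for hosts that
    receive far more from UDP/123 than they sent to UDP/123. A normal client exchanges
    ~76-byte packets both ways; a reflected monlist flood is large and unsolicited.
    Only the source port is keyed on, since the destination port varies in practice."""
    inbound = defaultdict(lambda: [0, 0])   # dst -> [bytes, packets] from sport 123
    outbound = defaultdict(int)             # src -> bytes sent to dport 123
    for f in flows:
        if f.sport == NTP_PORT:
            inbound[f.dst][0] += f.nbytes
            inbound[f.dst][1] += f.packets
        elif f.dport == NTP_PORT:
            outbound[f.src] += f.nbytes
    victims = {}
    for host, (b, p) in inbound.items():
        avg = b / p if p else 0
        ratio = b / max(outbound[host], 1)
        if avg >= min_avg_bytes and ratio >= min_ratio:
            victims[host] = (b, outbound[host], round(avg))
    return victims

# Constructed sample: one legitimate client exchange and one host being reflected at.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 123, "198.51.100.5", 123, 4, 304),       # replies, 76 B/pkt
    Flow("198.51.100.5", 123, "203.0.113.10", 123, 4, 304),       # matching requests
    Flow("203.0.113.20", 123, "198.51.100.9", 80, 1000, 490000),  # 490 B/pkt, unsolicited
    Flow("203.0.113.21", 123, "198.51.100.9", 80, 800, 392000),   # second reflector
]
```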
There are three key points regarding this vulnerability:
Keep in mind that, although the characteristics of this attack use NTP packets, this series of attacks is in no way different from typical reflected DDoS amplification attacks. Networks are being sent a flood of unsolicited packets that can grow significantly in both size and speed.
MITRE/CERT/CC assigned the Common Vulnerabilities and Exposures ID CVE-2013-5211 to the vulnerability that applies to Mode 7 requests. The CERT/CC advisory is posted at http://www.kb.cert.org/vuls/id/348126.
Affected Cisco products are listed in the Cisco Security Notice:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5211
Cisco DDoS White Paper: //www.cisco.com/web/about/security/intelligence/guide_ddos_defense.html
CERT Vulnerability Note VU#348126: http://www.kb.cert.org/vuls/id/348126
DHS US-CERT Alert (TA14-013A): https://www.us-cert.gov/ncas/alerts/TA14-013A
NTP.org Security Notice: http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.