Threat Summary: February 25, 2014
This information has been produced in reference to the recent Network Time Protocol (NTP) amplification distributed denial of service (DDoS) attacks that have been observed on the Internet. Based on certain examples of customer packet captures Cisco has observed, current inbound amplification flows are showing the following characteristics:
- UDP source port 123
- UDP destination port 80
- Packet size of 482 bytes
Keep in mind that the preceding characteristics were seen on a limited number of customer networks. It is expected that variations on the UDP source port, UDP destination port, and total packet size will be seen.
Event Intelligence
The following Cisco content is associated with this Event Response Page:
Cisco Security Notice: Cisco Network Time Protocol Distributed Reflective Denial of Service Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5211
Cisco IntelliShield Alert: Network Time Foundation ntpd Service Network Traffic Amplification Issue
https://sec.cloudapps.cisco.com/security/center/viewAlert.x?alertId=32384
Cisco Security Blog Posts
http://blogs.cisco.com/security/when-network-clocks-attack/
http://blogs.cisco.com/perspectives/enterprise-security-include-ddos-mitigation-in-your-2014-plans/
http://blogs.cisco.com/security/a-smorgasbord-of-denial-of-service/
Vulnerability Characteristics
The vulnerability comes from a shortcoming in RFC 5905 that allows processing of optional Mode 6 and 7 command requests by NTP servers.
In summary, the attack is based on processing NTP Mode 7 requests from NTP clients that may elicit huge responses. While the requests are small (for example, in case of Mode 7, the request is only 8 bytes long), the response can grow up to 5,500 times that size due to amplification.
Cisco Security Intelligence Operations Analysis
The attack is based on a very simple premise:
NTP servers that respond to MONLIST Mode 7 command requests will generate responses that are 5,500 times bigger in size than the requests. Paired with the ability to spoof network addresses globally, this attack allows the attacker to send a huge number of those requests toward a number of known public NTP servers and solicit a huge response toward the spoofed address of the (source) victim.
There are three key points regarding this vulnerability:
- The server that is "open" for NTP Mode 7 requests can receive a huge number of requests and be forced to generate responses that are up to 5,500 times larger than original requests.
- The vulnerable NTP servers are used as UDP reflectors in attacks against targeted destinations that may or may not have NTP servers or NTP clients on their networks. Regardless, these targets receive a flood of unsolicited return UDP traffic directed toward them at the destination port of the attacker's choice.
- The network that is being used as a source (victim) in a spoofed barrage of NTP requests to such servers will find itself under a huge flow of unsolicited NTP responses.
Keep in mind that, although the characteristics of this attack use NTP packets, this series of attacks is in no way different from typical reflected DDoS amplification attacks. Networks are being sent a flood of unsolicited packets that can grow significantly in both size and speed.
MITRE/CERT-CC assigned the Common Vulnerabilities and Exposures ID CVE-2013-5211 to the vulnerability that applies to Mode 7 requests. This CERT/CC advisory is posted at http://www.kb.cert.org/vuls/id/348126
Impact on Cisco Products
Affected Cisco products are listed in the Cisco Security Notice:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5211
Mitigation Summary
- Unicast RPF to help drop at ingress any spoofed IP traffic
- Understanding Unicast Reverse Path Forwarding
- Unicast Reverse Path Forwarding in Strict Mode on the Cisco 12000 Series Internet Router
- Infrastructure and transit ACLs that restrict/drop NTP packets at the Internet edge
- Protecting Your Core: Infrastructure Protection Access Control Lists
- Transit Access Control Lists: Filtering at Your Edge
- Control Plane Protection (CoPP) to protect the CPUs of infrastructure devices against NTP packets directed to the device
- Remotely triggered black hole (RTBH) dropping of traffic based on IP source (using Unicast RPF) and/or IP destination (trigger routing updates to null0)
- Packet scrubbing using Arbor, Prolexic, etc. as far upstream as possible (covered in the DDoS white paper listed in References)
- Rate limiting NTP flows as close to the Internet Edge as possible
- Working with peering ISP(s) to throttle some of the traffic before it gets to the organization's Internet edge
- Filtering out packets based on packet size (that is, greater than 90 bytes for IPv4 and 110 bytes for IPv6) to/from UDP port 123. Allowing packets less than these sizes should still allow time-sync requests and responses to work, but the filtering should prevent the packet sizes used to trigger these amplification attacks (Source: NANOG Mailing List). Note: This filtering should be used solely to mitigate these attacks and should not be implemented permanently.
References
Cisco DDoS White Paper: //www.cisco.com/web/about/security/intelligence/guide_ddos_defense.html
CERT Vulnerability Note VU#348126: http://www.kb.cert.org/vuls/id/348126
DHS US-CERT Alert (TA14-013A): https://www.us-cert.gov/ncas/alerts/TA14-013A
NTP.org Security Notice:http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.