Category Archives: Networking

Issue with NTP servers: the new DDoS amplifier

Just as DDoS attacks abuse open DNS resolvers as amplifiers, they have started
abusing ntpd servers that are left open to the world.

This is a very recent attack. The Network Time Protocol, or NTP, syncs time
between machines on the network and runs over UDP port 123. It is typically
configured once by network administrators and often never updated afterwards.

There has recently been a major jump in attacks via the protocol. Attackers are
using NTP for DDoS the same way open DNS resolvers are abused: because NTP runs
over UDP, the attacker sends small requests with the source address forged to be
the victim's, and the server sends its much larger replies to the DDoS target's
IP address. The request being abused is the so-called "monlist" command, a
mode 7 (private, ntpdc) query supported by older ntpd versions. Monlist returns
the last 600 addresses that have talked to the server, split over many reply
packets, so a single 8-byte request can produce tens of kilobytes of replies.

To check whether your ntp service is open/vulnerable (run this from a host
outside your own network, which is where the attacker sits):

# ntpdc -c monlist IP

If it returns a list of hosts, the server is vulnerable.
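The ntpdc check above is what an attacker's scanner does by hand. Here is the same probe written out, as an added example that is not part of the original post: it builds the 8-byte mode 7 MON_GETLIST_1 request, parses the reply layout from ntpd's ntp_request.h (struct req_pkt / resp_pkt / info_monitor_1), and works out the bytes-out-per-byte-in ratio that makes monlist useful for amplification. The sample reply, the function names and the 192.0.2.x / 198.51.100.x addresses are constructed for the example; probe() does send a real packet to the host you name, so only point it at servers you are responsible for.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): build the NTP mode 7
MON_GETLIST_1 request that scanners and attackers send, parse the reply,
and measure the amplification. Packet layouts follow ntpd's ntp_request.h
(struct req_pkt / resp_pkt / info_monitor_1); the sample reply is
constructed here, not captured from a real server."""
import ipaddress
import socket
import struct

# 8-byte mode 7 header: rm_vn_mode, auth_seq, implementation, request,
# err_nitems (4-bit error | 12-bit item count), mbz_itemsize (12-bit size).
HDR = struct.Struct("!BBBBHH")
IMPL_XNTPD = 3               # implementation number used by ntpd
REQ_MON_GETLIST_1 = 42       # 0x2a, the monlist request
MONITOR_1_ITEM_SIZE = 72     # sizeof(struct info_monitor_1)


def rm_vn_mode(response, more, version, mode):
    """Pack the response/more/version/mode byte like ntpd's RM_VN_MODE macro."""
    return (response << 7) | (more << 6) | (version << 3) | mode


def build_monlist_request():
    """The 8-byte probe: 17 00 03 2a 00 00 00 00 (version 2, mode 7, no data)."""
    return HDR.pack(rm_vn_mode(0, 0, 2, 7), 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_monlist_response(pkt):
    """Return (more, error, [(ipv4, packet_count), ...]) for one reply packet.
    Only the count and addr fields of each info_monitor_1 item are decoded."""
    rvm, _seq, _impl, _req, err_nitems, mbz_itemsize = HDR.unpack_from(pkt)
    if not rvm & 0x80 or rvm & 0x07 != 7:
        raise ValueError("not a mode 7 response")
    more = bool(rvm & 0x40)            # set on every packet but the last
    error = err_nitems >> 12
    nitems = err_nitems & 0x0FFF
    itemsize = mbz_itemsize & 0x0FFF
    entries = []
    for i in range(nitems):
        off = HDR.size + i * itemsize
        if off + 20 > len(pkt):
            raise ValueError("truncated item")
        # info_monitor_1: lasttime@0 firsttime@4 restr@8 count@12 addr@16
        count, addr = struct.unpack_from("!II", pkt, off + 12)
        entries.append((str(ipaddress.IPv4Address(addr)), count))
    return more, error, entries


def build_monlist_response(entries, more=False):
    """Constructed reply for the example: one 72-byte item per (ip, count)."""
    body = b""
    for ip, count in entries:
        item = bytearray(MONITOR_1_ITEM_SIZE)
        struct.pack_into("!II", item, 12, count, int(ipaddress.IPv4Address(ip)))
        body += bytes(item)
    hdr = HDR.pack(rm_vn_mode(1, int(more), 2, 7), 0, IMPL_XNTPD,
                   REQ_MON_GETLIST_1, len(entries), MONITOR_1_ITEM_SIZE)
    return hdr + body


def amplification_factor(request, responses):
    """Bytes received per byte sent; this ratio is what makes monlist a DDoS tool."""
    return sum(len(r) for r in responses) / len(request)


def probe(host, timeout=2.0):
    """Send the request to host:123 and collect replies until the 'more' bit
    clears or the socket times out. An empty list means the server did not
    answer, i.e. it is patched or has noquery set (ntpdc prints 'timed out')."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    responses = []
    try:
        sock.sendto(build_monlist_request(), (host, 123))
        while True:
            data, _ = sock.recvfrom(1024)
            responses.append(data)
            if not parse_monlist_response(data)[0]:
                break
    except socket.timeout:
        pass
    finally:
        sock.close()
    return responses


if __name__ == "__main__":
    req = build_monlist_request()
    # Constructed sample reply with two entries (RFC 5737 documentation addresses).
    reply = build_monlist_response([("192.0.2.10", 1), ("198.51.100.7", 40)])
    print("request :", req.hex(), len(req), "bytes")
    print("entries :", parse_monlist_response(reply)[2])
    print("amplification: %.1fx" % amplification_factor(req, [reply]))
```

A real server returns six 72-byte items per packet and up to 100 packets for a full 600-entry table, so the ratio printed for the two-entry sample is far below what a populated server produces; probe() returning an empty list is the programmatic equivalent of ntpdc's "Request timed out".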

To get around this:

– The easiest fix is to upgrade to ntp 4.2.7p26 or later, which disables the
monlist command entirely.

– If upgrading is not an option, add noquery to the default restrict lines in
the NTP conf file. This denies mode 6 (ntpq) and mode 7 (ntpdc, which includes
monlist) query packets while the server still answers ordinary time requests.
Keep the stock loopback lines (restrict 127.0.0.1 and restrict -6 ::1) so that
ntpq and ntpdc keep working from the server itself.

Add the lines below to /etc/ntp.conf :

========

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

========

If the monlist query is disabled,

# ntpdc -n -c monlist IP

should return:

xx.xx.xx.xx: timed out, nothing received
***Request timed out

The basic issue is that many ntp servers are left open, meaning any host on the
Internet can query them. For example, the config file of an ntpd server usually
has this section:

============

# --- CLIENT NETWORK -------

============

– Under this section either nothing is given, which with no restrict default
line means every host can access and query the server, or a line like the
following:

restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

This still lets every host access and query the server; it only stops hosts in
the specified range from doing those three things, and since noquery is absent
even that range can still run monlist.

So this is still an open ntpd service that responds to monlist queries from
anywhere.

If instead the following were given,

restrict 192.168.1.0 mask 255.255.255.0 notrust noquery nomodify notrap

hosts in that network segment can still get time but cannot send mode 6/7
queries, which is the same effect the two default lines above have for every
source address. The per-network line by itself is not enough: any source not
matched by a more specific restrict line falls through to restrict default, and
if there is no such line the server stays open to the rest of the Internet.
One more caveat: in ntpd 4.2 and later, notrust means "deny service unless the
packet is cryptographically authenticated", so unauthenticated clients in that
range would get no time at all; it is not needed for the monlist fix and is
usually best left out.
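To turn the reasoning above into a check you can run across a fleet, here is an added example (not code from the original post) that parses the restrict lines of an ntp.conf and reports, per address family, whether the default is closed with noquery and which per-network lines still allow queries. The two configs it ships with are constructed for the example, the function names are mine, and a plain "restrict default" line is counted for IPv4 only, the conservative reading; an explicit "restrict -6 default" line covers IPv6, as in the post.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): audit the restrict lines of an
ntp.conf for the monlist exposure. The two configs below are constructed for
the example. Plain 'restrict default' is counted for IPv4 only (the
conservative reading); an explicit 'restrict -6 default' line covers IPv6."""
import sys

# Constructed: an open server of the shape described above (no default line,
# only a per-network line without noquery).
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org

# --- CLIENT NETWORK -------
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
"""

# Constructed: the two default lines from the post plus loopback, and a LAN
# exception that deliberately omits noquery.
HARDENED_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
"""


def parse_restrict_lines(conf_text):
    """Yield (family, target, flags) for every restrict line, ignoring comments."""
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words or words[0] != "restrict":
            continue
        words = words[1:]
        family = 4
        if words and words[0] in ("-4", "-6"):
            family = int(words.pop(0)[1])
        if not words:
            continue
        target = words.pop(0)
        if len(words) >= 2 and words[0] == "mask":   # "x.y.z.0 mask 255.255.255.0"
            target += "/" + words[1]
            words = words[2:]
        yield family, target, set(words)


def audit_ntp_conf(conf_text):
    """Return ({4: verdict, 6: verdict}, exceptions).

    verdict is 'closed' when the family's default line carries noquery and
    'open' otherwise (a missing default line means no restriction at all).
    exceptions lists non-loopback restrict lines without noquery: those
    sources can still run monlist even when the default is closed."""
    defaults = {4: None, 6: None}
    exceptions = []
    for family, target, flags in parse_restrict_lines(conf_text):
        if target == "default":
            defaults[family] = flags
        elif "noquery" not in flags and target not in ("127.0.0.1", "::1"):
            exceptions.append((family, target))
    verdict = {}
    for family, flags in defaults.items():
        closed = flags is not None and "noquery" in flags
        verdict[family] = "closed" if closed else "open"
    return verdict, exceptions


def report(conf_text):
    """Human-readable summary, the way a fleet check would print it."""
    verdict, exceptions = audit_ntp_conf(conf_text)
    lines = ["IPv4 default: %s, IPv6 default: %s" % (verdict[4], verdict[6])]
    for family, target in exceptions:
        lines.append("  queries (incl. monlist) still allowed from %s (IPv%d)"
                     % (target, family))
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:            # audit a real file: ./audit.py /etc/ntp.conf
        with open(sys.argv[1]) as fh:
            print(report(fh.read()))
    else:                            # otherwise show the two constructed configs
        for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
            print("[%s]\n%s" % (name, report(conf)))
```

Run it with a path argument to audit a real file. Note that the hardened sample is still reported with an exception: its LAN line lacks noquery, so anyone on 192.168.1.0/24 can still run monlist against it, which is exactly the per-network behaviour described above.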

Take these preventive measures before your server becomes part of the amplification chain.

IPv6 configuration for KVM guests

It is simple and straightforward to enable IPv6 on KVM guests.

Configure the host machine with an IPv6 address on the bridge interface (ifcfg-style
network scripts, as used on RHEL/CentOS):

cat ifcfg-br0

IPV6INIT=yes
IPV6ADDR=xxxx.xx::10
IPV6_DEFAULTGW=xxxx.xx::1
IPV6_AUTOCONF=no

Configure the interface on the virtual machines with an IPv6 address:

cat ifcfg-eth0

IPV6INIT=yes
IPV6ADDR=xxxx.xx::11
IPV6_DEFAULTGW=xxxx.xx::1
IPV6_AUTOCONF=no

Add the necessary rule to ip6tables on the host machine so that traffic bridged to the
guests is not dropped by the host's FORWARD chain (with bridge-nf-call-ip6tables enabled,
bridged frames are passed through ip6tables):

-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT

./arun