Moats are good for stopping knights in armor, but hackers are more like rats.
Organizations tend to harden, secure, and update servers—and then forget about infrastructure device vulnerabilities. This is called the “castle and moat” approach to IT security: build a strong perimeter around intellectual property, customer information, and other sensitive assets, and let it go at that—leaving your base infrastructure open to sneaky direct attacks.
The problem with this is that things have to go in and out of the castle, so no matter how deep the moat, there have to be ways to get across it. I’ve talked a lot in my previous blogs about how DNS is one of those, and how it can be used to launch direct attacks on assets inside the moat—especially distributed-denial-of-service (DDoS) attacks.
Now we’re seeing similar attacks that exploit another overlooked weak point: the Network Time Protocol (NTP).
NTP is implemented in all major operating systems, network infrastructure devices, and embedded devices. Because it uses the User Datagram Protocol (UDP), NTP is susceptible to spoofing. In addition, misconfigured network equipment can allow an enterprise’s infrastructure to be used as an unwilling participant in a DDoS attack: the equipment answers requests for NTP updates whose source address has been spoofed, so its responses are directed to a victim host, which is overwhelmed with NTP traffic.
According to Kelly Jackson Higgins in her recent Dark Reading article “Attackers Wage Network Time Protocol-Based Attacks,” NTP is as vulnerable as DNS to reflection-style DDoS attacks.
Here’s how it works. The hacker’s servers transmit small spoofed packets that ask for large amounts of data to be sent to the IP address of their target victim. The “monlist” command in an older version of NTP returns a list of the last 600 hosts that connected to the server. Hackers can use this as a reconnaissance tactic to build a network profile of the target. But it makes an even better DDoS tool, because a small query can redirect megabytes of traffic. Higgins points out that NTP reflection attacks spiked in December of 2013, impacting nearly 15,000 IP addresses.
The most obvious fix to this problem is to make sure you are running a version of NTP newer than the recommended minimum. However, it may not be practical to upgrade all your appliances overnight. Fortunately, there’s another way to keep attackers from using NTP to get across the moat around your castle: Advanced DNS Protection.
Using a threat-mitigation rule that comes into play when NTP is enabled, Infoblox Advanced DNS Protection provides a layer of security by ensuring that the DNS infrastructure is NOT used to amplify or participate in NTP attacks. This rule monitors NTP responses and can drop them if the packet rate appears abnormal, which is a symptom of an attack. If any source IP address sends more packets than a pre-defined threshold, the appliance blocks all traffic from that source for a set period of time (specified in Drop interval; default = 15).
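To make the rule concrete, here is a small added example (my own code, not Infoblox’s implementation) of a per-source packet-rate guard of the kind described above, run over a constructed stream of NTP response packets. The threshold of 20 packets per 1,000 ms window and the 15,000 ms drop interval are assumptions chosen for illustration; the post only states that the drop interval defaults to 15.

```python
from collections import defaultdict, deque

# Constructed sample: (timestamp_ms, source_ip) for NTP response packets seen
# by the appliance. 10.0.0.5 is a quiet legitimate client; 203.0.113.9 is a
# spoofed source hammering the server (constructed values, not real traffic).
SAMPLE_PACKETS = sorted(
    [(0, "10.0.0.5"), (16600, "10.0.0.5"), (16500, "203.0.113.9")]
    + [(50 * i, "203.0.113.9") for i in range(40)]   # 40 packets in ~2 s
)


class NtpRateGuard:
    """Drop a source's packets once it exceeds `threshold` packets within a
    sliding `window_ms`, and keep dropping for `drop_interval_ms` (assumed
    values; the post gives only 'Drop interval; default = 15')."""

    def __init__(self, threshold=20, window_ms=1000, drop_interval_ms=15000):
        self.threshold = threshold
        self.window_ms = window_ms
        self.drop_interval_ms = drop_interval_ms
        self.recent = defaultdict(deque)  # src -> timestamps inside window
        self.blocked_until = {}           # src -> time the block expires

    def decide(self, ts, src):
        # 1. Source still inside its drop interval: drop without counting.
        until = self.blocked_until.get(src)
        if until is not None and ts < until:
            return "drop"
        # 2. Record this packet and slide the window forward.
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window_ms:
            q.popleft()
        # 3. More packets than the threshold: block the source for a while.
        if len(q) > self.threshold:
            self.blocked_until[src] = ts + self.drop_interval_ms
            q.clear()
            return "drop"
        return "allow"


def run(packets, guard=None):
    """Apply the guard to a time-ordered packet list; return per-packet
    decisions and the block table."""
    guard = guard or NtpRateGuard()
    decisions = [(ts, src, guard.decide(ts, src)) for ts, src in packets]
    return decisions, guard.blocked_until


def summarize(decisions):
    """Count allow/drop verdicts per source IP."""
    counts = defaultdict(lambda: {"allow": 0, "drop": 0})
    for _, src, verdict in decisions:
        counts[src][verdict] += 1
    return dict(counts)
```

Running `summarize(run(SAMPLE_PACKETS)[0])` shows the spoofed source blocked from its 21st packet in the first second until the drop interval expires, while the quiet client is never touched.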
Below is a graph from the new Prolexic report on DDoS in Q4 of 2013. DNS-based attacks increased to almost 10 percent. Because DNS and CHARGEN attacks are the methods underpinning PHP booter frameworks, escalations in these two attack vectors (DNS 9.58 percent and CHARGEN 6.39 percent) were also observed this quarter. At 0.026 percent, NTP is still a small slice of the bar graph—but big enough for a rat to slip through.