[AusNOG] NTP Reflection coming in over Equinix IX

Dobbins, Roland rdobbins at arbor.net
Mon Feb 17 15:14:56 EST 2014


On Feb 14, 2014, at 7:43 AM, James Braunegg <james.braunegg at micron21.com> wrote:

>  I'll email you the pcap file for an offline discussion; would be interesting to see if different versions of Wireshark show different data...

James and I have already corresponded; here's what's apparently going on: the NTP RFCs state that NTP packets should be padded with 0s in order to fit a 64-bit boundary, and different attack tools/mechanisms perform differing amounts of padding.

Here's a breakdown in terms of observed monlist packet sizes:

ntp attack tool used in this most recent spate of attacks - 50 bytes, per James' weblog post.

ntpdos.py - 60 bytes

ntp_monlist.py - 234 bytes

monlist, sysstat, et al. from ntpdc/ntpq - 234 bytes

So, the monlist packet-size varies based upon the amount of padding implemented by each tool author.

The one constant I've found is that regular NTP time-sync requests are ~90 bytes in size.  So, blocking traffic at the relevant edges destined for UDP/123 with a size of 50 bytes, 60 bytes, and 234 bytes appears to be a non-destructive way of dropping level-6/-7 admin commands whilst still allowing time-sync to function.  Be sure to pilot this prior to general deployment, though.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
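The size-based filter described in the post above, worked through as an added example (this is not code from the post or from the AusNOG thread, and the packet samples are constructed). It assumes the sizes quoted (50, 60, 234 and ~90 bytes) are full Ethernet frame lengths as Wireshark displays them, i.e. 14 bytes Ethernet + 20 bytes IPv4 + 8 bytes UDP on top of the NTP payload, which makes the 8-byte mode 7 monlist request come out at 50 bytes and a 48-byte client request at 90. As a second signal it also decodes the NTP mode bits (low 3 bits of the first byte, per RFC 5905) so that mode 6/7 admin requests of an unlisted size are still flagged for review rather than silently allowed; that mode check is my addition, not part of the post's recommendation.

```python
"""Classify UDP/123 packets with the frame-size heuristic from the post, plus an
NTP mode-bit check as a secondary signal.  Added example, not the post's code.
"""
from typing import Dict, List, Optional, Tuple

NTP_PORT = 123

# Assumption: the sizes in the post are Ethernet frame lengths as shown by
# Wireshark: Ethernet II (14) + IPv4 without options (20) + UDP (8) = 42 bytes
# of headers in front of the NTP payload.
ETH_IP_UDP_OVERHEAD = 14 + 20 + 8

# Observed admin-command (monlist etc.) frame sizes quoted in the post:
# 50 = recent attack tool, 60 = ntpdos.py, 234 = ntp_monlist.py / ntpdc / ntpq.
ADMIN_COMMAND_SIZES = {50, 60, 234}

# Regular time-sync requests are ~90 bytes per the post; a 48-byte NTP message
# plus 42 bytes of headers is exactly 90.  The window below is my own slack.
TIME_SYNC_MIN, TIME_SYNC_MAX = 86, 94


def frame_length(payload: bytes) -> int:
    """Frame size on the wire for a given NTP payload (IPv4, no options)."""
    return ETH_IP_UDP_OVERHEAD + len(payload)


def ntp_mode(payload: bytes) -> Optional[int]:
    """NTP mode from the first byte: LI(2 bits) VN(3 bits) Mode(3 bits)."""
    if not payload:
        return None
    return payload[0] & 0x07


def classify(dst_port: int, payload: bytes) -> str:
    """Decide what the edge filter would do with one packet.

    drop-admin-size  : size matches a known monlist/admin tool (post's rule)
    flag-admin-mode  : mode 6/7 request of an unlisted size (my extra check)
    allow-time-sync  : ~90 byte mode 3 client request
    review           : anything else on UDP/123
    """
    if dst_port != NTP_PORT:
        return "not-ntp"
    size = frame_length(payload)
    mode = ntp_mode(payload)
    if size in ADMIN_COMMAND_SIZES:
        return "drop-admin-size"
    if mode in (6, 7):
        return "flag-admin-mode"
    if TIME_SYNC_MIN <= size <= TIME_SYNC_MAX and mode == 3:
        return "allow-time-sync"
    return "review"


def summarize(packets: List[Tuple[int, bytes]]) -> Dict[str, int]:
    """Count classifications over (dst_port, payload) records."""
    counts: Dict[str, int] = {}
    for dst_port, payload in packets:
        verdict = classify(dst_port, payload)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample traffic (not captured data).  0x17 = VN 2, mode 7 (private,
# the mode monlist uses); 0x23 = VN 4, mode 3 (client time-sync request).
SAMPLE_PACKETS: List[Tuple[int, bytes]] = [
    (NTP_PORT, bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)),   # 8 B -> 50 B frame
    (NTP_PORT, bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(14)),  # 18 B -> 60 B frame
    (NTP_PORT, bytes([0x17]) + bytes(191)),                   # 192 B -> 234 B frame
    (NTP_PORT, bytes([0x17]) + bytes(19)),                    # 20 B -> 62 B, mode 7
    (NTP_PORT, bytes([0x23]) + bytes(47)),                    # 48 B -> 90 B client
    (53, bytes([0x23]) + bytes(47)),                          # DNS, ignored here
]

if __name__ == "__main__":
    for port, payload in SAMPLE_PACKETS:
        print(port, frame_length(payload), ntp_mode(payload), classify(port, payload))
    print(summarize(SAMPLE_PACKETS))
```

Piloting this, as the post advises, means running classify() over a real capture first and confirming that nothing in the allow bucket is an admin query and nothing in the drop bucket is a legitimate client; the mode check exists precisely to surface admin requests that a different padding choice would push to an unlisted size.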


