NTP amplification DDoS attack

A large-scale DDoS attack that abuses a feature of NTP servers to flood the target with UDP traffic.

Learning objectives

After reading this article you will be able to:

  • Define an NTP amplification DDoS attack
  • Explain how an NTP amplification attack works
  • Understand several mitigation strategies for this kind of DDoS amplification attack


What is an NTP amplification attack?

An NTP amplification attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack. The attacker exploits a feature of Network Time Protocol (NTP) servers to bounce amplified UDP traffic at a target network or server, overwhelming it so that legitimate traffic can no longer reach the target or its surrounding infrastructure.

How an NTP amplification attack works

All amplification attacks exploit a disparity in bandwidth cost between the attacker and the targeted web resource. When that disparity is multiplied across many requests, the resulting volume of traffic can disrupt network infrastructure. By sending small requests that trigger large responses, a malicious user gets a great deal of effect out of very little effort. Multiplying that effect by having every bot in a botnet send similar requests lets the attacker both hide the true source of the attack and reap a large increase in attack traffic.

NTP amplification closely resembles DNS amplification, which in turn differs from a DNS flood. Unlike a DNS flood, a DNS amplification attack reflects and amplifies traffic off unsecured DNS servers, both to hide the origin of the attack and to increase its effectiveness. The attacking devices, often on low-bandwidth connections, send many small requests for very large DNS records to those servers, forging the source address of each request to be that of the intended victim. The amplification lets the attacker take out larger targets with only limited attack resources.

An NTP amplification attack works in much the same way as a DNS amplification attack. It is like a malicious teenager calling a restaurant and saying "I'll have one of everything on the menu; please call me back and read out my whole order." When the restaurant asks for a callback number, the caller gives the phone number of the intended victim. The victim then receives a call from the restaurant delivering a large amount of information they never asked for.

The Network Time Protocol lets internet-connected devices synchronize their internal clocks and serves an important function in internet architecture. By exploiting the monlist command enabled on some NTP servers, an attacker can multiply their initial request traffic into a much larger response. The command, enabled by default on older versions of the reference ntpd, returns the last 600 source IP addresses that have made requests to the NTP server. The response to a monlist request from a server holding 600 addresses in memory is roughly 206 times larger than the request. This means an attacker with 1 Gbps of upstream bandwidth can deliver a 200+ Gbps attack, a massive increase in the resulting attack traffic.

An NTP amplification attack can be broken down into four steps:

  1. The attacker uses a botnet to send UDP packets with spoofed source IP addresses to NTP servers that have the monlist command enabled. The spoofed source address on every packet is the victim's real IP address.
  2. Each UDP packet carries a monlist request to the NTP server, which produces a large response.
  3. The server sends the resulting data to the spoofed address.
  4. The victim's IP address receives the responses, and the surrounding network infrastructure is overwhelmed by the flood of traffic, resulting in denial of service.

Diagram: NTP amplification DDoS attack

Because the attack traffic looks like legitimate traffic coming from valid servers, it is difficult to filter without also blocking real NTP servers from normal activity. Because UDP requires no handshake, an NTP server sends its large response to the target without verifying that the request is genuine. These conditions, combined with a built-in command that sends large responses by default, make NTP servers an efficient reflection source for DDoS amplification attacks.
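The following is an added example, not code from the original article or from Cloudflare. It shows concretely where the amplification in the steps above comes from: a monlist request is an 8-byte NTP mode 7 (ntpdc "private") packet, while each reply datagram carries up to six 72-byte entries, and a server with a full table sends many such datagrams for one request. The response datagrams below are constructed for the example; probe_monlist() is included so that you can measure your own servers, and should only be run against hosts you are responsible for. The measured factor depends on how many entries the server holds and on how the request is padded, so it will not match the article's 206x exactly.

```python
import socket
import struct

# NTP mode 7 header (8 bytes):
#   byte 0: R(1) M(1) VN(3) Mode(3)   byte 1: Auth(1) Seq(7)
#   byte 2: implementation             byte 3: request code
#   bytes 4-5: Err(4) Count(12)        bytes 6-7: MBZ(4) ItemSize(12)
IMPL_XNTPD = 3          # implementation number used by ntpd
REQ_MON_GETLIST_1 = 42  # the "monlist" request code
MONLIST_ITEM_SIZE = 72  # size of one monitor entry in the reply

# The request ntpdc sends for "monlist": version 2, mode 7, no data.
MONLIST_REQUEST = struct.pack("!BBBBHH", 0x17, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_header(datagram):
    """Decode the 8-byte mode 7 header of one datagram into a dict."""
    if len(datagram) < 8:
        raise ValueError("short mode 7 packet")
    b0, b1, impl, req, err_count, mbz_size = struct.unpack("!BBBBHH", datagram[:8])
    return {
        "is_response": bool(b0 & 0x80),
        "more": bool(b0 & 0x40),        # set when further datagrams follow
        "version": (b0 >> 3) & 0x07,
        "mode": b0 & 0x07,
        "sequence": b1 & 0x7F,
        "implementation": impl,
        "request_code": req,
        "error": err_count >> 12,
        "count": err_count & 0x0FFF,    # entries carried in this datagram
        "item_size": mbz_size & 0x0FFF,
    }


def summarize_monlist(request, responses):
    """Count the entries returned and compute bytes-out / bytes-in."""
    entries = 0
    for datagram in responses:
        h = parse_mode7_header(datagram)
        if not (h["is_response"] and h["mode"] == 7 and h["request_code"] == REQ_MON_GETLIST_1):
            raise ValueError("datagram is not a monlist response")
        if h["error"]:
            # The server answered with an error code instead of entries.
            return {"entries": 0, "packets": len(responses), "error": h["error"],
                    "bytes": sum(len(d) for d in responses), "amplification": 0.0}
        entries += h["count"]
    total = sum(len(d) for d in responses)
    return {"entries": entries, "packets": len(responses), "error": 0,
            "bytes": total, "amplification": total / len(request)}


def fake_monlist_response(count, more, seq=0):
    """Constructed reply datagram (header + `count` zeroed 72-byte entries)."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | 7  # response, version 2, mode 7
    header = struct.pack("!BBBBHH", b0, seq, IMPL_XNTPD, REQ_MON_GETLIST_1, count, MONLIST_ITEM_SIZE)
    return header + b"\x00" * (MONLIST_ITEM_SIZE * count)


def probe_monlist(host, port=123, timeout=2.0):
    """Send one monlist request to a server you own and collect every reply
    datagram until the 'more' bit clears or the socket times out. A server that
    is patched or configured with 'noquery' returns nothing."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(MONLIST_REQUEST, (host, port))
        while True:
            data, _ = sock.recvfrom(2048)
            replies.append(data)
            if not parse_mode7_header(data)["more"]:
                break
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


if __name__ == "__main__":
    # Three constructed reply datagrams of six entries each: 3 x (8 + 6 * 72) = 1320 bytes
    # in answer to an 8-byte request, i.e. a 165x amplification for just 18 entries.
    sample = [fake_monlist_response(6, True, 0), fake_monlist_response(6, True, 1),
              fake_monlist_response(6, False, 2)]
    print(summarize_monlist(MONLIST_REQUEST, sample))
```

A server holding the full 600 entries answers with 100 such datagrams, which is why the reply is two orders of magnitude larger than the request. If probe_monlist() returns an empty list against one of your own servers, the command is either removed (ntpd 4.2.7p26 and later) or refused by a noquery restriction.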

How is an NTP amplification attack mitigated?

For an individual or company running a website or service, mitigation options are limited. This comes from the fact that the individual’s server, while it might be the target, is not where the main effect of a volumetric attack is felt. Due to the high amount of traffic generated, the infrastructure surrounding the server feels the impact. The Internet Service Provider (ISP) or other upstream infrastructure providers may not be able to handle the incoming traffic without becoming overwhelmed. As a result, the ISP may blackhole all traffic to the targeted victim’s IP address, protecting itself and taking the target’s site off-line. Mitigation strategies, aside from offsite protective services like Cloudflare DDoS protection, are mostly preventative internet infrastructure solutions.

Disable monlist - reduce the number of NTP servers that support the monlist command.

A simple fix for the monlist problem is to disable the command. By default, all versions of the NTP reference implementation (ntpd) before 4.2.7p26 are vulnerable. Upgrading the NTP server to 4.2.7p26 or later, where the command has been removed, resolves the issue. If upgrading is not possible, the server's administrator can follow US-CERT's instructions to make the necessary changes, such as adding "disable monitor" to ntp.conf or refusing queries with the "noquery" restriction.

Source IP verification - stop spoofed packets from leaving the network.

Because the UDP requests being sent by the attacker’s botnet must have a source IP address spoofed to the victim’s IP address, a key component in reducing the effectiveness of UDP-based amplification attacks is for internet service providers (ISPs) to reject any internal traffic with spoofed IP addresses. If a packet is being sent from inside the network with a source address that makes it appear like it originated outside the network, it’s likely a spoofed packet and can be dropped. Cloudflare highly recommends that all providers implement ingress filtering, and at times will reach out to ISPs who are unknowingly taking part in DDoS attacks (in violation of BCP38) and help them realize their vulnerability.

Disabling monlist on NTP servers and implementing ingress filtering on networks that currently allow IP spoofing are both effective ways of stopping this type of attack before it reaches its target network.
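Both mitigations above can be checked mechanically. The following is an added example, not code from the original article or from Cloudflare: a small audit that reads an ntp.conf and flags the settings that leave monlist answerable (a "restrict default" line without noquery, and no "disable monitor" on old ntpd), shown against a constructed weak configuration and its hardened form, plus the BCP38 decision rule from the ingress-filtering paragraph applied to constructed flow records. The prefixes and addresses are documentation ranges chosen for the example.

```python
import ipaddress

# Constructed sample configurations (not from the original article).
# Weak: mode 7 queries such as monlist are answered for any client.
WEAK_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

# Hardened: noquery refuses ntpq/ntpdc queries from unlisted clients, and
# 'disable monitor' stops the MRU list monlist reads from being collected.
HARDENED_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means monlist is not exposed."""
    findings = []
    default_lines = []       # flag sets of every 'restrict [-4|-6] default' line
    monitor_disabled = False
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not tokens:
            continue
        if tokens[0] == "disable" and "monitor" in tokens[1:]:
            monitor_disabled = True
        elif tokens[0] == "restrict":
            args = tokens[1:]
            if args and args[0] in ("-4", "-6"):
                args = args[1:]
            if args and args[0] == "default":
                default_lines.append(set(args[1:]))
    if not default_lines:
        findings.append("no 'restrict default' line: any client may send ntpq/ntpdc queries")
    for flags in default_lines:
        if "noquery" not in flags:
            findings.append("'restrict default' lacks noquery: monlist is answered for any client")
    if not monitor_disabled:
        findings.append("'disable monitor' absent: needed on ntpd older than 4.2.7p26, "
                        "where the monlist command still exists")
    return findings


# Constructed: the prefixes this access network legitimately sources traffic from.
NETWORK_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("2001:db8::/32")]


def bcp38_should_drop(src_ip, prefixes=NETWORK_PREFIXES):
    """Ingress filter at the customer-facing edge (BCP38 / RFC 2827): a packet
    leaving the network with a source address the network does not own is
    spoofed and is dropped."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in prefixes)


# Constructed flow records leaving the customer network: (src, dst, dst_port).
# The second one is a bot's monlist request with its source forged to the
# victim 198.51.100.7, exactly what step 1 of the attack relies on.
SAMPLE_EGRESS = [
    ("203.0.113.45", "192.0.2.10", 123),
    ("198.51.100.7", "192.0.2.10", 123),
    ("2001:db8::1", "192.0.2.10", 123),
]


def filter_egress(flows, prefixes=NETWORK_PREFIXES):
    """Split flows into (kept, dropped) according to the BCP38 rule."""
    kept, dropped = [], []
    for flow in flows:
        (dropped if bcp38_should_drop(flow[0], prefixes) else kept).append(flow)
    return kept, dropped


if __name__ == "__main__":
    print("weak:", audit_ntp_conf(WEAK_NTP_CONF))          # two findings
    print("hardened:", audit_ntp_conf(HARDENED_NTP_CONF))  # []
    print("dropped:", filter_egress(SAMPLE_EGRESS)[1])     # the spoofed flow only
```

The audit treats a "restrict default" line without a -4/-6 flag as covering both address families; if your ntpd version needs a separate "restrict -6 default" line, add it as in the hardened sample. The filter is the same rule a router applies with unicast reverse-path forwarding on customer-facing interfaces: nothing about NTP itself is inspected, which is why BCP38 stops every UDP reflection attack, not only this one.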

How does Cloudflare mitigate NTP amplification attacks?

With a properly configured firewall and sufficient network capacity (which isn't always easy to come by unless you are the size of Cloudflare), it's trivial to block reflection attacks such as NTP amplification attacks. Although the attack will target a single IP address, our Anycast network will scatter all attack traffic to the point where it is no longer disruptive. Cloudflare is able to use our advantage of scale to distribute the weight of the attack across many Data Centers, balancing the load so that service is never interrupted and the attack never overwhelms the targeted server’s infrastructure. During a recent six-month window, our DDoS mitigation system "Gatebot" detected 6,329 simple reflection attacks (that's one every 40 minutes), and the network successfully mitigated all of them. Learn more about Cloudflare's advanced DDoS Protection.