[44123] in SIPB IPv6
Re: [help.mit.edu #2973238] Exploitable NTP server used for an attack: 18.187.1.231
daemon@ATHENA.MIT.EDU (Alex Chernyakhovsky)
Tue Sep 16 11:01:30 2014
In-Reply-To: <43BB1AEC-0432-476E-A470-2515E8488084@mit.edu>
Date: Tue, 16 Sep 2014 11:01:27 -0400
From: Alex Chernyakhovsky <achernya@mit.edu>
To: Andrew Munchbach <amunch@mit.edu>
Cc: "sipb-machine-room@mit.edu" <sipb-machine-room@mit.edu>, sipbv6@mit.edu
Hi Andrew,
This appears to be a machine part of the SIPBv6 service, forwarding
this to them. The contact should be sipbv6@mit.edu, not
sipb-machine-room.
Sincerely,
-Alex
On Tue, Sep 16, 2014 at 10:30 AM, Andrew Munchbach <amunch@mit.edu> wrote:
> SIPB,
>
> Could you check your servers and make sure they do not respond to NTP, SNMP, DNS, and/or CHARGEN requests that originate from outside our network?
>
> Regards,
> Andrew
> --
> Andrew Munchbach
> Network Security Analyst
> Massachusetts Institute of Technology
> IS&T | Operations & Infrastructure | Security Operations
> amunch@mit.edu
> +1 (617) 324-4571
>
> http://ist.mit.edu/secure
>
> Begin forwarded message:
>
>> From: NFOservers.com DDoS notifier via RT <security@mit.edu>
>> Subject: [help.mit.edu #2973238] Exploitable NTP server used for an attack: 18.187.1.231
>> Date: September 13, 2014 at 1:29:11 PM EDT
>> To: undisclosed-recipients:;
>> Reply-To: <security@mit.edu>
>>
>>
>> Sat Sep 13 13:29:11 2014: Request 2973238 was acted upon.
>> Transaction: Ticket created by ddos-response@nfoservers.com
>> Queue: Security
>> Subject: Exploitable NTP server used for an attack: 18.187.1.231
>> Owner: Nobody
>> Requestors: ddos-response@nfoservers.com
>> Status: new
>> Ticket <URL: https://help.mit.edu/Ticket/Display.html?id=2973238 >
>>
>>
>> A public NTP server on your network, running on IP address 18.187.1.231 and UDP port 123, participated in a very large-scale attack against a customer of ours, generating UDP responses to spoofed "monlist" requests that claimed to be from the attack target.
>>
>> Please consider reconfiguring this NTP server in one or more of these ways:
>>
>> 1. If you run ntpd, upgrading to the latest version, which removes the "monlist" command that is used for these attacks; alternately, disabling the monitoring function by adding "disable monitor" to your /etc/ntp.conf file.
>> 2. Setting the NTP installation to act as a client only. With ntpd, that can be done with "restrict default ignore" in /etc/ntp.conf; other daemons should have a similar configuration option. More information on configuring different devices can be found here: https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html.
>> 3. Adjusting your firewall or NTP server configuration so that it only serves your users and does not respond to outside IP addresses.
>>
>> If you don't mean to run a public NTP server, we recommend #1 and #2. If you do mean to run a public NTP server, we recommend #1, and also that you rate-limit responses to individual source IP addresses -- silently discarding those that exceed a low number, such as one request per IP address per second. Rate-limit functionality is built into many recently-released NTP daemons, including ntpd, but needs to be enabled; it would help with different types of attacks than this one.
>>
>> Fixing open NTP servers is important; with the 1000x+ amplification factor of NTP DRDoS attacks -- one 40-byte-long request can generate up to 46800 bytes worth of response traffic -- it only takes one machine on an unfiltered 100 Mbps link to create a 100+ Gbps attack!
>>
>> If you are an ISP, please also look at your network configuration and make sure that you do not allow spoofed traffic (that pretends to be from external IP addresses) to leave the network. Hosts that allow spoofed traffic make possible this type of attack.
>>
>> Further reading:
>>
>> https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
>> https://isc.sans.org/forums/diary/NTP+reflection+attack/17300
>> http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
>> http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10613&smlogin=true
>>
>> You can find more vulnerable servers on a network through this site: http://openntpproject.org/
>>
>> Example NTP responses from the host during this attack are given below.
>> Timestamps (far left) are PDT (UTC-7), and the date is 2014-09-13.
>>
>> 10:27:14.852527 IP 18.187.1.231.123 > 70.42.74.x.29070: NTPv2, Reserved, length 440
>> 0x0000: 4500 01d4 2663 0000 3311 ba0b 12bb 01e7 E...&c..3.......
>> 0x0010: 462a 4adf 007b 718e 01c0 e0d5 d700 032a F*J..{q........*
>> 0x0020: 0006 0048 0000 0000 0000 0000 0000 0000 ...H............
>> 0x0030: 0000 02d7 462a 4adf 12bb 01e7 0000 0001 ....F*J.........
>> 0x0040: 718e 0702 0000 0000 0000 0000 0000 0000 q...............
>> 0x0050: 0000 ..
>> 10:27:14.852570 IP 18.187.1.231.123 > 70.42.74.x.29070: NTPv2, Reserved, length 440
>> 0x0000: 4500 01d4 2664 0000 3311 ba0a 12bb 01e7 E...&d..3.......
>> 0x0010: 462a 4adf 007b 718e 01c0 c86d d701 032a F*J..{q....m...*
>> 0x0020: 0006 0048 0000 001c 0000 0051 0000 0000 ...H.......Q....
>> 0x0030: 0000 0fcc d59d 5c48 12bb 01e7 0000 0001 ......\H........
>> 0x0040: 31ac 0702 0100 0000 0000 0000 0000 0000 1...............
>> 0x0050: 0000 ..
>> 10:27:14.852571 IP 18.187.1.231.123 > 70.42.74.x.29070: NTPv2, Reserved, length 440
>> 0x0000: 4500 01d4 2665 0000 3311 ba09 12bb 01e7 E...&e..3.......
>> 0x0010: 462a 4adf 007b 718e 01c0 7fb3 d702 032a F*J..{q........*
>> 0x0020: 0006 0048 0000 0001 0000 14ae 0000 0000 ...H............
>> 0x0030: 0000 00ef 2e69 c7e3 12bb 01e7 0000 0001 .....i..........
>> 0x0040: 1775 0702 0000 0000 0000 0000 0000 0000 .u..............
>> 0x0050: 0000 ..
>> 10:27:14.852638 IP 18.187.1.231.123 > 70.42.74.x.29070: NTPv2, Reserved, length 440
>> 0x0000: 4500 01d4 2666 0000 3311 ba08 12bb 01e7 E...&f..3.......
>> 0x0010: 462a 4adf 007b 718e 01c0 ef2f d703 032a F*J..{q..../...*
>> 0x0020: 0006 0048 0000 0000 0000 269a 0000 0000 ...H......&.....
>> 0x0030: 0000 000d 6d40 0b33 12bb 01e7 0000 0001 ....m@.3........
>> 0x0040: 6986 0702 0000 0000 0000 0000 0000 0000 i...............
>> 0x0050: 0000 ..
>> 10:27:14.852645 IP 18.187.1.231.123 > 70.42.74.x.29070: NTPv2, Reserved, length 440
>> 0x0000: 4500 01d4 2667 0000 3311 ba07 12bb 01e7 E...&g..3.......
>> 0x0010: 462a 4adf 007b 718e 01c0 dd8f d704 032a F*J..{q........*
>> 0x0020: 0006 0048 0000 0000 0000 27fc 0000 0000 ...H......'.....
>> 0x0030: 0000 0980 b27b fa5f 12bb 01e7 0000 0001 .....{._........
>> 0x0040: 0050 0702 0000 0000 0000 0000 0000 0000 .P..............
>> 0x0050: 0000 ..
>> 10:27:14.852679 IP 18.187.1.231.123 > 70.42.74.x.29070: NTPv2, Reserved, length 440
>> 0x0000: 4500 01d4 2668 0000 3311 ba06 12bb 01e7 E...&h..3.......
>> 0x0010: 462a 4adf 007b 718e 01c0 52e3 d705 032a F*J..{q...R....*
>> 0x0020: 0006 0048 0000 0000 0000 2bfd 0000 0000 ...H......+.....
>> 0x0030: 0000 0473 545e d566 12bb 01e7 0000 0001 ...sT^.f........
>> 0x0040: 0050 0702 0000 0000 0000 0000 0000 0000 .P..............
>> 0x0050: 0000 ..
>>
>>
>> (The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "223".)
>>
>> -John
>> President
>> Nuclearfallout, Enterprises, Inc. (NFOservers.com)
>>
>> (We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)
>>
>>
>
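The notice quoted above gives six tcpdump hex dumps and a 46800-byte worst case without showing how either is read. The Python below is an added example for this archive page, not code from SIPB, MIT IS&T or NFOservers. It parses the first quoted packet, checks that it is an ntpd mode 7 monlist response (implementation 3, request code 42, as defined in ntpd's ntp_request.h), decodes the first monitor entry (struct info_monitor_1), derives the amplification the notice cites, and includes a probe() that sends the same 8-byte monlist request a reflection attacker would, so a server can be re-checked after "disable monitor" or a restrictive "restrict default" line is applied. Assumptions: the 40-byte request size and the 100 packets of 6 entries implied by the 46800-byte figure are taken from the notice, and the sample dump is copied from its first packet.

```python
"""Decode the ntpd mode 7 "monlist" responses quoted in the notice and probe
a server for the same exposure. Added example for this thread, not code from
SIPB, MIT IS&T or NFOservers; layouts follow ntpd's ntp_request.h (8-byte
mode 7 header, struct info_monitor_1); 40-byte request size is the notice's."""
import ipaddress
import socket
import struct

# First response packet from the notice (tcpdump -x style, 82 of 468 bytes
# captured). Sample constructed for this example by copying the notice.
SAMPLE_DUMP = """\
0x0000: 4500 01d4 2663 0000 3311 ba0b 12bb 01e7
0x0010: 462a 4adf 007b 718e 01c0 e0d5 d700 032a
0x0020: 0006 0048 0000 0000 0000 0000 0000 0000
0x0030: 0000 02d7 462a 4adf 12bb 01e7 0000 0001
0x0040: 718e 0702 0000 0000 0000 0000 0000 0000
0x0050: 0000
"""
IMPL_XNTPD = 3          # implementation number ntpd answers with
REQ_MON_GETLIST_1 = 42  # request code behind "ntpdc -c monlist"
# Minimal 8-byte request: version 2, mode 7, impl 3, code 42, zero status words.
MONLIST_REQUEST = bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1]) + b"\0" * 4


def parse_tcpdump_hex(text):
    """Turn 'offset: xxxx xxxx ...' lines from tcpdump -x into raw bytes."""
    words = []
    for line in text.splitlines():
        if ":" in line:
            words.extend(line.split(":", 1)[1].split())
    return bytes.fromhex("".join(words))

def decode_mode7_header(payload):
    """Decode the 8-byte NTP mode 7 header; None if this is not mode 7."""
    if len(payload) < 8:
        return None
    b0, b1, impl, code, status, size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != 7:
        return None
    return {"response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
            "version": (b0 >> 3) & 0x07, "sequence": b1 & 0x7F,
            "implementation": impl, "request_code": code,
            "error": status >> 12, "items": status & 0x0FFF,
            "item_size": size & 0x0FFF}

def decode_monitor_item(item):
    """IPv4 fields of one struct info_monitor_1 entry (first 32 of 72 bytes)."""
    avg, last, _restr, count, addr, daddr, _flags, port, mode, ver = \
        struct.unpack("!IIIIIIIHBB", item[:32])
    return {"avg_interval": avg, "last_interval": last, "count": count,
            "client": str(ipaddress.IPv4Address(addr)),
            "server": str(ipaddress.IPv4Address(daddr)),
            "client_port": port, "mode": mode, "version": ver}

def decode_response(frame):
    """Walk IPv4 -> UDP -> NTP mode 7 for one captured response datagram."""
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 17:
        raise ValueError("not UDP")
    sport, dport, udp_len = struct.unpack("!HHH", frame[ihl:ihl + 6])
    payload = frame[ihl + 8:]
    hdr = decode_mode7_header(payload)
    if hdr is None:
        raise ValueError("not an NTP mode 7 packet")
    hdr["is_monlist"] = (hdr["implementation"] == IMPL_XNTPD
                         and hdr["request_code"] == REQ_MON_GETLIST_1)
    first = payload[8:8 + hdr["item_size"]]
    return {"src": str(ipaddress.IPv4Address(frame[12:16])), "sport": sport,
            "dst": str(ipaddress.IPv4Address(frame[16:20])), "dport": dport,
            "ip_total_length": total_len, "udp_length": udp_len, "ntp": hdr,
            "first_entry": decode_monitor_item(first) if len(first) >= 32 else None}

def amplification(response_packet_len, packets, request_len=40):
    """Bytes the reflector emits per byte the attacker sends."""
    return response_packet_len * packets / request_len

def classify_reply(data):
    """Interpret a reply to MONLIST_REQUEST, or its absence."""
    if data is None:
        return "no answer: dropped by filter/restrict, or not ntpd"
    hdr = decode_mode7_header(data)
    if hdr is None or not hdr["response"]:
        return "unexpected reply"
    if hdr["error"] == 0:
        return "EXPOSED: monlist answered with %d entries" % hdr["items"]
    return "refused: mode 7 error code %d" % hdr["error"]

def probe(host, port=123, timeout=2.0):
    """Send one monlist request to host (UDP/123) and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(MONLIST_REQUEST, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            data = None
    return classify_reply(data)

if __name__ == "__main__":
    r = decode_response(parse_tcpdump_hex(SAMPLE_DUMP))
    print(r["ntp"], r["first_entry"])
    print("worst case: %.0fx" % amplification(r["ip_total_length"], 100))
```

Decoding the first entry explains the "NTPv2, Reserved" that tcpdump prints (its name for mode 7) and shows who the server believed its client was: the entry records 70.42.74.223:29070, the attack target itself, with 727 requests counted, because every spoofed monlist query was logged as a client. Each 440-byte payload travels as a 468-byte IP datagram, so the 100-packet run the notice describes is 46800 bytes, 1170 times a 40-byte request. After changing ntp.conf and reloading, probe() should return anything other than an error-free mode 7 response; only that response means the host can still be used as a reflector.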