Full Report
The intertubes have been humming lately about a certain NTP feature that can be used to gather lists of an NTP server's clients, and it naturally grabbed our attention. The humming was started by HD Moore, who recently revealed that it is possible to query NTP servers for lists of client addresses and use that information for fun and profit. He also mentioned that he will be releasing a paper describing all this and how he can create a sizable DDoS using NTP, without giving too much detail about it.
Analysis Summary
# Tool/Technique: NTP monlist Query (Client Listing)
## Overview
This technique involves querying Network Time Protocol (NTP) servers using specific diagnostic commands, primarily `monlist`, to extract a list of recent client IP addresses that have communicated with the server. This information leakage can be used for reconnaissance, footprinting, and potentially as a precursor to Distributed Denial of Service (DDoS) attacks leveraging NTP amplification/reflection.
## Technical Details
- Type: Technique
- Platform: NTP Servers (running `ntpd`)
- Capabilities: Disclosure of system monitoring data, specifically the last approximately 600 client IP addresses.
- First Seen: Disclosure highlighted around March 2010 (by HD Moore and SensePost analysis).
## MITRE ATT&CK Mapping
- TA0043 - Impact
  - T1498 - Network Denial of Service
  - T1498.004 - Application Layer Denial of Service (related to UDP amplification/reflection leveraging the volume of traffic)
- TA0011 - Command and Control
  - T1573 - Encrypted Channel (not directly applicable to the query itself but a general note on C2)
- TA0013 - Data Exfiltration
  - T1041 - Exfiltration Over C2 Channel (The data gathered is information leakage usable for reconnaissance)
- TA0012 - Discovery
  - T1595 - Active Scanning
    - T1595.001 - Scan Passive Network (Leveraging existing server infrastructure for target discovery)
## Functionality
### Core Capabilities
- **Client Enumeration:** Using the `monlist` command via `ntpdc` or custom tools to retrieve up to approximately 600 recent client IP addresses from the NTP server's internal monitoring cache.
- **Information Leakage:** Revealing internal network addresses (private IPs) of clients accessing the NTP server, acting as an inadvertent host discovery mechanism.
### Advanced Features
- **DDoS Vector:** The technique is noted as a potential basis for creating large-scale DDoS attacks. HD Moore suggested a technique to generate 30 Gbps DDoS traffic, likely involving spoofing the source address of the `monlist` request and using the retrieved client list to reflect traffic or as targets.
- **Footprinting:** Identifying devices, products (e.g., Ubuntu systems), and networks connected to specific time servers.
- **Multi-homing Leakage:** Potentially uncovering secondary IP addresses (including IPv6 or interfaces on different networks) for the targeted NTP server if it is multi-homed.
## Indicators of Compromise
- File Hashes: N/A (The technique exploits a server feature, not malware execution.)
- File Names: `ntp_monlist.py` (Custom script mentioned in the article)
- Registry Keys: N/A
- Network Indicators:
  - **Protocol:** UDP Port 123 (NTP)
  - **Command Sequence:** Sending a specially crafted NTP packet or using `ntpdc` to issue the `monlist` command.
- Behavioral Indicators: High-volume UDP traffic on port 123 returning large data payloads (approx. 45 KB of response data per request for 600 records).
## Associated Threat Actors
- HD Moore (Credited with initial public revelation and associated Metasploit module development).
- SensePost Researchers (Analyzed and publicized the impact, including information disclosure of internal IPs).
- Unspecified actors capable of large-scale DDoS attacks exploiting reflection/amplification vectors.
## Detection Methods
- Signature-based detection: Signatures targeting the specific NTP packet structure used for the `monlist` command (if distinguishable from standard NTP queries).
- Behavioral detection: Monitoring NTP servers for unusually large UDP response packets originating from requests that appear to query monitoring or diagnostic functions rather than standard time synchronization.
- YARA rules: Not applicable for network technique detection.
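The behavioral check above, as an added example that is not code from the original article or from SensePost: a Python script that reads a constructed per-packet UDP summary log, sums request and response bytes for each NTP server/client pair, and flags exchanges whose reply volume is far outside the symmetric 48-byte request and 48-byte response of ordinary time synchronization. The log format, the addresses and the thresholds are assumptions made for this example; the 100 replies of 440 bytes correspond to the roughly 45 KB dump for a 600-entry `monlist` that the report mentions.

```python
"""Behavioral detection of monlist-style NTP amplification responses.

Added example. Aggregates constructed UDP packet summaries for port 123 and
flags (server, client) pairs whose response volume dwarfs the request volume.
"""
import re
from collections import defaultdict

NTP_PORT = 123
# Thresholds are assumptions for this example: a normal NTP exchange is 48
# bytes each way, so replies ten times the request volume, or more than
# 8 KiB for one query, are far outside time-synchronization traffic.
RATIO_THRESHOLD = 10.0
RESPONSE_BYTES_THRESHOLD = 8192

# Assumed log line format (not a real product's format):
# <timestamp> udp <src_ip>:<src_port> -> <dst_ip>:<dst_port> bytes=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) udp (?P<sip>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dip>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def _build_sample_log():
    """Constructed sample: two normal exchanges, then one monlist dump."""
    lines = []
    for ip, port in (("192.0.2.10", 40001), ("192.0.2.11", 40002)):
        lines.append(f"2010-03-21T10:00:01Z udp {ip}:{port} -> 203.0.113.5:123 bytes=48")
        lines.append(f"2010-03-21T10:00:01Z udp 203.0.113.5:123 -> {ip}:{port} bytes=48")
    # One 48-byte query answered by 100 packets of 440 bytes (~45 KB),
    # the size of a full 600-entry monlist reply described in the report.
    lines.append("2010-03-21T10:00:05Z udp 198.51.100.77:5555 -> 203.0.113.5:123 bytes=48")
    lines.extend(
        "2010-03-21T10:00:05Z udp 203.0.113.5:123 -> 198.51.100.77:5555 bytes=440"
        for _ in range(100)
    )
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _build_sample_log()


def parse_flow_log(text):
    """Yield parsed packet summaries; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            yield {
                "ts": d["ts"],
                "sip": d["sip"], "sport": int(d["sport"]),
                "dip": d["dip"], "dport": int(d["dport"]),
                "bytes": int(d["bytes"]),
            }


def aggregate_ntp_exchanges(packets):
    """Group packets by (server, client, client_port), summing each direction."""
    stats = defaultdict(lambda: {"req_bytes": 0, "req_pkts": 0,
                                 "resp_bytes": 0, "resp_pkts": 0})
    for p in packets:
        if p["dport"] == NTP_PORT:        # client -> server: a request
            s = stats[(p["dip"], p["sip"], p["sport"])]
            s["req_bytes"] += p["bytes"]
            s["req_pkts"] += 1
        elif p["sport"] == NTP_PORT:      # server -> client: a response
            s = stats[(p["sip"], p["dip"], p["dport"])]
            s["resp_bytes"] += p["bytes"]
            s["resp_pkts"] += 1
    return stats


def detect_amplification(packets):
    """Return one finding per exchange whose reply volume is anomalous."""
    findings = []
    for (server, client, cport), s in aggregate_ntp_exchanges(packets).items():
        # Responses with no observed request (sensor on the receiving side
        # of reflected traffic) give an infinite ratio and are flagged too.
        ratio = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else float("inf")
        if ratio >= RATIO_THRESHOLD or s["resp_bytes"] >= RESPONSE_BYTES_THRESHOLD:
            findings.append({
                "server": server, "client": client, "client_port": cport,
                "request_bytes": s["req_bytes"], "response_bytes": s["resp_bytes"],
                "response_packets": s["resp_pkts"], "ratio": round(ratio, 1),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_amplification(parse_flow_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log the two ordinary exchanges score a ratio of 1.0 and stay silent, while the single 48-byte query answered with 44,000 bytes is reported with a ratio above 900. A signature-based rule would instead key on the request itself: `monlist` is carried in ntpd's private mode (mode 7) rather than the mode 3 client packets used for time synchronization, so the mode field alone separates diagnostic queries from normal traffic.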
## Mitigation Strategies
- Prevention measures: Disabling diagnostic commands like `monlist` on public-facing NTP servers.
- Hardening recommendations:
  1. Restrict access to NTP services using firewall rules, allowing queries only from trusted sources or specific internal subnets.
  2. Configure the NTP software (e.g., `ntpd`) to use access control lists (ACLs), via its `restrict` options, so that private diagnostic queries such as `monlist` are refused.
  3. Implement rate limiting on UDP port 123 traffic to prevent abuse and massive response dumps.
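An added example, not from the original article, of checking step 2 in practice: a Python audit of an `ntp.conf` against the hardening above. It relies on two directives that are ntpd's own: the `noquery` flag on `restrict default`, which makes the daemon refuse control and diagnostic queries such as `monlist`, and `disable monitor`, which stops ntpd from keeping the client list that `monlist` reports in the first place. Both sample configurations are constructed; the weak one still serves time correctly but answers `monlist`, the hardened one does not.

```python
"""Audit an ntp.conf for the monlist-related hardening steps.

Added example. Checks that every 'restrict default' line carries the
noquery/nomodify/notrap/nopeer flags and that 'disable monitor' is set.
"""

# Constructed sample: serves time, but answers diagnostic queries and
# keeps the client list, so monlist returns the last ~600 clients.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

# Constructed sample: diagnostic queries refused for everyone, client list
# not kept, an internal subnet may synchronize but not reconfigure or trap.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap
"""

REQUIRED_DEFAULT_FLAGS = ("noquery", "nomodify", "notrap", "nopeer")


def parse_ntp_conf(text):
    """Return (list of flag sets on 'restrict default' lines, monitor_disabled)."""
    default_flags = []
    monitor_disabled = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "restrict":
            args = tokens[1:]
            if args and args[0] in ("-4", "-6"):  # address-family selector
                args = args[1:]
            if args and args[0] == "default":
                default_flags.append(frozenset(args[1:]))
        elif tokens[0] == "disable" and "monitor" in tokens[1:]:
            monitor_disabled = True
    return default_flags, monitor_disabled


def audit_ntp_conf(text):
    """Return human-readable findings; an empty list means the config passes."""
    default_flags, monitor_disabled = parse_ntp_conf(text)
    findings = []
    if not default_flags:
        findings.append("no 'restrict default' line: any address may query the daemon")
    for flags in default_flags:
        if "ignore" in flags:
            continue  # 'ignore' drops every packet, nothing further to require
        missing = [f for f in REQUIRED_DEFAULT_FLAGS if f not in flags]
        if missing:
            findings.append("'restrict default' is missing: " + ", ".join(missing))
    if not monitor_disabled:
        findings.append("'disable monitor' absent: ntpd keeps the client list that monlist reports")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or "OK")
```

The weak configuration yields two findings (no `noquery` on the default ACL, monitoring still enabled) and the hardened one none. Note that the per-subnet `restrict` line in the hardened sample deliberately omits `noquery` so that internal hosts can still be queried for status; with `disable monitor` in place, a `monlist` from that subnet has nothing to report, which is why the audit requires both settings rather than either one.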
## Related Tools/Techniques
- `ntpdc`: The standard client utility used to interact with NTP daemon features, including `monlist`.
- Metasploit Auxiliary Module: `auxiliary/scanner/ntp/ntp_monlist.rb` (mentioned as being released by HD Moore).
- Maltego: Used by SensePost for visualizing the relationship graphs between discovered NTP servers and their clients.
- NTP Amplification/Reflection DDoS: The technique's malicious potential lies in using the feature as a reconnaissance phase for launching large UDP reflection attacks.