Tag Archives: NTP

NTP Spoof Attacks

Apparently 2 out of 3 of our GPS clocks were being used in a spoof/DDOS attack.

The basic premise is that time requests are sent to the service with a spoofed source IP, so the reply goes to the victim rather than the sender. Multiply that by 100, 1,000 or 10,000 clocks all sending replies to a server or service that never asked for them, and the result is a denial of service attack.

Both clocks have been removed from the pool; the removal is scheduled for February 6th. Hickory.kulish.com has port 123 UDP closed at this time. The maintainer of Dickory.kulish.com has been notified.

At the height of the attack, from our perspective, we pushed 24 GB (bytes, not bits) of NTP traffic in 24 hours (not much by all accounts, but enough to help with the damage the asshat was trying to cause).

One clock was misconfigured: the noquery restriction had been commented out (likely for initial testing). This has been fixed.

NTP: ntpq output explained

Host1:~# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-navobs1.oar.net .USNO.           1 u  958 1024   377   89.425   -6.073   0.695
*navobs1.gatech. .GPS.            1 u  183 1024   375   82.102    1.639   0.281
-NAVOBS1.MIT.EDU .PSC.            1 u  895 1024   377   90.912   -0.207   0.368
+navobs1.wustl.e .GPS.            1 u   48 1024   377   76.890    1.093   0.525
-bigben.cac.wash .USNO.           1 u  924 1024   377  113.327    0.028   0.326
+tick.ucla.edu   .GPS.            1 u  107 1024   377  102.470    2.032   0.482
-ntp.alaska.edu  .GPS.            1 u  881 1024   377  168.741    5.180   5.157
-tock.mhpcc.hpc. .GPS.            1 u  933 1024   377  174.518   -1.094   0.054

Host2# ntpq -p
     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
+128.252.19.1    .GPS.            1 u  495 1024   377    30.90   -6.366    8.26
*139.78.133.139  .USNO.           1 u  936 1024   377    48.43   -2.906    5.20

Columns Defined:
remote: peers specified in the ntp.conf file, prefixed with a tally code
* = current time source
# = source selected, distance exceeds maximum value
o = source selected, Pulse Per Second (PPS) used
+ = source selected, included in final set
x = source false ticker
. = source selected from end of candidate list
- = source discarded by cluster algorithm
blank = source discarded, high stratum or failed sanity check

refid: remote source’s synchronization source

st: stratum level of the source

t: type of the source
l = local (such as a GPS, WWVB)
u = unicast (most common)
m = multicast
b = broadcast
- = netaddr

when: number of seconds since the last response was received

poll: polling interval, in seconds, for the source

reach: octal bit mask of success/failure in reaching the source over the last eight polls; 377 means all eight attempts succeeded

delay: the roundtrip time, in milliseconds, to receive a reply

offset: the time difference, in milliseconds, between this host and the source

disp/jitter: the dispersion or jitter, in milliseconds, between successive samples from the source
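As an added example (my code, not from the post), here is a Python parser for the `ntpq -p` layout above: it turns each row into a record, expands the octal reach register into per-poll success flags, and flags peers a sysadmin would want to look at. The check rules are my own choice; the 128 ms offset limit is ntpd's default step threshold, and the sample rows come from the Host1 listing.

```python
from collections import namedtuple

# Tally codes that may prefix the "remote" column, as listed above.
TALLY = "*#o+x.- "

# reach is ntpq's 8-bit shift register (printed in octal); jitter is headed "disp" on older builds.
Peer = namedtuple("Peer", "tally remote refid stratum kind when poll reach delay offset jitter")

def reach_history(peer):
    # Oldest-to-newest success flags for the last eight polls; 0o377 -> all eight True.
    return [bool((peer.reach >> i) & 1) for i in range(7, -1, -1)]

def parse_ntpq(text):
    # Skip the header and ===== separator; tolerate collapsed column whitespace.
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("remote", "=")):
            continue
        tally, body = (line[0], line[1:]) if line[0] in TALLY else (" ", line)
        f = body.split()
        if len(f) != 10:
            continue  # truncated or malformed line
        peers.append(Peer(tally, f[0], f[1], int(f[2]), f[3], f[4], int(f[5]),
                          int(f[6], 8), float(f[7]), float(f[8]), float(f[9])))
    return peers

def check_peers(peers, max_offset_ms=128.0):
    # Return (remote, reason) pairs worth a look: unsynchronized host, false
    # tickers, missed polls, or an offset past ntpd's 128 ms step threshold.
    findings = []
    if not any(p.tally == "*" for p in peers):
        findings.append(("(none)", "no system peer selected; host is not synchronized"))
    for p in peers:
        if p.tally == "x":
            findings.append((p.remote, "false ticker"))
        if p.reach != 0o377:
            findings.append((p.remote, f"reach {p.reach:o}: missed polls"))
        if abs(p.offset) > max_offset_ms:
            findings.append((p.remote, f"offset {p.offset} ms beyond {max_offset_ms} ms"))
    return findings

# Sample: three rows of the Host1 listing above, with column whitespace collapsed as
# it usually is once output has been pasted somewhere.
SAMPLE = """remote refid st t when poll reach delay offset jitter
==========================================================
-navobs1.oar.net .USNO. 1 u 958 1024 377 89.425 -6.073 0.695
*navobs1.gatech. .GPS. 1 u 183 1024 375 82.102 1.639 0.281
+navobs1.wustl.e .GPS. 1 u 48 1024 377 76.890 1.093 0.525
"""
```

Running `check_peers(parse_ntpq(SAMPLE))` reports only navobs1.gatech., whose reach of 375 means the second-most-recent poll went unanswered.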

Quick Update:
Here is a more in-depth reference:
https://pthree.org/2013/11/05/real-life-ntp/