The somewhat illegal fix for NTP attacks
Hi

The following would probably be illegal so do not actually do this. But what if... there are just 4 billion IPv4 addresses. Scanning that address-space for open NTP is trivially done in a few hours. Abusing these servers for a reflection attack is as trivial, hence the problem. How can we get the responsible parties to fix their NTP servers?

Answer: DDoS them. With their own service.

Or it could be a DDoS defense. As a victim of an ongoing NTP reflection attack, you know exactly the IP-addresses of the vulnerable NTP servers used to attack you. Make them stop by sending back forged NTP packets, so they use up their available bandwidth to DDoS each other instead of you.

This could even be automated. If you let them attack their next-hop as discovered by traceroute, it might not even be illegal or harmful. They will only bring down their own link, do no more harm to the internet at large and they can fix it by stopping the NTP service. If they are part of an ongoing DDoS attack it is just self-defence to shut them down in the least harmful way possible.

Regards,

Baldur
On 21 February 2014 14:08, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:

> Hi
>
> The following would probably be illegal so do not actually do this. But what if... there are just 4 billion IPv4 addresses. Scanning that address-space for open NTP is trivially done in a few hours. Abusing these servers for a reflection attack is as trivial, hence the problem. How can we get the responsible parties to fix their NTP servers?
>
> Answer: DDoS them. With their own service.

/me gets some popcorn and waits for the show.

--
Landon Stewart <LandonStewart@Gmail.com>
It's never appropriate to respond to abuse with abuse. Not only is it questionable/unprofessional behavior, but -- as we've seen -- there is a high risk that it'll exacerbate the problem, often by targeting innocent third parties.

I understand the frustration but this is not the way.

---rsk
On Sat, Feb 22, 2014 at 6:41 AM, Rich Kulawiec <rsk@gsp.org> wrote:

> It's never appropriate to respond to abuse with abuse. Not only is it questionable/unprofessional behavior, but -- as we've seen -- there is a high risk that it'll exacerbate the problem, often by targeting innocent third parties.
>
> I understand the frustration but this is not the way.
>
> ---rsk

Perhaps you would rather publish a blacklist of "/24s containing NTP servers open to MONLIST" over UDP port 123, similar to the bogon feeds. And encourage all networks to blackhole the list. That way potential NTP reflection abuse traffic gets stuffed as close to the source as possible.

--
-JH
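Both the "you know exactly the IP-addresses of the vulnerable NTP servers" point and the "/24s open to MONLIST" blackhole-feed idea above rest on being able to recognise monlist traffic on the wire. The following is an added example, not code from the thread or from any of its participants: it decodes NTP mode-7 (private mode) packets by the header and info_monitor_1 layout in ntpd's ntp_request.h (request code 42 = REQ_MON_GETLIST_1, 72-byte items with the IPv4 client address at byte offset 16 and the last source port at offset 28), flags monlist probes and replies, pulls the leaked client list out of a reply, measures the amplification of one reply against the 8-byte probe, and reduces the reflectors seen at a victim to the /24 granularity of the proposed feed. The reply packet and the packet tuples are constructed fixtures using RFC 5737 documentation addresses, not captured traffic; `reflector_prefixes` and `build_monlist_reply` are names chosen here, not ntpd or tool APIs.

```python
"""
NTP mode-7 ("private mode") classifier: spot monlist probes, pull the client
list out of a monlist reply, and size the amplification.  Header and item
layout follow ntpd's ntp_request.h (REQ_MON_GETLIST_1 = 42, 72-byte
info_monitor_1 items with the IPv4 client address at offset 16 and the
source port at offset 28).  All packets below are constructed, not captured.
"""
import ipaddress
import struct

MODE_PRIVATE = 7          # low 3 bits of byte 0
RESP_BIT, MORE_BIT = 0x80, 0x40
IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 42
MON_ITEM_SIZE = 72

# The 8-byte probe that scanners and reflection attackers send: version 2,
# mode 7, implementation 3, request code 42, no data.
MONLIST_PROBE = bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0, 0, 0])


def parse_mode7(payload: bytes):
    """Decode the 8-byte mode-7 header; return None for non-mode-7 traffic."""
    if len(payload) < 8:
        return None
    b0, b1, impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        return None          # e.g. 0x1b = v3 client, the ordinary time query
    return {
        "response": bool(b0 & RESP_BIT),
        "more": bool(b0 & MORE_BIT),
        "version": (b0 >> 3) & 0x07,
        "seq": b1 & 0x7F,
        "impl": impl,
        "req": req,
        "err": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_size & 0x0FFF,
        "data": payload[8:],
    }


def is_monlist_request(payload: bytes) -> bool:
    p = parse_mode7(payload)
    return p is not None and not p["response"] and p["req"] == REQ_MON_GETLIST_1


def is_monlist_reply(payload: bytes) -> bool:
    p = parse_mode7(payload)
    return (p is not None and p["response"]
            and p["req"] == REQ_MON_GETLIST_1 and p["err"] == 0)


def monlist_clients(payload: bytes):
    """(ipv4, port) for each client a monlist reply leaks; [] if not such a reply."""
    if not is_monlist_reply(payload):
        return []
    p = parse_mode7(payload)
    size, out = p["itemsize"], []
    for i in range(p["nitems"]):
        item = p["data"][i * size:(i + 1) * size]
        if len(item) < 30:   # need offsets 16..19 (addr) and 28..29 (port)
            break
        addr, = struct.unpack("!I", item[16:20])
        port, = struct.unpack("!H", item[28:30])
        out.append((str(ipaddress.IPv4Address(addr)), port))
    return out


def amplification(request: bytes, replies) -> float:
    """Bytes returned per byte sent, for one probe and the replies it triggered."""
    return sum(len(r) for r in replies) / len(request)


def reflector_prefixes(packets, victim: str):
    """packets: iterable of (src_ip, dst_ip, udp_payload) seen at the victim.
    Returns the /24s that sent monlist replies to `victim`, the granularity
    of the blackhole feed proposed in the thread."""
    prefixes = set()
    for src, dst, payload in packets:
        if dst == victim and is_monlist_reply(payload):
            prefixes.add(str(ipaddress.ip_network(f"{src}/24", strict=False)))
    return prefixes


def build_monlist_reply(clients, seq=0, more=False) -> bytes:
    """Constructed fixture: one monlist reply packet laid out as ntpd would."""
    b0 = RESP_BIT | (MORE_BIT if more else 0) | (2 << 3) | MODE_PRIVATE
    hdr = struct.pack("!BBBBHH", b0, seq, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      len(clients), MON_ITEM_SIZE)
    body = bytearray()
    for ip, port in clients:
        item = bytearray(MON_ITEM_SIZE)
        struct.pack_into("!I", item, 16, int(ipaddress.IPv4Address(ip)))
        struct.pack_into("!H", item, 28, port)
        item[30], item[31] = 3, 4    # mode/version of the client's last packet
        body += item
    return hdr + bytes(body)


if __name__ == "__main__":
    # Constructed traffic at victim 192.0.2.1: two reflectors in one /24
    # answering, a scanner probing, and an ordinary v3 client query (0x1b)
    # that must not be flagged.
    reply = build_monlist_reply([("192.0.2.10", 123), ("198.51.100.7", 40000)])
    seen = [("203.0.113.5", "192.0.2.1", reply),
            ("203.0.113.9", "192.0.2.1", reply),
            ("198.51.100.2", "192.0.2.1", MONLIST_PROBE),
            ("192.0.2.50", "192.0.2.1", b"\x1b" + b"\x00" * 47)]
    print("probe:", is_monlist_request(MONLIST_PROBE))
    print("clients leaked:", monlist_clients(reply))
    print("amplification, one reply: %.1fx" % amplification(MONLIST_PROBE, [reply]))
    print("reflector /24s:", reflector_prefixes(seen, "192.0.2.1"))
```

A single reply with two entries is already 152 bytes against an 8-byte probe; a real monlist answer is delivered as a run of such packets (six 72-byte entries each), so the ratio measured from a capture grows with how many reply packets are collected per probe. On the operator side the same `is_monlist_request` check run against inbound UDP/123 traffic tells you whether your own servers are being probed; the ntpd-side fix is to stop answering mode 7 at all (`restrict default ... noquery`, or `disable monitor`), after which `monlist_clients` on the reply returns nothing because no reply is sent.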
Well. Since when are SNMP, NTP or DNS vulnerable? They all follow the appropriate RFCs, contrary to all those ASes and /24s that keep allowing spoofed source IP addresses. The victims of attacks could get the Tiers to follow back the source of the attack instead, but the corporations involved have more money than the small guy you'll bash for having the balls to run a resolver for his roaming customers.

This false debate will never end...

-----
Alain Hebert                                ahebert@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 02/22/14 16:09, Jimmy Hess wrote:

> On Sat, Feb 22, 2014 at 6:41 AM, Rich Kulawiec <rsk@gsp.org> wrote:
>
> > It's never appropriate to respond to abuse with abuse. Not only is it questionable/unprofessional behavior, but -- as we've seen -- there is a high risk that it'll exacerbate the problem, often by targeting innocent third parties.
> >
> > I understand the frustration but this is not the way.
> >
> > ---rsk
>
> Perhaps you would rather publish a blacklist of "/24s containing NTP servers open to MONLIST" over UDP port 123, similar to the bogon feeds.
> And encourage all networks to blackhole the list.
> That way potential NTP reflection abuse traffic gets stuffed as close to the source as possible.
>
> --
> -JH
On Feb 21, 2014, at 5:08 PM, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:

> Hi
>
> The following would probably be illegal so do not actually do this. But what if... there are just 4 billion IPv4 addresses. Scanning that address-space for open NTP is trivially done in a few hours. Abusing these servers for a reflection attack is as trivial, hence the problem. How can we get the responsible parties to fix their NTP servers?
>
> Answer: DDoS them. With their own service.

One of the attacks that was mitigated the fastest was the SQL Slammer worm, due to the broad impact it had across the internet. The OpenNTP and OpenResolver projects provide inventories of these servers for operators to take action and to take to their customer cone.

> Or it could be a DDoS defense. As a victim of an ongoing NTP reflection attack, you know exactly the IP-addresses of the vulnerable NTP servers used to attack you. Make them stop by sending back forged NTP packets, so they use up their available bandwidth to DDoS each other instead of you.
>
> This could even be automated. If you let them attack their next-hop as discovered by traceroute, it might not even be illegal or harmful. They will only bring down their own link, do no more harm to the internet at large and they can fix it by stopping the NTP service. If they are part of an ongoing DDoS attack it is just self-defence to shut them down in the least harmful way possible.

Do you have a letter from the local law enforcement or legal counsel on this topic? If so, can you please share it with the class or submit a presentation to an upcoming conference on this?

- Jared
participants (6)

- Alain Hebert
- Baldur Norddahl
- Jared Mauch
- Jimmy Hess
- Landon
- Rich Kulawiec