[ITNOG] FW: Update - detection/classification/traceback/mitigation of ntp reflection/amplification attacks.

Gioanola, Marco mgioanola@arbor.net
Mon 24 Feb 2014 09:39:21 CET


Good morning, hoping this is useful, I am forwarding some considerations and
"mitigation" guidance on the recent NTP attacks.

regards



>
>-----Original Message-----
>
>From: Dobbins, Roland
>Date: Saturday, February 22, 2014 6:34 AM
>
>>
>>The ASERT team have been working with customers over the last
>>week-and-a-half to help them deal with the ongoing spate of ntp
>>reflection/amplification attacks.  [...]
>>
>>Standard ntp timesync requests and responses are 90 bytes in size on
>>Ethernet networks - 76 bytes plus 14 bytes of framing, which Peakflow SP,
>>TMS and APS disregard.  Attack traffic intended to abuse ntpds is either
>>smaller or larger than this, and the reflected/amplified attack traffic
>>emanating from abused ntpds is larger than this.
>>
>>So, blocking packets from UDP/anything -> UDP/123 which are *not* 76 bytes
>>in length squelches attack-source -> reflector/amplifier traffic, and
>>blocking packets from UDP/123 -> UDP/anything which are *not* 76 bytes in
>>length drops the amplified attack traffic on the reflector/amplifier ->
>>target leg of these attacks, while allowing normal timesync
>>requests/replies through.  These criteria can also be utilized for
>>detection/classification/traceback.
>>
>>[...]
>
>> flow classifier allows detection/classification/traceback of possible
>>ntp reflection/amplification attack traffic:
>>
>>proto udp and (src port 123 or dst port 123) and not bpp 76
>>
>>[...]
>
>>It may be preferable for customers to alert primarily on
>>reflector/amplifier -> target traffic.
>>
>>Match criteria for reflector/amplifier -> target traffic *only*:
>>
>>proto udp and src port 123 and not (bpp 36 or bpp 46 or bpp 76 or bpp
>>220)
>>
>>[...]
>
>>For TMS and APS, a Black-/White-List / Filter List like this is effective
>>for mitigation on both attack legs:
>>
>>drop proto udp and (src port 123 or dst port 123) and not bpp 76
>>
>>On TMS 4000, using this classifier for Flexible Zombie Removal and
>>metered rates of 8bps/8pps allows hardware-assisted blocking:
>>
>>proto udp and (src port 123 or dst port 123) and not bpp 76
>>
>>On routers and layer-3 switches which have the capability to match
>>packet-sizes in ACLs or QoS mechanisms in hardware, these same
>>classification criteria can be used to drop non-timesync ntp traffic.
>>The classifier syntax will vary based on
>>vendor/make/model/OS/train/revision/hardware capabilities, and it's
>>important to understand whether or not framing bytes are used in order to
>>set the appropriate size matching on specific devices.  S/RTBH of
>>identified attack traffic sources is also useful.
>>
>>It should be noted that this filtering of ntp traffic based upon packet
>>sizes will break ntptrace and other ntp-related administrative functions
>>(but *not* timesync requests/replies; also, such level-6 and -7 ntp
>>commands should be restricted to trusted management systems only, and
>>they aren't generally utilized by ordinary users).  Therefore, the scope
>>of such filtering should be as granular as possible - i.e., using TMS
>>with diversion/re-injection for specific destinations, for protection
>>groups being abused or under attack with APS, applying ACLs to the
>>coreward interfaces of mitigation center gateways and using
>>diversion/re-injection to limit the filtering scope, making policy
>>exceptions for trusted management systems, etc.
>>
>>[...]
>
>
>
--
Marco Gioanola
Consulting Engineer, EMEA
Arbor Networks
mgioanola@arbor.net
+39 339 7584747 (m)
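The two size-based classifiers quoted above, expressed as a runnable Python check, as an added example that is not code from the original post, from Arbor's products or from the ITNOG list. It evaluates `proto udp and (src port 123 or dst port 123) and not bpp 76` (both attack legs) and `proto udp and src port 123 and not (bpp 36 or bpp 46 or bpp 76 or bpp 220)` (reflector -> target leg only) over flow records, strips the 14 framing bytes when the exporter counted them (the caveat in the post about router/switch ACLs), and applies the trusted-management exception the post recommends so that mode 6/7 queries from a NOC host are not dropped. The `Flow` type, the function names, the management host list and every flow record are constructed for this example; the 36-byte request and 468-byte response sizes for the reflector legs are assumed illustrative values, not measurements from the post.

```python
"""Size-based NTP reflection/amplification classifier (added example, not from the post).

Mirrors the Peakflow/TMS/APS classifiers quoted in the thread:

    proto udp and (src port 123 or dst port 123) and not bpp 76
    proto udp and src port 123 and not (bpp 36 or bpp 46 or bpp 76 or bpp 220)

All names below are this example's own. Flow records and sizes are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

NTP_PORT = 123
ETHERNET_FRAMING = 14          # 14-byte Ethernet header; the post says Peakflow/TMS/APS ignore it
TIMESYNC_BPP = 76              # 20 IP + 8 UDP + 48 NTP (mode 1-5 timesync packet) = 76 bytes
REFLECTOR_OK_BPP = {36, 46, 76, 220}   # sizes the reflector -> target-only classifier lets through


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed shape; field names are this example's assumption)."""
    proto: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    byte_count: int
    packet_count: int
    framing_counted: bool = False   # True if the exporter/ACL counts layer-2 framing bytes

    def bpp(self) -> float:
        """Bytes per packet at the IP layer, removing framing if the device included it."""
        raw = self.byte_count / self.packet_count
        return raw - ETHERNET_FRAMING if self.framing_counted else raw


def is_ntp(flow: Flow) -> bool:
    return flow.proto.lower() == "udp" and NTP_PORT in (flow.src_port, flow.dst_port)


def is_suspect_ntp(flow: Flow) -> bool:
    """proto udp and (src port 123 or dst port 123) and not bpp 76  (either attack leg)."""
    return is_ntp(flow) and flow.bpp() != TIMESYNC_BPP


def is_reflector_to_target(flow: Flow) -> bool:
    """proto udp and src port 123 and not (bpp 36 or bpp 46 or bpp 76 or bpp 220)."""
    return (flow.proto.lower() == "udp"
            and flow.src_port == NTP_PORT
            and flow.bpp() not in REFLECTOR_OK_BPP)


def amplification_factor(request: Flow, response: Flow) -> float:
    """Per-packet amplification between the two legs of one abuse exchange."""
    return response.bpp() / request.bpp()


def mitigation_action(flow: Flow, trusted_mgmt: frozenset[str]) -> str:
    """Decision for 'drop proto udp and (...port 123...) and not bpp 76', with a management exception.

    Mode 6/7 control traffic (ntpq, ntpdc, ntptrace) is not 76 bytes and would be dropped
    by the size filter, so traffic to or from trusted management hosts is permitted explicitly.
    """
    if not is_suspect_ntp(flow):
        return "permit"
    if flow.src_ip in trusted_mgmt or flow.dst_ip in trusted_mgmt:
        return "permit-mgmt"
    return "drop"


def classify(flows: list[Flow], trusted_mgmt: frozenset[str]) -> list[tuple[bool, bool, str]]:
    """(suspect on either leg, reflector -> target leg, mitigation action) for each flow."""
    return [(is_suspect_ntp(f), is_reflector_to_target(f), mitigation_action(f, trusted_mgmt))
            for f in flows]


# Constructed sample flow records (not real captures). Sizes are IP-layer unless framing_counted=True.
SAMPLE_FLOWS = [
    # ordinary client request and server reply: 48-byte NTP payload -> 76 bytes per packet
    Flow("udp", "192.0.2.10", "198.51.100.5", 51234, 123, 76 * 3, 3),
    Flow("udp", "198.51.100.5", "192.0.2.10", 123, 51234, 76 * 3, 3),
    # the same request as counted by a router that includes the 14-byte Ethernet header (90 per frame)
    Flow("udp", "192.0.2.10", "198.51.100.5", 51234, 123, 90 * 3, 3, framing_counted=True),
    # spoofed short mode 7 requests sent at the reflector (attack-source -> reflector leg), 36 bytes assumed
    Flow("udp", "203.0.113.7", "198.51.100.5", 80, 123, 36 * 1000, 1000),
    # amplified responses from the reflector to the spoofed victim (reflector -> target leg), 468 bytes assumed
    Flow("udp", "198.51.100.5", "203.0.113.7", 123, 80, 468 * 100000, 100000),
    # a short mode 6 control query from the NOC monitoring host, 40 bytes per packet assumed
    Flow("udp", "192.0.2.250", "198.51.100.5", 40000, 123, 40 * 2, 2),
]
TRUSTED_MGMT = frozenset({"192.0.2.250"})   # assumed management system exempt from the size filter

if __name__ == "__main__":
    for f, (suspect, r2t, action) in zip(SAMPLE_FLOWS, classify(SAMPLE_FLOWS, TRUSTED_MGMT)):
        print(f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} "
              f"bpp={f.bpp():.0f} suspect={suspect} reflector_to_target={r2t} action={action}")
```

The framing point from the post is what the third sample flow exercises: the same 76-byte request reads as 90 bytes on a device that counts the Ethernet header, so a size match written for one device will silently miss or over-match on another. The same applies to a packet capture: on an Ethernet interface tcpdump's `len` includes framing, so the equivalent capture filter is `udp and (src port 123 or dst port 123) and len != 90`, not `len != 76`.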






