NTP has been an interesting protocol for a while, I remember first hearing about the reflection attack 4 years ago when HD Moore unveiled some very clever research in how the “monlist” command could be used for various purposes. The gist is that a small packet can cause the NTP service to return a potentially large list of IPs, using the “monlist” command, that it has recently interacted with. And it looks like the protocol has made waves again recently when people started to actually use the “monlist” command in a reflection attack, effectively creating a DDoS. It’s interesting that it’s taken nearly 4 years to take it from HD Moore’s original research to publicly aware DDoS method. Have the attackers not needed a new method until recently, did their tools lag or have people simply not detected that this has been going on for a while? I’m not sure what the answer is and I’d be interested to hear whether others know more about this.
NTP Meet Shodan
To learn more about NTP and how widely deployed it is across the Internet, I’ve added the NTP service to the list of ports that Shodan surveys. So far, Shodan has identified more than 1 million devices that are running NTP on the Internet. And along with adding the service, I’m also making available a variety of new filters and facets. These are currently only accessible via the Shodan API (and any tools using the new API), but the filters will be rolled out to the main website very soon.
Search the initial list of IPs that the monlist command returned.
The number of IPs that the initial monlist command returned.
The ports that the listed IPs used to connect to the NTP server.
true or false – Whether or not there was more data to be read (i.e. more than the initial list of values).
NTP Is Everywhere
Somewhat unsurprisingly, the amount of NTP servers is fairly uniformly distributed across the globe:
The exact breakdown is as follows (facet on country:10):
It’s interesting that South Korea has a disproportionate amount of NTP servers, but otherwise I’d say the numbers and global distribution look fine.
Watching the Watchers
An interesting side-effect of the “monlist” command is that doing the survey on the entire Internet reveals patterns within the IP lists themselves. For example, faceting on ntp.ip reveals that there are a few standout IPs that get returned by a lot of NTP servers. These top IPs are most likely scanning the Internet for NTP. The majority of the top IPs have websites setup that indicate they’re doing research on the NTP DDoS reflection/ amplification attack, but the #1 IP that is crawling for NTP servers is from China and doesn’t have any research website available or indicative hostname. The IP is “126.96.36.199” and historically it had an HTTP and FTP server running on it, though they aren’t available anymore (perhaps dynamic IP range). If anybody finds out more about that IP and whether or not it’s another research project, please let me know.
The default response packet for the “monlist” command returns up to 6 IPs. If the packet has the “more” flag set to true, then you can listen for more results until you have the entire list of IPs the NTP daemon stores. So how many of these NTP servers are very active and have more than just 6 IPs in their list? Lets first take a look at the general distribution of the number of IPs that are returned by NTP (facet on ntp.ip_count):
The absolute numbers of the chart don’t reflect all the data that’s stored in Shodan because the facets are still being processed. And among all of the NTP servers found in Shodan that properly responded to the “monlist” command, this is how many had more than 6 IPs available to return (facet on ntp.more):
Note that for these charts NTP servers that returned errors weren’t included. If the servers with errors were included, then there would be ~13.5% with more data. I.e. out of all NTP servers on the Internet, including ones that didn’t respond properly to the “monlist” command for various reasons, ~13.5% of the devices returned more than 6 IP addresses.
The IPs returned by “monlist” aren’t limited to publicly accessible IP addresses, they can also include information about the local, private network! Below is a chart breaking down how many NTP devices at the moment are exposing 1 or more private IP address:
At the time of writing, there are nearly 10,000 NTP servers that list a private IP on the 10.0.0.0/8 netblock in their response, and another ~7,000 devices that list an address in the 192.168.0.0/16 IP range. Of note is also that a few devices (4,345) even include their loopback IP in the response.
All the data is readily searchable via Shodan, so if you want to keep track of these stats and more just grab a free API key to get started. There’s also an updated Python library that exposes all of the facets, including the new NTP-related ones (stay tuned for more info on the API). There’s a lot more cool stuff that can be done with NTP and it’ll be exciting to see what further research into this area discovers!