NTP Mode 6 Vulnerabilities
Table of Contents
NTP services which respond to “Mode 6” queries are inherently vulnerable to amplification attacks. Amplification attacks occur when an attacker can use a small amount of network resources to consume an exponentially larger amount of resources on the victim network. Two common Mode 6 vulnerabilities exist:
- Mode 6 Amplification Attacks
- Mode 6 Information Disclosure
Mode 6 Amplification Attacks
Mode 6 allows a client to use a small query to cause the server to respond with a large response. Now this behavior is not something especially abnormal. After all, web clients do this all the time. But NTP communicates over UDP, not TCP.
Since UDP is a stateless protocol, packets can easily be forged. The behavior above becomes considerably more impactful if multiple hosts spoofed Mode 6 packets with the IP of a victim. In such a scenario, it wouldn’t take much resources to substantially amplify network resources and direct it to a victim IP.
Mode 6 Information Disclosure
Mode 6 queries can often be used to obtain system information such as system and kernel versions.
Network Time Protocol (NTP) Mode 6 Scanner
Vulnerability scanners will often raise this issue as medium risk. We agree with this assessment, with the exception of internal networks. Since the likelihood of exploitation on an internal network declines significantly, we rate this issue as low risk on internal networks.
The vulnerability can confirmed with the following nmap command:
$ sudo nmap -Pn -sU -p123 --script ntp-info –n {host}
An example response should be received:
PORT STATE SERVICE
123/udp open ntp
| ntp-info:
| receive time stamp: 2021-06-10T16:34:52
| version: ntpd 4.2.6p2@1.2194 Mon Jun 24 12:37:15 UTC 2013 (79)
| processor: x86_64
| system: Linux/2.6.99.99
| leap: 3
| stratum: 16
| precision: -21
| rootdelay: 0.000
| rootdispersion: 3286057.565
| peer: 0
| refid: INIT
| reftime: 0x00000000.00000000
| poll: 3
| clock: 0xe3c51e85.3c189ffa
| offset: 0.000
| frequency: 0.000
| noise: 0.000
| jitter: 0.000
|_ stability: 0.000\x0D
Service Info: OS: Linux/2.6.99.99
Remediation of Mode 6 Vulnerabilities
The easiest and most common way to remediate this issue is by firewalling NTP. Unless you require external clients to use the NTP service from the public internet, it is best to restrict the attack surface completely and firewall or disable the service completely.
NTP on IOS
When enabling NTP on IOS, by default the NTP server is also enabled on all interfaces.
Solution 1: Disable NTP Completely
To disable NTP completely, the following command can be used:
disable ntp
Solution 2: Restrict NTP via Access Controls
ntp access-group { access-list-number | access-list-number-expanded | access-list-name }
References
The full NTP Mode 6 specification can be found here: https://docs.ntpsec.org/latest/mode6.html