Introduction
Network Time Protocol (NTP) is a protocol used to synchronise computer clocks. It lets a computer synchronise with a time server or a clock source (such as a quartz oscillator or GPS) and delivers highly accurate time correction (within 1 millisecond of the reference on a LAN, tens of milliseconds on a WAN), and it can use cryptographic authentication to guard against malicious protocol attacks.
NTP is a protocol that serves synchronised time to computer clocks over the Internet. It provides a synchronisation mechanism that can distribute time across the large and diverse Internet, with propagation accounted for at the speed of light. Its design is based on returnable time: the time servers form a distributed subnet that self-organises, is configured in a hierarchical (stratum) manner, and synchronises its logical clocks to national time standards over wired or wireless links. In addition, through local routing algorithms and time daemons, servers can redistribute reference time.
Protocol
http://www.ntp.org/rfc.html
http://www.ietf.org/rfc/rfc5905.txt
Probing
ntpdc -n -c monlist 127.0.0.1

root@unix:~# ntpdc -n -c monlist 192.168.0.69
remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
192.168.0.118          36150 192.168.0.69          20 7 2      0    623       0
192.9.168.231            123 192.168.0.69         168 4 4      0    366       4
192.168.0.119          31948 192.168.0.69          24 7 2      0    412    6141

nmap -sU -p 123 -Pn -n --script ntp-info <target>

PORT    STATE SERVICE VERSION
123/udp open  ntp     NTP v4
| ntp-info:
|   receive time stamp: Sat Dec 12 16:22:41 2009
|   version: ntpd 4.2.4p4@1.1520-o Wed May 13 21:06:31 UTC 2009 (1)
|   processor: x86_64
|   system: Linux/2.6.24-24-server
|   stratum: 2
|_  refid: 195.145.119.188

nmap -sU -p 123 -Pn -n --script ntp-monlist <target>

PORT    STATE SERVICE REASON
123/udp open  ntp     udp-response
| ntp-monlist:
|   Target is synchronised with 127.127.38.0 (reference clock)
|   Alternative Target Interfaces:
|       10.17.4.20
|   Private Servers (0)
|   Public Servers (0)
|   Private Peers (0)
|   Public Peers (0)
|   Private Clients (2)
|       10.20.8.69      169.254.138.63
|   Public Clients (597)
|       4.79.17.248     68.70.72.194    74.247.37.194   99.190.119.152
|       ...
|       12.10.160.20    68.80.36.133    75.1.39.42      108.7.58.118
|       68.56.205.98
|       2001:1400:0:0:0:0:0:1                2001:16d8:dd00:38:0:0:0:2
|       2002:db5a:bccd:1:21d:e0ff:feb7:b96f  2002:b6ef:81c4:0:0:1145:59c5:3682
|   Other Associations (1)
|_      127.0.0.1 seen 1949869 times. last tx was unicast v2 mode 7

Metasploit: auxiliary/scanner/ntp/ntp_readvar

msf > use auxiliary/scanner/ntp/ntp_readvar
msf auxiliary(ntp_readvar) > show options

Module options (auxiliary/scanner/ntp/ntp_readvar):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    123              yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(ntp_readvar) > set RHOSTS 192.168.0.69
RHOSTS => 192.168.0.69
msf auxiliary(ntp_readvar) > run

[*] Connecting target 192.168.0.69:123...
[*] Sending command
[+] 192.168.0.69:123 - version="ntpd 4.2.4p3@1.1502-o Wed Dec 7 20:58:58 UTC 2011 (1)"
[+] 192.168.0.69:123 - processor="x86_64"
[+] 192.168.0.69:123 - system="Linux/2.6.16.60-0.21-smp"
[+] 192.168.0.69:123 - leap=0
[+] 192.168.0.69:123 - stratum=10
[+] 192.168.0.69:123 - precision=-20
[+] 192.168.0.69:123 - rootdelay=0.558
[+] 192.168.0.69:123 - rootdispersion=34.842
[+] 192.168.0.69:123 - peer=33586
[+] 192.168.0.69:123 - refid=192.9.168.231
[+] 192.168.0.69:123 - reftime=0xd7b130fa.032f3c9d
[+] 192.168.0.69:123 - poll=9
[+] 192.168.0.69:123 - clock=0xd7b1345c.c1cc6299
[+] 192.168.0.69:123 - state=4
[+] 192.168.0.69:123 - offset=-0.384
[+] 192.168.0.69:123 - frequency=20.120
[+] 192.168.0.69:123 - jitter=0.036
[+] 192.168.0.69:123 - noise=0.143
[+] 192.168.0.69:123 - stability=0.010
[+] 192.168.0.69:123 - tai=0
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Attack type
A reflection DDoS attack consists of two stages:
Reflection
NTP runs over UDP. In a UDP exchange the client sends a request packet to the server and the server returns a response to the client. Because UDP is connectionless, the client can forge its source IP address and set it to the victim's IP, so the NTP server's response packets are delivered to the victim instead.
Amplification
A single NTP request from the client is answered by one or more response packets, so the traffic that reaches the victim is larger than the traffic the attacker had to send.
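The two stages above can be watched for on the wire. The following is an added example for this post, not code from the original article or from the ntp project: it decodes the first bytes of a raw UDP/123 payload to recover the NTP version and mode, flags the mode 6 (ntpq control) and mode 7 (ntpdc private, including monlist) queries that the probes above send and that reflectors are abused with, and computes the amplification factor from a request and the responses it triggered. The packet bytes and flow records are constructed samples; the mode 7 request codes MON_GETLIST and MON_GETLIST_1 are the values used in ntpd's ntp_request.h.

```python
"""Classify NTP UDP/123 payloads by version and mode and flag the mode 6/7
query traffic that reflection attacks rely on. Added example for this post;
the sample packets and flow records below are constructed, not captured."""

MODE_NAMES = {
    0: "reserved", 1: "symmetric active", 2: "symmetric passive",
    3: "client", 4: "server", 5: "broadcast",
    6: "control (ntpq)", 7: "private (ntpdc)",
}

# Mode 7 request codes for the monitor list (values from ntpd's ntp_request.h)
MON_GETLIST = 20
MON_GETLIST_1 = 42


def parse_header(payload: bytes) -> dict:
    """Decode byte 0 (LI or R+M | VN | Mode) and, for mode 7 packets,
    the implementation and request-code bytes that identify monlist."""
    if len(payload) < 4:
        raise ValueError("NTP payload too short to classify")
    first = payload[0]
    mode = first & 0x07
    info = {
        "version": (first >> 3) & 0x07,
        "mode": mode,
        "mode_name": MODE_NAMES[mode],
        "length": len(payload),
    }
    if mode == 7:
        # Mode 7 layout: byte 0 = R|M|VN|Mode, byte 1 = A|Sequence,
        # byte 2 = implementation number, byte 3 = request code
        info["response"] = bool(first & 0x80)   # R bit: this is a reply
        info["more"] = bool(first & 0x40)       # M bit: more packets follow
        info["implementation"] = payload[2]
        info["request_code"] = payload[3]
        info["monlist"] = payload[3] in (MON_GETLIST, MON_GETLIST_1)
    return info


def is_suspicious(info: dict, internal_source: bool) -> bool:
    """Mode 6/7 queries arriving from outside the trusted network are the
    reflection vector; ordinary mode 3/4 time exchange is left alone."""
    return info["mode"] in (6, 7) and not internal_source


def amplification_factor(request: bytes, responses: list) -> float:
    """Bytes returned per byte of request: the amplification stage."""
    return sum(len(r) for r in responses) / len(request)


# Constructed sample payloads (no IP/UDP headers)
CLIENT_REQUEST = bytes([0x23]) + bytes(47)                       # LI=0 VN=4 mode=3, 48 bytes
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)     # VN=2 mode=7, req code 42, 8 bytes
MONLIST_RESPONSE = bytes([0xD7, 0x00, 0x03, 0x2A]) + bytes(436)  # R=1 M=1 VN=2 mode=7, 440 bytes
READVAR_REQUEST = bytes([0x16, 0x02, 0x00, 0x00]) + bytes(8)     # VN=2 mode=6 (ntpq control)

# Constructed flow records: (source address is on the internal network?, payload)
SAMPLE_FLOWS = [
    (True, CLIENT_REQUEST),     # normal client on the LAN
    (False, CLIENT_REQUEST),    # normal client from the Internet: fine
    (False, MONLIST_REQUEST),   # monlist query from the Internet: flag
    (True, MONLIST_REQUEST),    # admin running ntpdc from the LAN: fine
    (False, READVAR_REQUEST),   # readvar (mode 6) from the Internet: flag
]


def flag_flows(flows: list) -> list:
    """Return the indexes of the flows a defender should look at."""
    return [i for i, (internal, payload) in enumerate(flows)
            if is_suspicious(parse_header(payload), internal)]


if __name__ == "__main__":
    for i, (internal, payload) in enumerate(SAMPLE_FLOWS):
        hdr = parse_header(payload)
        verdict = "SUSPICIOUS" if is_suspicious(hdr, internal) else "ok"
        print(i, "internal" if internal else "external", hdr["mode_name"], verdict)
    # three constructed 440-byte replies to one 8-byte monlist request
    print("amplification factor:",
          amplification_factor(MONLIST_REQUEST, [MONLIST_RESPONSE] * 3))
```

The classifier only looks at the first four bytes, which is all that is needed to separate ordinary client/server exchange from control and private queries; a real deployment would feed it the UDP payload from a capture or a NetFlow exporter and alert on external mode 6/7 sources, or on a sudden rise in outbound mode 7 replies from a server that should only be answering mode 3 requests.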
Defense
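As an added example that is not part of the original post, the ntp.conf fragment below puts the permissive setting that makes a server usable as a reflector next to the hardened form. It assumes a classic ntpd configuration file; the directives shown (enable/disable monitor, restrict with noquery) are standard ntpd configuration keywords.

```conf
# Permissive: the monitor facility is on (it is on by default) and no
# restrict line limits who may send mode 6/7 queries, so monlist and
# readvar answer any source address, forged or not.
enable monitor

# Hardened: turn the monitor list off and refuse mode 6/7 queries from
# everyone except the local host, while still serving ordinary time
# requests (noquery does not affect mode 3 client traffic).
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
```

After changing the file, restart ntpd and re-run the ntp-monlist probe from the previous section against your own server; it should no longer return a client list.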
Recommended links:
NTP reflection attack
https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300
NTP Reply Flood Attack (NTP reflection DDoS attack)
http://www.cnblogs.com/cnsanshao/p/3518211.html
A brief discussion of NTP-based reflection and amplification attacks
http://www.2cto.com/Article/201402/278775.html
public ntp time server for everyone
http://www.pool.ntp.org/en/
Copyright notice: this article is an original work by u011130746 and is released under the CC 4.0 BY-SA licence; when reposting, include a link to the original and this notice.