Build a trigger to monitor responses to NTP monlist requests
Machines in your environment synchronize clocks through the Network Time Protocol (NTP), but NTP has some security vulnerabilities such as amplification attacks that lead to denial of service.
For example, an attacker can spoof the IP address of your NTP server, and then repeatedly send a monlist command through the spoofed address. The monlist command requests a list of the last 600 hosts that connected to the NTP server, but because the requesting IP address is spoofed, the server actually sends the list to the spoofed address. The response is considerably larger than the request, and the spoofed client becomes overloaded, which can lead to denial of legitimate requests.
In this walkthrough, you will write a trigger that checks UDP traffic on your NTP server for responses to monlist commands. The trigger also sends an alert-level message to a remote syslog server when a monlist response occurs.
Prerequisites
- You must have access to an ExtraHop system with a user account that has unlimited privileges.
- Your must have at least one NTP server that you want to monitor.
- You must have a remote syslog server that can receive data from the ExtraHop system.
- You must have familiarity with JavaScript.
- Familiarize yourself with the concepts in this walkthrough by reading the Open Data Streams section in the ExtraHop Admin UI Guide and the Get started with triggers section in the ExtraHop System User Guide.
- Familiarize yourself with the processes of creating triggers and configuring open data streams by completing the Trigger Walkthrough and the ODS Walkthrough.
Configure an open data stream to a syslog target
In the following steps, you will configure the host, port, and protocol for the open data stream target.
Write a trigger to parse NTP payloads
In the following steps, you will write a trigger that specifies what data to examine from NTP server responses and whether to send the data to a remote syslog server.
Assign the UPA trigger to a device
Before the trigger can examine UDP response payloads, you must assign the trigger to at least one device. For this walkthrough, you will assign the trigger to NTP servers on your network.
Important: | Assign triggers only to the specific devices that you need to collect metrics from to minimize the performance impact of your triggers on the ExtraHop system. |
- Click Assets from the top menu.
- From the left pane, click Devices.
- In the Name column, locate at least one NTP server and select the checkbox.
- Click Assign Trigger at the top of the page.
- Click the checkbox next to the Parse UDP payload for NTP responses trigger, and then click Assign Triggers.
Check your syslog server and the debug log for trigger results
When a response to a monlist command is sent by the NTP server, the trigger sends an alert-level message to your remote syslog server. The message contains the IP address of the NTP server that sent the response, similar to the following message:
1 2017-01-11T22:14:15.003Z mymachine.example.com monlist enabled on 198.51.100.0
In addition, the trigger sends output to the debug log if debugging is enabled. To view the results of the debug statement, return to the Edit Trigger pane, click Edit Trigger Script, and click Debug Log. The output includes the IP address of the NTP server, the monlist request code, and the error code, similar to the following output:
NTP Server 198.51.100.0 responded to mode 7 command 42 with error code 0.
If the trigger results indicate that your NTP server has responded to a monlist command, you can take one of the following actions:
- Upgrade your NTP server to version 4.2.7 or later, which disallows monlist commands by default. Downloads are available from the NTP Software Downloads page at www.ntp.org.
- Modify the ntp.conf file on the NTP server to disable the monitoring function that allows monlist commands. Instructions are available on the Access Restrictions page at www.ntp.org.
- If your security and monitoring workflow requires that your NTP server responds to monlist commands, you can leverage this trigger to tighten controls around NTP responses. For example, you can create custom metrics based on information extracted with the trigger. With those custom metrics, you can create a dashboard to track NTP server activity or configure an alert that notifies you of responses to monlist commands.
If your NTP server is already configured to disallow monlist commands, you will not receive any syslog messages or see output in the debug log. You can still check that the trigger is running through one of the following actions:
- Return to the Edit Trigger pane and view the Capture Trigger Load chart. The graph shows activity as long as there is UDP traffic on the NTP server.
- View the Trigger Executes and Drops chart on the System Health dashboard. The chart shows activity that indicates the trigger is running.
- Test for monlist commands from the client-side. Modify the trigger by setting the buf variable to Flow.client.payload, and then send a monlist command through a program such as ntpdc to the NTP server. This code change in conjunction with the monlist command extracts the request payload and the trigger sends a message to syslog and shows results in the output log.
By running this trigger, you learn whether your NTP servers are vulnerable to amplification attacks and what you can do to either monitor for attacks or disable the NTP commands that open the door to attacks.
Thank you for your feedback. Can we contact you to ask follow up questions?