Perform an NTP DDoS attack in your own virtual network. To attempt the attack, you should first try the Ping flooding DDoS attack as covered in the lecture, setting up the eight nodes as per the ping attack instructions (the step of Ping to Entire Network using Directed Broadcast is not necessary). Then, using the same nodes/setup, perform an NTP DDoS attack: follow the NTP attack instructions to set up the NTP servers and start the attack with ntprepeat.

You must perform the attacks inside a virtual network using virtnet. You should already have this set up from previous homeworks. The attacks require 8 nodes, which may need about 1.2GB of RAM. If your computer only has 2GB of RAM, then it may not be possible to create and run the 8 nodes; I suggest using a computer with at least 4GB of RAM. You may use the Network Lab computers, which already have virtnet set up, so you should be able to create the topology immediately.

The NTP DDoS attack is an amplification attack. Therefore in your attack you should try to amplify the data sent to the target as much as possible within the given topology. The amplification factor is the ratio of the rate arriving at the target to the rate the malicious node sends (that is, if the malicious node sends 10 kb/s but the target receives 50 kb/s, then the data has been amplified by a factor of 5). Don't use broadcast - use the ntprepeat script I provide.

Although you may discuss and work with others in understanding and setting up the attack, try to do the attack yourself. To measure how good the attack is, you need to measure the data being generated by the malicious node and the data arriving at the bottleneck link. Specifically, the incoming rate in kbit/sec to eth1 on node 2 and the incoming rate in kbit/sec to eth1 on node 7. You can measure these values by running iptraf on both node 2 and node 7 - select Detailed interface statistics and then interface eth1. Look at the Incoming rates value.

Two files are to be submitted:

1. A plain text file containing the following lines:

node2 incoming rate: X kbits/sec
node7 incoming rate: Y kbits/sec
average packet size sent: A bytes
average packet size received: B bytes
explanation:
...

followed by your explanation of how you achieved the amplification. The values of X and Y should be the typical/average values you achieved during the attack. The value of A is the size of the NTP request sent by the malicious node, while B is the size of the NTP message received by the target. (You can get the packet sizes from a tcpdump capture or from iptraf.)

2. A single image (PNG or JPG) which is a screenshot showing iptraf running on both node 2 and node 7. The screenshot should be taken when the attack is running and should show the typical rates you observe during the attack (i.e. if the attack runs for 60 seconds, then take the screenshot after about 30 seconds). An example is below, where you can see iptraf running on both node 2 and node 7. Node 2 is receiving 15.0 kb/s from the malicious node, while node 7 is receiving 36.7 kb/s from reflectors to be sent to the target.

Results (Send = what the malicious node sends, Rcv = what the target receives; Send_Bytes and Rcv_Bytes are the average packet sizes; Amplification = Rcv_kbps / Send_kbps):

Name         Send_kbps  Send_pps  Send_Bytes  Rcv_kbps  Rcv_pps  Rcv_Bytes  Amplification
Steve             73.5      41.8         220     216.4     81.2        333            2.9
Chawankorn        73.4      39.2         234     160.7       49        410            2.2
Duangporn         72.6      38.8         234     151.2     39.2        482            2.1
Nattapong         73.4      39.2         234     151.2     39.2        482            2.1
Supanuth          73.4      39.2         234     151.2     39.2        482            2.1
Thanawat          71.9      38.4         234     138.1       49        352            1.9
Manussawee        72.3      38.6         234     131.1       53        309            1.8
Nataya            68.1      36.4         234     124.8     36.4        429            1.8
Parptawan           12       6.4         234        21      6.4        410            1.8
Athisorn          73.4      39.2         234     122.9     39.2        392            1.7
Chanawat            73        39         234     121.2       49        309            1.7
Jaruwit           92.9      49.6         234     153.4       62        309            1.7
Jinnawat          73.4      39.2         234     121.2       49        309            1.7
Nuchsara            73        39         234     120.7     48.4        312            1.7
Panasarn          73.4      39.2         234     124.3       48        324            1.7
Purisaid          73.4      39.2         234     121.2       49        309            1.7
Chadchawin        73.4      39.2         234     120.6     41.2        366            1.6
Duangkamol        37.1      19.8         234      59.3     19.8        374            1.6
Napatsawan        65.9      35.2         234     104.4     40.8        320            1.6
Nichamon          73.4      39.2         234     119.3     48.2        309            1.6
Phenradee         67.8      36.2         234     102.5       36        356            1.5
Chonthicha        73.4         -           -     100.4        -          -            1.4
Penpitcha         89.9        48         234     122.9       48        320            1.4
Trongjai          73.4      39.2         234       106     39.2        338            1.4
Veeraya           73.4      39.2         234       106     39.2        338            1.4
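The numbers in the table above (and the X, Y, A and B values of the submission file) can also be taken from a tcpdump capture instead of being read off iptraf. The Python script below is an added example, not part of the homework materials or of the ntprepeat script: it parses the summary lines that tcpdump -tt -n prints, separates the spoofed MONLIST requests (sent to UDP port 123) from the reflected replies (sent from UDP port 123), and computes the rates, average packet sizes and amplification factor. It assumes a 42-byte Ethernet/IPv4/UDP header overhead on top of tcpdump's payload length, and the capture it runs on is constructed (192-byte requests, 440-byte and 152-byte replies, chosen to match the packet sizes in the table).

```python
"""Work out the submission-file numbers from a tcpdump capture (added example)."""
import re
from dataclasses import dataclass

# Summary line that "tcpdump -tt -n" prints for a UDP packet, e.g.
# "1400000000.000000 IP 10.0.8.1.40000 > 10.0.3.1.123: NTPv2, Reserved, length 192"
# ("length" is the UDP payload size; mode 7 packets print as "NTPv2, Reserved").
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): .*length (?P<plen>\d+)$"
)
# Assumption: iptraf counts whole frames, so Ethernet (14) + IPv4 (20) + UDP (8) header
# bytes are added to tcpdump's payload length (482 = 440 + 42 is the largest Rcv_Bytes above).
FRAME_OVERHEAD = 42


@dataclass
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    frame_len: int  # bytes on the wire, the unit iptraf reports


def parse_capture(lines):
    """Parse tcpdump -tt -n output; lines that do not match (ARP, etc.) are skipped."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Packet(float(m["ts"]), m["src"], int(m["sport"]), m["dst"],
                               int(m["dport"]), int(m["plen"]) + FRAME_OVERHEAD))
    return pkts


def rate_kbps(pkts, window_s):
    """Average rate in kbit/s over a window of window_s seconds (iptraf's 'Incoming rates')."""
    return sum(p.frame_len for p in pkts) * 8 / 1000 / window_s


def avg_frame_bytes(pkts):
    return sum(p.frame_len for p in pkts) / len(pkts) if pkts else 0.0


def attack_summary(lines, window_s):
    """Split a capture into spoofed MONLIST requests (to UDP/123) and reflected replies
    (from UDP/123) and return the values the submission file asks for."""
    pkts = parse_capture(lines)
    requests = [p for p in pkts if p.dport == 123 and p.sport != 123]
    responses = [p for p in pkts if p.sport == 123]
    sent = rate_kbps(requests, window_s)   # what node 2's eth1 sees from the malicious node
    recv = rate_kbps(responses, window_s)  # what node 7's eth1 sees from the reflectors
    return {
        "node2_kbps": round(sent, 1),
        "node7_kbps": round(recv, 1),
        "avg_sent_bytes": avg_frame_bytes(requests),
        "avg_recv_bytes": avg_frame_bytes(responses),
        "amplification": round(recv / sent, 2) if sent else 0.0,
    }


def sample_capture():
    """Constructed stand-in for a 2-second capture (not a real trace): the attacker spoofs the
    target 10.0.8.1 and sends a 192-byte MONLIST request to four reflectors every 0.5 s; each
    reflector answers with a full 440-byte MONLIST packet (6 entries) plus a 152-byte packet
    holding the remaining 2 entries of its 8-entry monitor list."""
    reflectors = ["10.0.3.1", "10.0.4.1", "10.0.5.1", "10.0.6.1"]
    lines = ["1400000000.000000 ARP, Request who-has 10.0.3.1 tell 10.0.1.1, length 28"]
    for i in range(4):
        t = 1400000000.0 + 0.5 * i
        for r in reflectors:
            lines.append(f"{t:.6f} IP 10.0.8.1.40000 > {r}.123: NTPv2, Reserved, length 192")
            lines.append(f"{t + 0.001:.6f} IP {r}.123 > 10.0.8.1.40000: NTPv2, Reserved, length 440")
            lines.append(f"{t + 0.002:.6f} IP {r}.123 > 10.0.8.1.40000: NTPv2, Reserved, length 152")
    return lines


def submission_text(summary):
    """Render the summary in the format the homework asks for (explanation left to the student)."""
    return (f"node2 incoming rate: {summary['node2_kbps']} kbits/sec\n"
            f"node7 incoming rate: {summary['node7_kbps']} kbits/sec\n"
            f"average packet size sent: {summary['avg_sent_bytes']:.0f} bytes\n"
            f"average packet size received: {summary['avg_recv_bytes']:.0f} bytes\n"
            f"explanation:\n")


if __name__ == "__main__":
    s = attack_summary(sample_capture(), window_s=2.0)
    print(submission_text(s), f"(amplification factor {s['amplification']})")
```

To use it on a real trace, feed it the lines of tcpdump -tt -n -i eth1 taken on node 2 and on node 7 (concatenated) with the capture duration as window_s; the rates should agree with iptraf's Incoming rates to within rounding. The sample gives 15.0 kbit/s into node 2, 43.3 kbit/s into node 7 and a factor of 2.89, i.e. the attack described by the constructed capture amplifies about as well as the best entry in the table.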

Discussion of Attack

The Network Time Protocol (NTP) is used by computers to synchronise their clocks. The idea is that there are NTP servers available on a network with accurate clocks (they are accurate because they have synchronised with other accurate servers and/or they have their own highly accurate timing source, e.g. an atomic clock). NTP clients, such as your desktop computer or laptop, exchange packets with an NTP server to synchronise the client clock with that of the server. There are many public NTP servers available in the Internet (e.g. the NTP Pool); they will respond to requests from almost any computer.

One feature of the ntpd reference implementation is that a server keeps a list of the clients/servers it has recently exchanged packets with (the monitor list). A client can ask for this list by sending a special MONLIST request (an NTP mode 7 request) to the server, and the server responds with the monitored entries, spread over several packets when the list is long. The more other NTP instances the server has been in contact with, the longer the list; the maximum list length is 600 entries.

So this feature involves a client sending a (small) request to the server and the server sending a potentially large response, which can unfortunately be used for an amplification based DDoS attack. In this homework you combined the amplification attack with a reflector attack: the malicious computer (node1) sends MONLIST requests to multiple NTP servers (e.g. nodes 3, 4, 5 and 6), but with a fake source address, that of the target (node8), so each NTP server replies with its list to the target. It is an amplification attack because the responses arriving at the target are larger than the requests sent by the malicious node. To increase the amplification factor, you need to increase the size of the monitor list that the servers hold; this can be achieved by getting other nodes to contact the NTP servers before the attack takes place. With the limited number of nodes in this homework it is difficult to get an amplification factor above 2 or 3. Note that using more reflectors does not change the amplification factor, nor does sending more requests per second: the factor is the ratio of response bytes to request bytes for a single request. However more reflectors and/or a higher request rate does allow the attacker to create enough traffic to overflow the bottleneck link capacity.
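To make the request and response sizes concrete, the following is an added example (not from the homework materials, and it sends nothing on the network): it builds the 8-byte mode 7 MONLIST request, builds and decodes the reply packets a server with a given monitor list returns (6 of the 72-byte entries per 440-byte reply, 'more' bit set on all but the last packet), and computes the resulting amplification for an 8-entry list and for the 600-entry maximum. The 42-byte per-packet Ethernet/IPv4/UDP overhead and the sample monitor lists are assumptions of the example.

```python
"""NTP mode 7 MONLIST request/reply layout and the amplification it gives (added example)."""
import ipaddress
import struct

# 8-byte mode 7 header: flags|version|mode, auth|sequence, implementation, request code,
# err(4 bits)|nitems(12 bits), mbz(4 bits)|itemsize(12 bits)
MODE7_HDR = struct.Struct("!BBBBHH")
IMPL_XNTPD = 3          # implementation number ntpd answers for
REQ_MON_GETLIST_1 = 42  # request code of MONLIST
# One 72-byte info_monitor_1 entry: lasttime, firsttime, restr, count, addr, daddr, flags,
# port, mode, version, v6_flag, unused1, addr6, daddr6
MON_ENTRY = struct.Struct("!IIIIIIIHBBII16s16s")
RESP_DATA_SIZE = 500    # ntpd puts at most 500 data bytes in one mode 7 reply ...
ITEMS_PER_PKT = RESP_DATA_SIZE // MON_ENTRY.size  # ... i.e. 6 entries, 440 bytes of payload
MAX_MONLIST = 600       # longest monitor list a server returns


def monlist_request(version=2):
    """The whole MONLIST probe: R/M bits clear, version, mode 7, seq 0, impl 3, code 42, no data."""
    return MODE7_HDR.pack((version << 3) | 7, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def monlist_replies(monitored, version=2):
    """Reply packets a server with monitor list `monitored` ([(ipv4, count), ...]) sends for
    one MONLIST request: 6 entries per packet, 'more' bit (0x40) set on all but the last."""
    chunks = [monitored[i:i + ITEMS_PER_PKT]
              for i in range(0, len(monitored), ITEMS_PER_PKT)] or [[]]
    pkts = []
    for seq, chunk in enumerate(chunks):
        more = 0x40 if seq < len(chunks) - 1 else 0
        hdr = MODE7_HDR.pack(0x80 | more | (version << 3) | 7, seq, IMPL_XNTPD,
                             REQ_MON_GETLIST_1, len(chunk), MON_ENTRY.size)
        body = b"".join(
            MON_ENTRY.pack(0, 0, 0, count, int(ipaddress.IPv4Address(ip)), 0, 0,
                           123, 3, 4, 0, 0, bytes(16), bytes(16))
            for ip, count in chunk)
        pkts.append(hdr + body)
    return pkts


def parse_monlist_reply(pkt):
    """Decode one reply packet into its error code, 'more' flag and (address, count) entries."""
    first, _seq, impl, code, err_nitems, mbz_size = MODE7_HDR.unpack_from(pkt)
    if (first & 0x07) != 7 or not (first & 0x80) or impl != IMPL_XNTPD or code != REQ_MON_GETLIST_1:
        raise ValueError("not a MONLIST reply")
    err, nitems = err_nitems >> 12, err_nitems & 0x0FFF
    itemsize = mbz_size & 0x0FFF
    entries = []
    for i in range(nitems):
        f = MON_ENTRY.unpack_from(pkt, MODE7_HDR.size + i * itemsize)
        entries.append((str(ipaddress.IPv4Address(f[4])), f[3]))  # addr, count
    return {"err": err, "more": bool(first & 0x40), "entries": entries}


def amplification(n_entries, overhead=42):
    """(payload factor, on-the-wire factor) for a reflector with n_entries monitored hosts.
    Assumption: every packet also carries 42 bytes of Ethernet/IPv4/UDP headers. The result
    depends only on the list length, not on how many reflectors or requests per second."""
    monitored = [(f"10.0.{i // 250}.{i % 250 + 1}", 1) for i in range(n_entries)]  # made-up hosts
    req = len(monlist_request())
    replies = monlist_replies(monitored)
    payload = sum(len(p) for p in replies)
    wire = payload + overhead * len(replies)
    return round(payload / req, 2), round(wire / (req + overhead), 2)


if __name__ == "__main__":
    print("request:", monlist_request().hex())
    for n in (8, MAX_MONLIST):
        print(f"{n:3d} entries: payload x{amplification(n)[0]}, on the wire x{amplification(n)[1]}")
```

The header overhead matters in a small lab: with 8 entries the reply payload is 74 times the 8-byte request, but counted as frames, which is what iptraf shows, the factor is about 13.5, and the larger request frames that ntprepeat sends bring it down further to the 2-3 seen in the table. Only a longer monitor list raises it; extra reflectors or requests per second multiply the volume, not the ratio.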

In January 2014 there were very large NTP amplification DDoS attacks in the Internet, taking down Steam and other game servers with tens of gigabits per second of traffic. The MONLIST weakness is tracked as CVE-2013-5211. Since then it has been recommended to disable the monitoring feature of NTP, so that servers do not reply to requests for monitor lists: ntpd from version 4.2.7p26 no longer answers MONLIST by default, and on older versions it can be switched off with 'disable monitor' in ntp.conf or by adding 'noquery' to the default restrict line, thereby making DDoS attacks with NTP much harder.
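As an added illustration (not from the original page), the two ntp.conf fragments below show a permissive restrict line that lets any host query the server and the hardened form. The directive names are ntpd's own; the surrounding lines are an assumed minimal configuration.

```conf
# Permissive (assumed example): mode 7 queries, including MONLIST, are answered for any address
restrict default kod nomodify notrap nopeer

# Hardened: noquery refuses mode 6/7 queries from everyone but localhost,
# and disable monitor switches the monitor list off so there is nothing to return
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
disable monitor
```

After restarting ntpd, ntpdc -n -c monlist <server> run from another host should no longer return a list; if it still does, the server is usable as a reflector.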