NTP Reflection Attack?

Yesterday I installed Hestia 1.3.3 on a dedicated server running a fresh install of Ubuntu 20.0.4, and within a few hours of installing Hestia the IP was nullrouted by the DC 3 times. At the time I was completing the setup and was about to secure the server.

The DC suspects it is an NTP Reflection Attack.

Attack 1 - 161 IPs
UDP ports 0, 22

Attack 2 - 175 IPs
UDP 63207, 11655, ICMP Port 3

Attack 3 - 211 IPs
UDP 63207, 11655

I reinstalled the server and there have been no more attacks. Hestia is not installed again yet; those ports had not been opened up.

Check if your server is vulnerable
Log onto your server via SSH as the root user and enter the following command, replacing yourserverip with the IP of your server.

ntpdc -n -c monlist yourserverip

For those who have not secured ntp, there are instructions HERE to secure it.

We don’t install ntp any more:

root@dev:~# ntpdc -n -c monlist 168.xx.xxx.xx

168.xx.xxx.xx: timed out, nothing received

***Request timed out

root@dev:~#
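The check the original post describes, and the "timed out" result in the reply above, done from a script instead of ntpdc. This is an added example, not code from the thread or from Hestia: it builds the same mode-7 "monlist" request that `ntpdc -n -c monlist` sends, runs it against an address you administer, and maps the outcome to the two results seen here (a list of monitor records, or nothing received). The constant names, the `probe_monlist`/`summarize` function names and the constructed sample reply are my own assumptions, not anything from the page.

```python
"""Probe an NTP server for mode-7 'monlist' replies (added example).

This is not code from the thread or from Hestia. It builds the same
private-mode request that `ntpdc -n -c monlist <ip>` sends, so that a
server you administer can be checked from a script, and it maps the outcome
to the two results seen in the thread: a list of monitor entries (the
server can be used as a reflector; restrict mode 7 and filter UDP/123) or
no reply at all ("timed out, nothing received").
"""
import socket
import struct
import sys

# Mode-7 ("ntpdc private") header values as implemented by ntpd.
RESPONSE_BIT = 0x80        # set in byte 0 of every reply
MORE_BIT = 0x40            # set when further reply packets follow
IMPL_XNTPD = 3             # implementation number of ntpd
REQ_MON_GETLIST_1 = 42     # request code for 'monlist'
MONLIST_ITEM_SIZE = 72     # bytes per monitor record in a reply


def build_monlist_request(sequence: int = 0) -> bytes:
    """Return the 8-byte request ntpdc sends for 'monlist'.

    Byte 0 is 0x17: response=0, more=0, version 2 (bits 5-3), mode 7.
    Byte 1 carries the sequence number (auth bit clear); bytes 2-3 are the
    implementation and request code; bytes 4-7 (err/count, mbz/item size)
    are zero in a request.
    """
    return bytes([0x17, sequence & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0, 0, 0])


def parse_monlist_response(packet: bytes) -> dict:
    """Decode the header of one mode-7 reply packet.

    Raises ValueError when the packet is not a monlist response, so stray
    traffic on the port is not mistaken for an answer.
    """
    if len(packet) < 8:
        raise ValueError("packet too short for a mode-7 header")
    flags, _seq, impl, req_code, err_count, mbz_size = struct.unpack("!BBBBHH", packet[:8])
    if (flags & 0x07) != 7 or not (flags & RESPONSE_BIT):
        raise ValueError("not a mode-7 response")
    if impl != IMPL_XNTPD or req_code != REQ_MON_GETLIST_1:
        raise ValueError("reply belongs to a different request")
    return {
        "error": err_count >> 12,          # 0 means the request was honoured
        "count": err_count & 0x0FFF,       # monitor records in this packet
        "item_size": mbz_size & 0x0FFF,    # 72 for monlist records
        "more": bool(flags & MORE_BIT),
    }


def probe_monlist(host: str, port: int = 123, timeout: float = 2.0) -> dict:
    """Send one monlist request and gather every reply packet.

    A result with answered=False is what ntpdc prints as
    "timed out, nothing received": the query was dropped (firewall or
    no ntpd) or the server ignores mode 7.
    """
    result = {"answered": False, "entries": 0, "packets": 0, "bytes": 0, "error": 0}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_monlist_request(), (host, port))
        while True:
            try:
                data, _ = sock.recvfrom(2048)
            except OSError:                # timeout or ICMP port unreachable
                break
            try:
                header = parse_monlist_response(data)
            except ValueError:
                continue                   # not our reply; keep waiting
            result["answered"] = True
            result["packets"] += 1
            result["bytes"] += len(data)
            result["entries"] += header["count"]
            result["error"] = header["error"]
            if not header["more"]:
                break
    return result


def summarize(result: dict, request_len: int = 8) -> str:
    """Turn a probe result into the one-line verdict a check script would log."""
    if not result["answered"]:
        return "timed out, nothing received (mode 7 blocked or disabled: not a reflector)"
    if result["error"]:
        return f"server answered with error code {result['error']} (monlist refused)"
    factor = result["bytes"] / request_len
    return (f"{result['entries']} monitor entries in {result['packets']} packet(s), "
            f"{result['bytes']} bytes back for {request_len} sent (about {factor:.0f}x): "
            f"add 'restrict default noquery' and filter UDP/123")


if __name__ == "__main__":
    # Constructed reply for an offline demonstration: one packet, six empty records.
    sample = (bytes([0x97, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0x00, 0x06, 0x00, 0x48])
              + bytes(6 * MONLIST_ITEM_SIZE))
    print("constructed reply header:", parse_monlist_response(sample))
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}: {summarize(probe_monlist(target))}")
```

Run it as `python3 ntp_monlist_check.py yourserverip` from a host outside the server's firewall; on a box with no ntpd, or with the default Hestia rules dropping UDP/123, it prints the same "timed out, nothing received" that ntpdc printed in the reply above. The byte count in the summary is what matters for the DC's report: a server that returns hundreds of bytes per 8-byte query is the kind of host an amplification attack reflects off, and the fix is the `restrict ... noquery` line in ntp.conf plus not exposing the port.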

Vulnerable to what?

Most likely you misunderstood the report from your datacenter, but without reading it myself I can't be 100% sure.

But from the terminology used in the original post, it looks like your server was the target of a DDoS coming from 500 hosts in the form of a volumetric UDP amplification attack. And in this case there is nothing you can do on your server to stop it, so the DC is forced to nullroute incoming traffic destined to your server IP.

Also there is nothing wrong with running NTP on Hestia (although it isn't installed by default), as the default firewall does not accept traffic on UDP port 123.

You can review the list of allowed ports here:

1 Like

What does that even mean? Incoming? Outgoing?
Why should that relate to ntpd (port 123, and none of the above)?
Did you install Ubuntu from a template of the provider or via ISO?

Sorry to say, but if you believe this to be an issue with HestiaCP then you might wrongly assume you are safe now.

As others pointed out, even if you were to run ntpd, iptables is set to DROP everything by default and only allows a very small set of services. ntpd/123 UDP is not part of that list (and never has been).

So unless something else opened these ports to send something out, it is much more likely that this 'attack' was incoming from whatever 'enemy'. And while it probably never even reached your server, the DC decided to nullroute the IP so as not to have to deal with the DDoS at the level of your server/VM.
That's totally normal; it's how providers without dedicated DDoS protection act on incoming attacks.

And for sure that is no vulnerability in anything. Could be you just took over an IP from someone who ran a game server or voice server or whatever before and was a regular DDoS target anyway.

TL;DR: uninstalling ntpd won't change anything. Running it on a normal Hestia install without explicitly opening the ports would still be safe.

3 Likes
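One way to verify the claim made in the last two replies, that the default rules drop UDP/123 even when ntpd is running, instead of taking it on trust. This is an added example, not Hestia's firewall code and not its real rule set: `SAMPLE_RULES` is a constructed rule list in the format `iptables -S INPUT` prints, the `evaluate`/`_rule_matches` names are my own, and the evaluator only models `-p`, `-m tcp/udp/multiport` and `--dport(s)`; rules using other options are listed for manual review rather than guessed at.

```python
"""Evaluate what the host firewall does with an inbound packet (added example).

Not Hestia's own code and not its real rule set: the rule text below is a
constructed sample in the format `iptables -S INPUT` prints. The thread's
point is that a packet to UDP/123 is dropped by the default rules even if
ntpd is running; this walks the chain for a synthetic packet and reports
the first terminal rule (or the chain policy) that decides its fate.
"""
import subprocess

SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -j DROP
"""


def _ports_match(spec: str, port: int) -> bool:
    """True if a --dport/--dports value ('123', '53,123', '1000:2000') covers port."""
    for piece in spec.split(","):
        if ":" in piece:
            lo, hi = piece.split(":", 1)
            if int(lo or 0) <= port <= int(hi or 65535):
                return True
        elif piece and int(piece) == port:
            return True
    return False


def _rule_matches(tokens, proto: str, port: int):
    """Match one '-A CHAIN ...' rule against a fresh packet from an arbitrary source.

    Returns True/False for rules built only from -p, -m tcp/udp/multiport and
    --dport(s); None for rules using options this evaluator does not model
    (-i, -s, -m state, negations, ...), which the caller reports for review.
    """
    i = 2                                  # skip "-A CHAIN"
    while i < len(tokens):
        flag = tokens[i]
        if flag == "-j":
            i += 2
        elif flag == "-p":
            if tokens[i + 1] != proto:
                return False
            i += 2
        elif flag == "-m":
            if tokens[i + 1] not in ("tcp", "udp", "multiport"):
                return None
            i += 2
        elif flag in ("--dport", "--dports"):
            if not _ports_match(tokens[i + 1], port):
                return False
            i += 2
        else:
            return None
    return True


def evaluate(rules: str, proto: str, port: int, chain: str = "INPUT") -> dict:
    """Return the verdict for an inbound proto/port packet and which line decided it."""
    policy, unmodelled = "ACCEPT", []
    for line in rules.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] == "-P" and tokens[1] == chain:
            policy = tokens[2]
            continue
        if len(tokens) < 2 or tokens[0] != "-A" or tokens[1] != chain or "-j" not in tokens:
            continue
        target = tokens[tokens.index("-j") + 1]
        if target not in ("ACCEPT", "DROP", "REJECT"):
            continue                       # jumps into user chains are not followed
        matched = _rule_matches(tokens, proto, port)
        if matched is None:
            unmodelled.append(line)
        elif matched:
            return {"verdict": target, "decided_by": line, "unmodelled": unmodelled}
    return {"verdict": policy, "decided_by": f"chain policy {policy}", "unmodelled": unmodelled}


def live_rules(chain: str = "INPUT") -> str:
    """Read the running rule set; needs root and iptables on the host."""
    return subprocess.run(["iptables", "-S", chain], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    try:
        rules = live_rules()
    except (OSError, subprocess.CalledProcessError):
        rules = SAMPLE_RULES               # fall back to the constructed sample
    for proto, port in (("udp", 123), ("udp", 53), ("tcp", 22)):
        r = evaluate(rules, proto, port)
        print(f"{proto}/{port}: {r['verdict']} (decided by: {r['decided_by']})")
    for line in evaluate(rules, "udp", 123)["unmodelled"]:
        print("review by hand:", line)
```

On the constructed sample, udp/123 is dropped by the trailing catch-all rule and udp/53 is accepted; run as root on the real box it reads `iptables -S INPUT` instead. Rules it does not model (interface, source and connection-state matches, jumps into user chains such as those fail2ban adds) are printed for a manual look, so a verdict of DROP is only as good as that short list.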

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.