NTP Amplification Attack

New attack uses vulnerable NTP servers for denial of service.

The US Computer Emergency Readiness Team (US-CERT) has released an alert for an NTP amplification attack affecting NTP daemon (ntpd) version 4.2.7 and earlier versions. The attack exploits a flaw in the monlist feature, which provides remote monitoring of NTP-capable devices (CVE-2013-5211). According to the alert, the "get monlist" command "...causes a list of the last 600 IP addresses which connected to the NTP server to be sent to the victim.... Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of data directed at the victim. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks."

This attack is especially significant because the nature of NTP means that many servers still operate on the public Internet. The recommended solution is to upgrade to a version of ntpd later than 4.2.7. If an upgrade is not possible, the alert gives instructions for disabling monlist functionality on public-facing servers.
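
A defender-side check for the mitigation described above, as an added example that is not taken from the article or the US-CERT alert: it audits `ntp.conf` text for monlist exposure. It assumes the standard ntpd directives `disable monitor` and `restrict default ... noquery`; both sample configs are constructed, and IPv4 and IPv6 defaults are not distinguished.

```python
# Added example: audit ntp.conf text for monlist (mode 7 query) exposure.
# Both sample configs are constructed for illustration.
EXPOSED = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer   # missing noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server 0.pool.ntp.org iburst
"""

HARDENED = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
disable monitor
"""


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means no exposure was found."""
    monitor_disabled = False
    limited_seen = False
    defaults = []  # (line number, flags) per 'restrict [-4|-6] default' line
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if not tokens:
            continue
        if tokens[0] == "disable" and "monitor" in tokens[1:]:
            monitor_disabled = True
        elif tokens[0] == "restrict":
            args = [t for t in tokens[1:] if t not in ("-4", "-6")]
            limited_seen |= "limited" in args[1:]
            if args and args[0] == "default":
                defaults.append((no, set(args[1:])))
    # A 'limited' restriction keeps ntpd's monitoring list active, so
    # 'disable monitor' only counts when no restrict line uses it.
    if monitor_disabled and not limited_seen:
        return []
    findings = []
    if not defaults:
        findings.append("no 'restrict default' line: queries are unrestricted")
    for no, flags in defaults:
        if not flags & {"noquery", "ignore"}:
            findings.append(f"line {no}: restrict default lacks noquery")
    return findings


if __name__ == "__main__":
    for name, conf in (("EXPOSED", EXPOSED), ("HARDENED", HARDENED)):
        print(name, audit_ntp_conf(conf) or "ok")
```
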

02/03/2014
