NTP Amplification Attack
The US Computer Emergency Readiness Team (US-CERT) has released an alert for an NTP amplification attack affecting NTP daemon (ntpd) version 4.2.7 and earlier versions. The attack exploits a flaw in the monlist feature, which provides remote monitoring NTP-capable devices (CVE-2013-5211). According to the alert, the "get monlist" command "...causes a list of the last 600 IP addresses which connected to the NTP server to be sent to the victim....Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of data directed at the victim. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks."
This attack is especially significant because the nature of NTP means that many servers still operate on the public Internet. The recommended solution is to upgrade to a version of ntpd later than 4.2.7. If an upgrade is not possible, the alert gives instructions for how to disable monlist functionality for public-facing servers.
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.