
Attack with your time server: NTP amplification attack (CVE-2013-5211)


On January 13, the United States Computer Emergency Readiness Team (US-CERT) issued a warning about a new method of DDoS attack.

Infected computers send a monlist request to an NTP server with the sender IP address forged to be that of the victim.

The monlist query returns a list of the last 600 clients of ntpd.

Thus a small request from the infected computer causes the NTP server to send a large stream of UDP to the victim.

This is the essence of amplification.


An unprotected NTP server becomes an unwitting intermediary in the attack.

Versions of ntpd before 4.2.7p26 are affected (the current stable release is 4.2.6p5).


Check whether your server is vulnerable by running the following command:

ntpdc -c monlist server_address

If the command lists clients (rather than "timed out, nothing received"), the server is vulnerable.

Fix

At the moment there are at least three ways:

  • 1) Update ntpd to version 4.2.7p26. On FreeBSD, update the ports tree and install ntpd from net/ntp-devel.

Without an upgrade, you can:

  • 2) Disable monlist in ntp.conf by adding the line disable monitor
  • 3) Or disable all server status queries with the lines
    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery


Perhaps you did not even know that your NTP server is reachable from outside :-).

In that case, disable external access to it completely.
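To check an ntp.conf for the two non-upgrade fixes above (disable monitor, or restrict default ... noquery), here is a small audit script. It is an added example and not part of the original post; the sample configs are constructed, and the model of how ntpd evaluates these directives (last enable/disable monitor wins; a restrict default line without -4/-6 applies to both address families; any default rule with noquery or ignore blocks status queries) is my assumption, not taken from the ntpd documentation.

```python
"""Audit an ntp.conf for exposure of the mode 7 'monlist' query.

Added example, not from the original post. Assumed ntpd semantics:
  - 'disable monitor' / 'enable monitor' toggle monlist; the last one wins.
  - 'restrict default' without -4/-6 applies to IPv4 and IPv6;
    '-4'/'-6' limits the rule to one family.
  - 'noquery' or 'ignore' on a default rule blocks status queries.
Per-host restrict rules are out of scope here.
"""
from typing import Dict, List

# Constructed sample configs (not from the page).
VULNERABLE_CONF = """\
driftfile /var/db/ntpd.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
"""

FIXED_CONF = """\
driftfile /var/db/ntpd.drift
server 0.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
"""


def audit_ntp_conf(text: str) -> Dict[str, object]:
    """Return monitor state, per-family query blocking and exposed families."""
    monitor = True  # ntpd default: the monitor facility is on
    query_blocked = {"ipv4": False, "ipv6": False}
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # strip comments
        if not tokens:
            continue
        kw = tokens[0]
        if kw in ("disable", "enable") and "monitor" in tokens[1:]:
            monitor = kw == "enable"
        elif kw == "restrict":
            fams = ("ipv4", "ipv6")
            rest = tokens[1:]
            if rest and rest[0] in ("-4", "-6"):
                fams = ("ipv4",) if rest[0] == "-4" else ("ipv6",)
                rest = rest[1:]
            if not rest or rest[0] != "default":
                continue  # per-host rule: not considered
            flags = set(rest[1:])
            if "noquery" in flags or "ignore" in flags:
                for fam in fams:
                    query_blocked[fam] = True
    exposed: List[str] = [f for f, b in query_blocked.items() if monitor and not b]
    return {"monitor": monitor, "query_blocked": query_blocked, "monlist_exposed": exposed}


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_ntp_conf(conf))
```

An empty monlist_exposed list means monlist cannot be reached from the default (unrestricted) address range; a non-empty one names the address families still answering it.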


I ran into this problem back in November, when NTP traffic on my public NTP server stratum1.net reached 30GB per hour.

I did not notice it immediately, since even on the Atom processor the load was under 5%.

Then I wrote a bash script that looked at the traffic statistics of the border firewall for the last half hour (via netflow) and automatically added a deny rule for overly active clients. And two months later it became clear what it was.

Sources:

support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using

www.kb.cert.org/vuls/id/348126

www.opennet.ru/opennews/art.shtml?num=38855