
Attack with your time server: NTP amplification attack (CVE-2013-5211)


On January 13, 2014, the United States Computer Emergency Readiness Team (US-CERT) issued an alert about a new DDoS attack technique.

Infected hosts send a monlist request to an NTP server with the source IP address spoofed to that of the victim.

monlist is a mode 7 (ntpdc) query that returns the addresses of up to the last 600 hosts that have talked to the ntpd instance.

Thus a small UDP request from the infected host turns into a much larger UDP stream: the reply spans many packets and can be hundreds of times larger than the request, and it is delivered not to the bot but to the spoofed source address, i.e. the victim.

This is the essence of amplification: the attacker's bandwidth is multiplied by the size of the server's reply.


An unprotected NTP server thereby becomes an unwitting reflector in the attack, and the victim sees the flood arriving from that server rather than from the bots.

ntpd versions before 4.2.7p26 are affected, including the then-current stable release 4.2.6p5 (4.2.7p26 removed monlist altogether).


You can check whether your server is exposed by running the following command from a host outside your own network (restrict rules that exempt localhost or your LAN would otherwise hide the exposure):

ntpdc -c monlist server_address

If the command prints a list of clients rather than "timed out, nothing received", the server is vulnerable.

Mitigation

There are at least three ways to deal with it:

  • 1) Upgrade ntpd to version 4.2.7p26 or later, where monlist no longer exists. On FreeBSD, update the ports tree and install ntpd from net/ntp-devel.

Without upgrading you can:

  • 2) Disable the monitor facility (and with it monlist) in ntp.conf by adding the line disable monitor
  • 3) Or refuse all mode 6/7 status queries from outside by adding noquery to the default restrict entries:
    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery
    Time service itself is unaffected by noquery, but it also blocks your own ntpq/ntpdc queries from anywhere the default entry applies to, so keep separate restrict entries for localhost (127.0.0.1 and ::1) and for the hosts you monitor from.


Perhaps you did not even know that your NTP server was reachable from the outside (-:

In that case, block external access to it altogether: restrict it to the networks that actually need it, or filter UDP port 123 on the perimeter firewall.


I ran into this problem in November, when NTP traffic on my public NTP server stratum1.net reached 30 GB per hour.

I did not notice it right away, because even on an Atom processor the load was under 5%.

Then I wrote a bash script that looked at the border firewall's statistics for the last half hour (via netflow) and automatically added a deny rule for very active clients. Only two months later did it become clear what it was.

Sources:

support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using

www.kb.cert.org/vuls/id/348126

www.opennet.ru/opennews/art.shtml?num=38855