JPCERT-AT-2014-0001
JPCERT/CC
2014-01-15
<<< JPCERT/CC Alert 2014-01-15 >>>
Alert regarding DDoS attacks leveraging the monlist function in ntpd
https://www.jpcert.or.jp/english/at/2014/at140001.html
I. Overview
Older versions of ntpd provided by the NTP Project contain a function
(monlist) for checking the status of the NTP server. Remote attackers may
leverage this function to conduct DDoS attacks.
NTP typically communicates over UDP, so it is relatively easy to
spoof the source IP address. In addition, the monlist function replies
with a fairly large response to the source IP address of each request
the server receives. This behavior may allow an attacker to send request
packets to an NTP server with the source IP address spoofed to that of the
target, so that the large response is sent to the target (a web site, etc.).
JPCERT/CC has received reports of DDoS attacks leveraging the
monlist function in ntpd. In addition, data collected by the internet
traffic monitoring system TSUBAME (*1), which is run by JPCERT/CC, shows an
increase in packets scanning for NTP servers, and JPCERT/CC believes that
these attacks may continue.
*1 TSUBAME is the name of the Asia/Pacific internet traffic monitoring system
https://www.jpcert.or.jp/tsubame/
Servers or network devices you manage that provide NTP server
functionality may be leveraged for a DDoS attack without your knowledge. We
recommend checking the servers and network devices you manage to see whether
ntpd is running and, if so, configuring them properly.
II. Affected versions
According to the information provided by the NTP Project, the following
versions are affected.
ntpd versions prior to 4.2.7p26
*) Production versions of 4.2.6.x are all affected
The following command shows the version of ntpd that is running:
ntpq -c rv
III. Solution
The NTP Project has released a development version of ntpd that modifies
part of the monlist function to reduce the likelihood of its being leveraged
in a DDoS attack. If you are running a publicly accessible NTP server using
ntpd, please consider updating to a development version that addresses this issue.
The version that addresses this issue is as follows:
ntpd 4.2.7p26 (Development)
If you are not able to upgrade to a Development version, please
consider the following workarounds.
- Configure ntpd so that the monlist function is disabled
Add the following line to ntp.conf:
disable monitor
For other workarounds, please refer to the information provided by
CERT/CC:
CERT/CC Vulnerability Note VU#348126
NTP can be abused to amplify denial-of-service attack traffic
https://www.kb.cert.org/vuls/id/348126
If you are using a version of ntpd provided by a distributor, please
refer to the information provided by the distributor.
Also, if external access to the NTP service is not required, please
consider restricting access to the NTP server.
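As an added example, not part of the JPCERT/CC advisory or the NTP Project's own code, the following Python script combines the version check from section II with the workaround from section III: it parses the version= field of `ntpq -c rv` output, compares it with the fixed release 4.2.7p26, and inspects an ntp.conf for `disable monitor`. It also accepts a `noquery` flag on the `restrict default` line, which is the additional mitigation described in CERT/CC VU#348126 rather than one the advisory itself lists. The `ntpq` output samples and ntp.conf fragments are constructed for the example, the hostname is a placeholder, and the classification labels are the script's own.

```python
import re

# Constructed sample outputs of `ntpq -c rv` (not captured from real hosts).
# The running version appears in the version="ntpd ..." field.
SAMPLE_RV_OLD = (
    'associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,\n'
    'version="ntpd 4.2.6p5@1.2349-o Tue Dec  2 16:50:01 UTC 2014 (1)",\n'
    'processor="x86_64", system="Linux/3.13.0-40-generic", leap=00,\n'
)
SAMPLE_RV_FIXED = (
    'associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,\n'
    'version="ntpd 4.2.7p26@1.2483 Sun Jan  5 10:00:00 UTC 2014 (1)",\n'
)

# Constructed ntp.conf fragments (time.example.com is a placeholder).
CONF_EXPOSED = """\
driftfile /var/lib/ntp/ntp.drift
server time.example.com
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""
CONF_HARDENED = """\
driftfile /var/lib/ntp/ntp.drift
server time.example.com
disable monitor        # advisory workaround: monlist has nothing to report
restrict default kod nomodify notrap nopeer noquery   # CERT/CC VU#348126: refuse queries
restrict 127.0.0.1
"""

# Fixed release named in the advisory: ntpd 4.2.7p26
FIXED_VERSION = (4, 2, 7, 26)

# Matches e.g. version="ntpd 4.2.6p5@1.2349-o ..." -> major, minor, point, p-level
VERSION_RE = re.compile(r'version="ntpd (\d+)\.(\d+)\.(\d+)(?:p(\d+))?')


def parse_ntpd_version(rv_output):
    """Extract (major, minor, point, plevel) from `ntpq -c rv` output, or None."""
    m = VERSION_RE.search(rv_output)
    if m is None:
        return None
    major, minor, point, plevel = m.groups()
    return (int(major), int(minor), int(point), int(plevel or 0))


def version_is_affected(version):
    """Versions prior to 4.2.7p26 are affected; tuple comparison orders them correctly."""
    return version < FIXED_VERSION


def monlist_exposed(ntp_conf):
    """True unless ntp.conf disables the monitor facility or refuses queries by default.

    Only the two common mitigations are modelled; per-network restrict lines
    that re-open queries for specific sources are not evaluated.
    """
    monitor_enabled = True          # ntpd default
    default_noquery = False
    for raw in ntp_conf.splitlines():
        line = raw.split('#', 1)[0].strip()     # drop comments
        if not line:
            continue
        tokens = line.split()
        # the last 'disable monitor' / 'enable monitor' directive wins
        if tokens[0] in ('disable', 'enable') and 'monitor' in tokens[1:]:
            monitor_enabled = tokens[0] == 'enable'
        # 'restrict default ...', optionally with an explicit -4 / -6 family flag
        if tokens[0] == 'restrict':
            rest = [t for t in tokens[1:] if t not in ('-4', '-6')]
            if rest and rest[0] == 'default' and 'noquery' in rest[1:]:
                default_noquery = True
    return monitor_enabled and not default_noquery


def audit(rv_output, ntp_conf):
    """Classify a host as 'unknown', 'version_fixed', 'mitigated', or 'vulnerable'."""
    version = parse_ntpd_version(rv_output)
    if version is None:
        return 'unknown'
    if not version_is_affected(version):
        return 'version_fixed'
    if not monlist_exposed(ntp_conf):
        return 'mitigated'
    return 'vulnerable'


if __name__ == '__main__':
    for label, rv, conf in (('old/exposed', SAMPLE_RV_OLD, CONF_EXPOSED),
                            ('old/hardened', SAMPLE_RV_OLD, CONF_HARDENED),
                            ('fixed/exposed', SAMPLE_RV_FIXED, CONF_EXPOSED)):
        print(f'{label}: ntpd {parse_ntpd_version(rv)} -> {audit(rv, conf)}')
```

On a real host, feed `audit()` the output of `ntpq -c rv` and the contents of the ntp.conf actually loaded by the running daemon; a distributor's build may carry the fix under an older version string, so treat 'vulnerable' as a prompt to consult the distributor's advisory rather than as a final verdict.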
IV. References
NTP Project
DRDoS / Amplification Attack using ntpdc monlist command
http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
CERT/CC Vulnerability Note VU#348126
NTP can be abused to amplify denial-of-service attack traffic
https://www.kb.cert.org/vuls/id/348126
NetBSD
NetBSD Security Advisory 2014-002
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-002.txt.asc
If you have any information regarding this alert, please contact
JPCERT/CC.
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/