On January 13 the United States Computer Emergency Readiness Team (US-CERT) issued a warning about a new DDoS amplification method. Infected computers send a monlist request to an NTP server with a spoofed source IP address (the victim's). The monlist request returns a list of the last 600 clients of ntpd, so a small request from the infected computer causes a much larger UDP stream to be sent to the victim. That is the essence of amplification.
An unprotected NTP server thus becomes an unwitting intermediary in the attack.
ntpd versions before 4.2.7p26 (the current stable release is 4.2.6p5) are affected.
You can check whether your server is vulnerable by running
ntpdc -c monlist _
If the command prints a list of clients (rather than "timed out, nothing received"), the system is vulnerable.
Remediation
There are at least three ways:
1) Update ntpd to version 4.2.7p26. On FreeBSD, update the ports tree and install ntpd from net/ntp-devel.
Without updating, you can:
2) Disable monlist in ntp.conf by adding the line
disable monitor
3) Or disable all server status queries in the default restrict lines (noquery):
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
Perhaps you did not even know that your NTP server was reachable from the outside. In that case, block external access to it completely.
I ran into this problem in November, when NTP traffic on my public NTP server stratum1.net reached 30GB per hour. I did not notice it immediately, because even on an Atom processor the load was under 5%. Then I wrote a bash script that looked at the border firewall statistics for the last half hour (via netflow) and automatically added a deny rule for very active clients. And two months later it became clear what it was.
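As an added example (not the author's script, and not code from the ntp project), here is a small shell script that does what the netflow-based approach above describes: it sums NTP replies per client over a window of constructed flow records and emits deny rules for clients above a threshold. The server address, threshold, flow record format and pf table syntax are assumptions.

```shell
#!/bin/sh
# Added example, not the author's script: flag clients that pull an abnormal
# volume of NTP replies from our server in one window, the same idea as the
# netflow-based deny-rule script described above. In a reflection attack the
# "client" is usually the spoofed victim, so the rule stops our server from
# being used against it.
# Assumed flow record format (constructed, one flow per line):
#   <src_ip> <src_port> <dst_ip> <dst_port> <bytes>

NTP_SERVER="192.0.2.10"     # assumed: our NTP server's public address
THRESHOLD_BYTES=1000000     # assumed: more than 1 MB of replies per window

# Constructed sample flows: 198.51.100.7 receives far more than a normal client.
SAMPLE_FLOWS='192.0.2.10 123 198.51.100.7 123 440000
192.0.2.10 123 198.51.100.7 123 880000
192.0.2.10 123 203.0.113.5 123 96
192.0.2.10 123 203.0.113.5 123 96
192.0.2.10 123 203.0.113.9 123 48
203.0.113.5 123 192.0.2.10 123 48'

# find_abusers: read flow records on stdin, sum bytes sent FROM our NTP
# server (UDP/123) TO each client, and print "client bytes" for every
# client above the threshold, largest first.
find_abusers() {
    awk -v srv="$NTP_SERVER" -v thr="$THRESHOLD_BYTES" '
        $1 == srv && $2 == 123 { sent[$3] += $5 }
        END { for (c in sent) if (sent[c] > thr) printf "%s %d\n", c, sent[c] }
    ' | sort -k2,2nr
}

# deny_rules: turn the abuser list into firewall commands. The syntax
# depends on the border firewall; a pf table (pfctl -t ... -T add) is shown.
deny_rules() {
    find_abusers | while read -r client bytes; do
        printf 'pfctl -t ntp_abusers -T add %s   # %s bytes this window\n' "$client" "$bytes"
    done
}

main() {
    printf '%s\n' "$SAMPLE_FLOWS" | deny_rules
}

main
```

With real netflow data, convert the export into the five-column format first and run the script from cron at the window interval.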
Sources:
support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
www.kb.cert.org/vuls/id/348126
www.opennet.ru/opennews/art.shtml?num=38855
P.S. A recent post described a special case of this attack involving VMware ESXi.