Login   |   Secure Purdue > News

NTP Amplification Attacks

STEAM-ADVISORY NO. 2014022001
PURDUE UNIVERSITY SECURITY STEAM-CIRT
Thursday, February 20, 2014 12:15:00 EDT

==OVERVIEW==

We have received several external notices of open NTP servers that
answer to get monlists requests on the Purdue network. These servers
can be used to attack other organizations through Distributed Denial
of Service attacks (DDoS). This type of attack is known as NTP
Amplification. To prevent the Purdue network from being a launch point
for devastating attacks across the Internet, we ask that you review
your NTP configuration update to a non-vulnerable solution or disable
the monlist functionality.

==SYSTEMS AFFECTED==

Open NTP servers using monlist and running ntpd service older than 4.2.7.

==DETAILS==

Open NTP services with monlist enabled can be abused to conduct
Distributed Denial of Service (DDoS) attacks towards web sites,
servers, and services. These attacks can deny legitimate service to
authorized users as well as cause performance side-effects for smaller
networks. This type of attack is known as an NTP amplification
attack. A small, spoofed NTP request can generate a large response
sent to the target. As more illegitimate requests are made, the
target is quickly overwhelmed resulting in a denial of service.

A misconfigured NTP server can be used to participate in DDoS attacks.
This means that NTP servers in your domain that respond to the "get
monlist" command can be used to attack other systems here at Purdue
and across the Internet. In addition to attacking remote systems, the
traffic generated by NTP amplification attacks can saturate local
networks and degrade performance for your local network and the entire
campus. Attacks originating from the Purdue network can lead to
subnet blacklisting and harm to Purdue's reputation.

==SOLUTIONS==

- Upgrade ntpd to at least 4.2.7 -OR-
- disable monlist functionality by by adding "disable monitor" to your
/etc/ntp.conf file

Additionally, you can restrict who the NTP is open for by
adjusting the NTP config. Also, if you have an NTP client, you can
make sure that it is not listening on port 123.

The following URL provides some helpful
information to provide such changes:
team-cymru . org /ReadingRoom/Templates/secure-ntp-template.html

==VERIFICATION==

The Nmap network mapping tool can be used to verify that the NTP
server is not vulnerable to DDoS attacks using monlists. Use the
following commands, replacing <IP> with the IP address of the NTP
server, to verify that it no longer responds to monlist queries:

$ nmap -sT -sU -p 123 -Pn --script=ntp-monlist <IP>

==FURTHER INFORMATION AND RESOURCES==

us-cert . gov /ncas/alerts/TA14-013A
team-cymru . org /ReadingRoom/Templates/secure-ntp-template.html
nmap . org
(copy and paste, then remove spaces)

==STEAM-CIRT CONTACT INFORMATION==

For questions concerning this advisory, please send email to:
itap-securityhelp@purdue.edu.

Report computer-related abuse to steam-cirt:
purdue . edu /securePurdue/incidentReportForm.cfm
purdue . edu /securepurdue/steam
(copy and paste, then remove spaces)

Posted by ITSP on February 20, 2014, in Advisory Alerts.