[BlueOnyx:14260] Another DDOS vulnerability: NTP Amplification Attacks

George F. Nemeyer tigerwolf at tigerden.com
Tue Jan 14 10:39:48 -05 2014


This attack is similar in concept to DNS query attacks BX recently dealt
with, but now being directed at NTP servers.

Please see the CERT advisory below which gives a more complete picture.
Ways to check your servers are included, as well as a suggested NTP
upgrade version and ways to block attacks on non-upgradable systems.

This needs to be a high-priority check/fix on BX systems to stop servers
being exploited for attacks.

Like with DNS, a software update push may be appropriate.


---------- Forwarded message ----------
Subject: TA14-013A: NTP Amplification Attacks Using CVE-2013-5211
Date: Tue, 14 Jan 2014 09:10:48 -0600
From: "US-CERT" <US-CERT at ncas.us-cert.gov>

NCCIC / US-CERT

National Cyber Awareness System:

TA14-013A: NTP Amplification Attacks Using CVE-2013-5211
[https://www.us-cert.gov/ncas/alerts/TA14-013A ] 01/13/2014 05:51 PM EST
Original release date: January 13, 2014 | Last revised: January 14, 2014

Systems Affected

NTP servers

Overview

A Network Time Protocol (NTP) Amplification attack is an emerging form of
Distributed Denial of Service (DDoS) that relies on the use of publicly
accessible NTP servers to overwhelm a victim system with UDP traffic.

Description

The NTP service supports a monitoring service that allows administrators
to query the server for traffic counts of connected clients. This
information is provided via the monlist command. The basic attack technique
consists of an attacker sending a "get monlist" request to a vulnerable
NTP server, with the source address spoofed to be the victim address.

Impact

The attack relies on the exploitation of the 'monlist' feature of NTP, as
described in CVE-2013-5211, which is enabled by default on older
NTP-capable devices. This command causes a list of the last 600 IP
addresses which connected to the NTP server to be sent to the victim. Due
to the spoofed source address, when the NTP server sends the response it
is sent instead to the victim. Because the size of the response is
typically considerably larger than the request, the attacker is able to
amplify the volume of traffic directed at the victim. Additionally,
because the responses are legitimate data coming from valid servers, it is
especially difficult to block these types of attacks. The solution is to
disable monlist within the NTP server or to upgrade to the latest version
of NTP (4.2.7) which disables the monlist functionality.

Solution

*Detection*

On a UNIX platform, the command will query existing NTP servers for
monitoring data. If the system is vulnerable to exploitation, it will
respond to the monlist command in interactive mode. By default, most
modern UNIX and Linux distributions allow this command to be used from
localhost, but not from a remote host. To test for monlist support,
execute the following command at the command line:

/usr/sbin/ntpdc <remote server>

monlist

Additionally, the ntp-monlist script is available for NMap, which will
automatically display the results of the monlist command. If the system
does not support the monitor query, and is therefore not vulnerable to
this attack type, NMap will return an error type 4 (No Data Available) or
no reply at all.


*Recommended Course of Action*

As all versions of ntpd prior to 4.2.7 are vulnerable by default, the
simplest recommended course of action is to upgrade all versions of ntpd
that are publicly accessible to at least 4.2.7. However, in cases where
it is not possible to upgrade the version of the service, it is possible
to disable the monitor functionality in earlier versions of the software.

To disable monlist functionality on a public-facing NTP server that cannot
be updated to 4.2.7, add the noquery directive to the restrict default
line in the system ntp.conf, as shown below:

restrict default kod nomodify notrap nopeer noquery

restrict -6 default kod nomodify notrap nopeer noquery
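As an added example (not code from the advisory or the BlueOnyx project), the following Python audits an ntp.conf for restrict default lines that lack the flags recommended above and rewrites weak lines with them; the sample configuration is constructed.

```python
# Added example (not US-CERT's or BlueOnyx's code): audit an ntp.conf for
# 'restrict default' lines that still answer ntpdc queries such as monlist,
# and rewrite weak lines with the flags TA14-013A recommends.
REQUIRED = ("kod", "nomodify", "notrap", "nopeer", "noquery")

def parse_restrict_default(line):
    """Return (family, flags) for a 'restrict [-4|-6] default' line, else None."""
    tokens = line.split("#", 1)[0].split()  # drop any trailing comment
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    family, rest = "", tokens[1:]  # '' means the line names no address family
    if rest[0] in ("-4", "-6"):
        family, rest = rest[0], rest[1:]
    if not rest or rest[0] != "default":
        return None
    return family, set(rest[1:])

def missing_flags(flags):
    """Recommended flags this line lacks; 'ignore' already denies everything."""
    return [] if "ignore" in flags else [f for f in REQUIRED if f not in flags]

def audit_ntp_conf(text):
    """Return (line_no, family, missing) for each weak default restriction.
    A file with no default restriction at all is reported as line 0."""
    findings, seen = [], False
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_restrict_default(line)
        if parsed:
            seen, missing = True, missing_flags(parsed[1])
            if missing:
                findings.append((no, parsed[0], missing))
    return findings if seen else [(0, "", list(REQUIRED))]

def remediate(text):
    """Append the missing flags to each weak line, keeping its comment."""
    out = []
    for line in text.splitlines():
        parsed = parse_restrict_default(line)
        missing = missing_flags(parsed[1]) if parsed else []
        if missing:
            code, mark, comment = line.partition("#")
            line = code.rstrip() + " " + " ".join(missing) + (f"  #{comment}" if mark else "")
        out.append(line)
    return "\n".join(out) + "\n"
# Constructed sample, modelled on a typical pre-4.2.7 ntp.conf.
SAMPLE_CONF = """restrict default kod nomodify notrap nopeer  # noquery missing
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server 0.pool.ntp.org
"""
```

Run audit_ntp_conf on the file's text before and after remediate to confirm that no weak default restriction remains.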

References

  * Vulnerability Summary for CVE-2013-5211
     [ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211 ]
  * NTP Software Downloads [ http://www.ntp.org/downloads.html ]
  * ntp-monlist NSE Script [ http://nmap.org/nsedoc/scripts/ntp-monlist.html ]

Revision History

  * January 13, 2014 - Initial Release