ADVISORY: Preventing NTP Amplification Attacks
Wednesday, January 29, 2014
This message was sent to the IT Security via email on January 29, 2014.
There has been an increase over the last month in use of Network Time Protocol (NTP) for denial of service attacks. There is a command you can issue to test the vulnerability of your systems and an update you can make to eliminate the vulnerability. If you are responsible for systems that use NTP, please take action as described below.
Attackers are using vulnerable NTP servers that are exposed to the Internet to perform denial of service attacks. U-M systems have been involved in several recent attacks.
This vulnerability is being actively exploited to perform denial of service attacks.
Any NTP service that allows remote monitoring commands, such as monlist, from the Internet. This includes versions of the Network Time Protocol daemon (ntpd) prior to 4.2.7, as well as other implementations of NTP such as those in Cisco IOS and Juniper JUNOS.
It is possible to detect vulnerable systems using the ntp-monlist NSE script for NMAP (see the references section below for more information). It is also possible to use the ntpdc command to test
ntpdc -n -c monlist [IP ADDRESS]
If you get a response to the query, the system is vulnerable and can be
abused to perform attacks.
In addition, IIA's quarterly vulnerability scan will include detection of vulnerable systems. The next scan will be done in late February. If you receive vulnerability scan results for your unit, please check for and fix vulnerable NTP services.
For all systems that are running ntpd, update to at least version 4.2.7p26, if possible. If that is not possible, add the noquerydirective to the restrict default lines in the system's ntp.conf, as shown below:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
For other implementations of NTP, additional information may be available in the references below or from vendors.
ITS will provide support to any MiWorkspace unit with affected systems.
Attackers issue NTP queries with spoofed source addresses to direct the NTP server's response to their intended target. Some queries produce significantly more output than is needed to initiate the query, so attackers take advantage of this network traffic amplification. Attackers frequently use the monlist command because it can generate a large response to a small query.
Questions, Concerns, Reports
Please contact [email protected].