Preventing NTP Amplification Attacks

This message was sent to the IT Security via email on January 29, 2014.

Summary

There has been an increase over the last month in use of Network Time Protocol (NTP) for denial of service attacks. There is a command you can issue to test the vulnerability of your systems and an update you can make to eliminate the vulnerability. If you are responsible for systems that use NTP, please take action as described below.

Problem

Attackers are using vulnerable NTP servers that are exposed to the Internet to perform denial of service attacks. U-M systems have been involved in several recent attacks.

Threats

This vulnerability is being actively exploited to perform denial of service attacks.

Affected Systems

Any NTP service that allows remote monitoring commands, such as monlist, from the Internet. This includes versions of the Network Time Protocol daemon (ntpd) prior to 4.2.7, as well as other implementations of NTP such as those in Cisco IOS and Juniper JUNOS.

Detection

It is possible to detect vulnerable systems using the ntp-monlist NSE script for NMAP (see the references section below for more information). It is also possible to use the ntpdc command to test
individual systems:

    ntpdc -n -c monlist [IP ADDRESS]

If you get a response to the query, the system is vulnerable and can be
abused to perform attacks.

In addition, IIA's quarterly vulnerability scan will include detection of vulnerable systems. The next scan will be done in late February. If you receive vulnerability scan results for your unit, please check for and fix vulnerable NTP services.

Action Items

For all systems that are running ntpd, update to at least version 4.2.7p26, if possible. If that is not possible, add the noquerydirective to the restrict default lines in the system's ntp.conf, as shown below:

    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery

For other implementations of NTP, additional information may be available in the references below or from vendors.

ITS will provide support to any MiWorkspace unit with affected systems.

Technical Details

Attackers issue NTP queries with spoofed source addresses to direct the NTP server's response to their intended target. Some queries produce significantly more output than is needed to initiate the query, so attackers take advantage of this network traffic amplification. Attackers frequently use the monlist command because it can generate a large response to a small query.

Questions, Concerns, Reports

Please contact [email protected].