Vulnerability of NTP

Robert Seastrom rs at seastrom.com
Wed Feb 26 19:21:29 CST 2014


On Feb 25, 2014, at 11:50 PM, Andre Kesteloot <andre.kesteloot at verizon.net> wrote:

>> http://www.bbc.co.uk/news/technology-26136774 

The article kind of misses the point, that it's not NTP or open servers that's the problem; it's amplification potential - send a tiny packet, get a huge amount of data back.  Combine this with easy ability to spoof packets and you have a huge problem.

Yes, we've been calling for blocking of spoofed packets on edge networks for ages.  Not widely enough deployed.

The details here are that there is a command ("monlist") that will dump out a huge amount of information about every other NTP speaker that the server has ever talked to.  Amplification factors on the order of 3000x have been seen in the wild, handily eclipsing the amplification factors often seen with DNS (also a problem).

400 GBit/sec reflection attacks are no joke, and even having a couple of vulnerable servers on your network participating as part of an attack on someone else can be plenty annoying (I've been involved in mitigation exercises for five different networks in the past ten weeks - only one of which is my day job).

More at:

http://www.kb.cert.org/vuls/id/348126
and
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211

I'm a bit amused that the CERT folks seem to have not gotten the memo that the term of art is 'reflection/amplification attack', not "DRDOS" which is marketing-speak...

-r
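As an added illustration (not part of the original message or any NTP project code) of what the monlist problem looks like on the wire from the server operator's side: a small Python parser for the NTP mode-7 ("private") header, used to flag monlist requests and responses in UDP/123 traffic and to compute the bytes-out / bytes-in ratio a server is producing for each spoofed source. The sample datagrams, addresses and packet sizes are constructed for the example; the header layout and the request-code values follow the reference implementation's ntp_request.h.

```python
import struct

MODE_PRIVATE = 7          # NTP mode 7 ("private"/ntpdc) packets
MON_GETLIST = 20          # request codes that dump the monitor list
MON_GETLIST_1 = 42        # (values from the reference implementation's ntp_request.h)

def parse_mode7(payload):
    """Decode the 8-byte mode-7 header; return None for any other NTP mode."""
    if len(payload) < 8:
        return None
    b0, b1, impl, reqcode, err_count, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        return None
    return {"response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
            "version": (b0 >> 3) & 0x07, "sequence": b1 & 0x7f,
            "implementation": impl, "request_code": reqcode,
            "error": err_count >> 12, "count": err_count & 0x0fff,
            "item_size": mbz_size & 0x0fff}

def is_monlist(hdr):
    return hdr is not None and hdr["request_code"] in (MON_GETLIST, MON_GETLIST_1)

def summarize_monlist(datagrams):
    """datagrams: iterable of (src_ip, dst_ip, udp_payload) seen on port 123.
    Returns, per NTP server, the monlist requests it received and the responses
    it sent, plus the bytes-out / bytes-in amplification ratio."""
    stats = {}
    blank = {"req_pkts": 0, "req_bytes": 0, "resp_pkts": 0, "resp_bytes": 0}
    for src, dst, payload in datagrams:
        hdr = parse_mode7(payload)
        if not is_monlist(hdr):
            continue
        server = src if hdr["response"] else dst   # responses leave the server
        s = stats.setdefault(server, dict(blank))
        kind = "resp" if hdr["response"] else "req"
        s[kind + "_pkts"] += 1
        s[kind + "_bytes"] += len(payload)
    for s in stats.values():
        s["amplification"] = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else None
    return stats

# Constructed sample traffic (not a capture): one 48-byte MON_GETLIST_1 request whose
# source address is the spoofed victim, answered by three 440-byte response packets
# (6 items of 72 bytes each; the "more" bit is set on all but the last).
REQ = bytes([0x17, 0x00, 0x03, 0x2a]) + b"\x00\x00\x00\x00" + b"\x00" * 40
RESP_MORE = bytes([0xd7, 0x00, 0x03, 0x2a, 0x00, 0x06, 0x00, 0x48]) + b"\x00" * 432
RESP_LAST = bytes([0x97, 0x00, 0x03, 0x2a, 0x00, 0x06, 0x00, 0x48]) + b"\x00" * 432
SAMPLE = [("198.51.100.7", "203.0.113.10", REQ),
          ("203.0.113.10", "198.51.100.7", RESP_MORE),
          ("203.0.113.10", "198.51.100.7", RESP_MORE),
          ("203.0.113.10", "198.51.100.7", RESP_LAST)]

if __name__ == "__main__":
    for server, s in summarize_monlist(SAMPLE).items():
        print(server, s)
```

The constructed sample yields a 27.5x ratio from just three response packets; a server with a full monitor table returns many more such packets per request, which is where the large factors mentioned above come from. Any non-zero monlist response count for one of your own servers means it is participating.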
