All Posts

2 posts

How to detect NTP Amplification DoS Attacks

The ntpd program is an operating system daemon that sets and maintains the system time in synchronization with Internet standard time servers. As described in CVE-2013-5211, a denial of service condition can be caused by the "monlist" feature, a mode 7 management query that returns the addresses of up to 600 hosts that recently talked to the server; it is enabled by default in ntpd versions before 4.2.7p26, which is why most NTP servers of that era answer it. NTP runs over UDP port 123, and because UDP is connectionless, the source address of the small (8-byte) request can be spoofed easily. The server then sends its much larger reply (up to 100 datagrams, tens of kilobytes in total) to the spoofed address, the victim, rather than to the sender. That is the amplification: a tiny spoofed request, a large reply delivered to someone else.
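As an added worked example (not part of the original post, and not Qualys' own detection code), the following Python script builds the same mode 7 monlist probe a scanner would send, parses the reply according to the info_monitor_1 record layout in ntpd's ntp_request.h, and estimates the on-wire amplification. The sample reply bytes and error reply are constructed inline so the parser can be exercised offline; the probe() helper does real network I/O and should only be pointed at hosts you are authorized to test.

```python
"""Added example: craft an NTP mode-7 "monlist" probe, parse the reply,
and estimate amplification. Constants follow ntpd's ntp_request.h."""
import socket
import struct

NTP_PORT = 123
IMPL_XNTPD = 3            # implementation number ntpd answers for
REQ_MON_GETLIST_1 = 42    # "monlist" request code
INFO_ERR_REQ = 2          # error code: unknown/unsupported request
MONLIST_ITEM_SIZE = 72    # sizeof(struct info_monitor_1)
IP_UDP_OVERHEAD = 28      # IPv4 (20) + UDP (8) header bytes, for on-wire ratios

# Mode-7 header: flags (R|M|VN<<3|mode), sequence, implementation, request code,
# err(4 bits)|nitems(12 bits), mbz(4 bits)|item size(12 bits)
HDR = struct.Struct("!BBBBHH")
# One info_monitor_1 record: lasttime, firsttime, restr, count, addr, daddr,
# flags, port, mode, version, v6_flag, unused, addr6, daddr6 (72 bytes)
ITEM = struct.Struct("!IIIIIIIHBBII16s16s")


def build_monlist_request() -> bytes:
    """8-byte probe: version 2, mode 7, impl 3, request 42, no items."""
    return HDR.pack(0x17, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def has_more(data: bytes) -> bool:
    """M bit set: the server will send further datagrams for this request."""
    return bool(data[0] & 0x40)


def parse_monlist_response(data: bytes) -> list:
    """Return the client records in one mode-7 reply.

    Raises ValueError for anything that is not a well-formed monlist reply and
    returns [] when the server answered with an error code (e.g. a patched ntpd
    rejecting the request), i.e. when it does not amplify.
    """
    if len(data) < HDR.size:
        raise ValueError("packet shorter than mode-7 header")
    flags, _seq, impl, req, err_items, size_field = HDR.unpack_from(data)
    if (flags & 0x07) != 7 or not (flags & 0x80):
        raise ValueError("not a mode-7 response")
    if impl != IMPL_XNTPD or req != REQ_MON_GETLIST_1:
        raise ValueError("reply is not for our monlist request")
    err, nitems = err_items >> 12, err_items & 0x0FFF
    item_size = size_field & 0x0FFF
    if err != 0 or nitems == 0:
        return []
    if item_size != MONLIST_ITEM_SIZE:
        raise ValueError("unexpected monlist record size %d" % item_size)
    body = data[HDR.size:]
    n = min(nitems, len(body) // item_size)   # never trust nitems beyond the datagram
    records = []
    for i in range(n):
        (_last, _first, _restr, count, addr, _daddr, _dflags, port, mode,
         version, v6_flag, _pad, addr6, _daddr6) = ITEM.unpack_from(body, i * item_size)
        if v6_flag:
            host = socket.inet_ntop(socket.AF_INET6, addr6)
        else:
            host = socket.inet_ntop(socket.AF_INET, struct.pack("!I", addr))
        records.append({"addr": host, "port": port, "mode": mode,
                        "version": version, "count": count})
    return records


def amplification_factor(request: bytes, responses: list) -> float:
    """Bytes on the wire returned per byte sent, counting IP+UDP headers."""
    sent = len(request) + IP_UDP_OVERHEAD
    received = sum(len(r) + IP_UDP_OVERHEAD for r in responses)
    return received / sent


def probe(host: str, timeout: float = 2.0) -> list:
    """Send the probe to a live host and collect every reply datagram (network I/O)."""
    req = build_monlist_request()
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, NTP_PORT))
        try:
            while True:
                data, _ = s.recvfrom(2048)
                replies.append(data)
                if not has_more(data):
                    break
        except socket.timeout:
            pass
    return replies


def _make_record(addr: str, count: int, port=123, mode=3, version=4) -> bytes:
    """Constructed test record (not real capture data)."""
    a = struct.unpack("!I", socket.inet_aton(addr))[0]
    return ITEM.pack(0, 0, 0, count, a, 0, 0, port, mode, version, 0, 0, b"\0" * 16, b"\0" * 16)


# Constructed sample reply: response bit set, no "more" bit, two IPv4 clients.
SAMPLE_REPLY = (HDR.pack(0x97, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 2, MONLIST_ITEM_SIZE)
                + _make_record("192.0.2.10", 12) + _make_record("198.51.100.7", 3))
# Constructed reply from a server that rejects monlist: err=2, zero items.
ERROR_REPLY = HDR.pack(0x97, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, INFO_ERR_REQ << 12, 0)


if __name__ == "__main__":
    recs = parse_monlist_response(SAMPLE_REPLY)
    print("clients:", [r["addr"] for r in recs])
    print("amplification: %.1fx" % amplification_factor(build_monlist_request(), [SAMPLE_REPLY]))
```

A host is vulnerable when parse_monlist_response() returns records for at least one datagram; a full 600-entry list is 100 datagrams of 440 bytes, which this formula scores at 1300x for the 8-byte probe. Servers that ignore the probe or answer with an error code do not amplify.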


Detect NTP Amplification Flaws

Update 2: Cloudflare just published an interesting piece on the latest attack they were exposed to, which peaked at 400 Gbps. It is remarkable that only 4,529 NTP servers could generate 400 Gbps of traffic. In that sense NTP is a better amplifier than DNS, where 30,956 servers were needed for a 300 Gbps attack. Paul Vixie from Farsight Security explains how to solve the problem, at least in theory, but he believes the incentives to do it are just not there, as the owners of the networks involved are not directly affected. He dealt with a similar issue with DNS, but decided instead to adapt BIND to recognize reflection attacks (response rate limiting). It is not the "right" solution, but the most practical one…

Update: Animesh Jain from our Vulnerability Research Team has published a technical post with more in depth information on the probing mechanism and indicators used to implement this specific detection. Excellent insight into the inner workings of a remote detection.

Original: Symantec recently reported on the increasing use of NTP (Network Time Protocol) in denial of service attacks. Over Christmas 2013, servers for a number of gaming sites were taken down by NTP DoS attacks, including the popular Battle.net, League of Legends and Steam. Regardless of whether you care about online gaming, this attack might affect you, as the attackers might have used your NTP servers as reflectors.
