Tag Archives: ntp -ddos-target

The NTP vulnerability !

Just like the DDoS is hitting web-servers and DNS servers, it has started hitting the ntpd servers which are left open.

The Network Time Protocol, or NTP, syncs time between machines on the network, and runs over port 123 UDP. It’s typically
configured once by network administrators and often is not updated.

Recently there is a major jump in attacks via the protocol. Attackers appear to be employing NTP for DDoSing similar to the way DNS is being abused in such attacks. They transmit small spoofed packets requesting a large amount of data sent to the DDoS target’s IP address.

It’s all about abusing the so-called “monlist” command
in an older version of NTP. Monlist returns a list of the last 600 hosts that have connected to the server.

To check if your ntp service is open/vulnerable :

# ntpdc -c monlist IP ( See if it returns the list of hosts,
if it does, it is vulnerable )

To get around this,

# The easiest way to update to NTP version 4.2.7, which removes the monlist command entirely.

# If upgrading is not an option, you can start the NTP daemon with noquery enabled in the NTP conf file. This will disable access to mode 6 and 7 query packets (which includes monlist).

Add the below lines to /etc/ntp.conf :

========

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

========

If monolist query is disabled,

# ntpdc -n -c monlist IP should return,

xx.xx.xx.xx: timed out, nothing received
***Request timed out

Act now and stop becoming the part of a chain 🙂