SecurityWeek

Vulnerabilities

Research Finds Decrease in NTP Servers Vulnerable to Abuse in DDoS Attacks

Researchers at NSFOCUS say they observed a significant decrease in May of Network Time Protocol (NTP) servers susceptible to being used in distributed denial-of-service (DDoS) attacks. 

Back in December, NSFOCUS began continuously tracking the number of NTP servers exploited in amplification attacks. After a global Internet-wide scanning effort, the company uncovered a total of 432,120 vulnerable NTP servers worldwide. Among these, 1,224 were capable of magnifying traffic by a factor greater than 700, according to the company.

However, in May, researchers uncovered just 17,000 NTP servers vulnerable to being leveraged in NTP amplification DDoS attacks. 

“An NTP client can issue a command ‘monlist’ to query the IP addresses of the last 600 clients that have synchronized time with the targeted NTP server,” researchers explained in the ‘NSFOCUS NTP Amplification Attack Threat Report’. “In this way, it only requires a small request packet to trigger sequencing UDP response packets containing active IP addresses and other data. The volume of the monlist response data is closely related to the number of the clients that communicate with the NTP server. Hence a single request consisting of a 64-byte UDP packet can be magnified to 100 responses of 482 bytes each, resulting in 700x amplification… Since the NTP service uses a single UDP for communication, the attacker can launch a 700-fold NTP amplification attack by spoofing the source IP address, similar to what DNS amplification attacks do.”

In March, NSFOCUS re-scanned the NTP servers on the Internet and found that the overall number of NTP amplifiers had dropped to 21,156. The follow-up scan in May saw the trend continue, as researchers found 17,647 NTP servers that were still vulnerable. Of these unpatched servers, more than 2,100 are capable of 700x amplification, the firm found.

“We were not surprised by the findings,” Terence Chong, solutions architect for NSFOCUS, tells SecurityWeek. “The initial number of the vulnerable servers was very high. Over 95 percent of them were patched within the first few months after this exploitation of the NTP server was first made public, which is an impressive number. There could be a couple of reasons why the rest of the servers were not patched. Either the administrators of these servers are not aware of the NTP server vulnerability, or it can be that their servers were not properly documented or tracked and the administrators are not aware of their existence.”

According to NSFOCUS, the decline in vulnerable servers indicates that many network and system administrators have disabled or restricted the monlist function. US-CERT and the Network Time Protocol project strongly advise system admins to upgrade ntpd to version 4.2.7p26 or later. Users of earlier versions should either add noquery to the default restrict lines in ntp.conf, which blocks all status queries, or use the disable monitor directive, which disables the ntpdc -c monlist command while still allowing other status queries.
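The two configuration mitigations above are easy to audit mechanically. The following script is an added example, not code from NSFOCUS, US-CERT or SecurityWeek: it parses an ntp.conf, reports whether every default restriction carries noquery or whether disable monitor is set, and flags the gap otherwise. The three sample configurations embedded in it are constructed for illustration.

```python
# Added example (not from the NSFOCUS report or SecurityWeek): audit an ntp.conf
# for the two monlist mitigations the advisory names, "noquery" on the default
# restriction or "disable monitor". The sample configs below are constructed.


def parse_ntp_conf(text):
    """Split ntp.conf text into (directive, args) pairs, dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing '#' comments
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def _default_restrict_flags(args):
    """Return the flag list if a 'restrict' line is the catch-all default rule, else None.

    Accepts 'restrict default ...', 'restrict -4 default ...' and 'restrict -6 default ...'.
    """
    if args and args[0] == "default":
        return args[1:]
    if len(args) >= 2 and args[0] in ("-4", "-6") and args[1] == "default":
        return args[2:]
    return None


def audit_monlist(text):
    """Decide whether the config blocks monlist abuse; returns a verdict plus findings."""
    entries = parse_ntp_conf(text)
    findings = []

    # Mitigation 1: 'disable monitor' stops ntpd from keeping the recent-client
    # list, so monlist has nothing to return while other status queries keep working.
    monitor_disabled = any(d == "disable" and "monitor" in a for d, a in entries)
    if monitor_disabled:
        findings.append("'disable monitor' present: monlist has no data to return")

    # Mitigation 2: 'noquery' on every default restriction refuses control and
    # status queries (ntpq mode 6 and ntpdc mode 7, monlist included) from any
    # host that is not explicitly allowed by a more specific restrict line.
    default_rules = []
    for directive, args in entries:
        if directive == "restrict":
            flags = _default_restrict_flags(args)
            if flags is not None:
                default_rules.append(flags)

    if not default_rules:
        findings.append("no 'restrict default' rule: status queries open to everyone")
        all_noquery = False
    else:
        all_noquery = True
        for flags in default_rules:
            if "noquery" not in flags and "ignore" not in flags:
                all_noquery = False
                findings.append("default restrict lacks 'noquery': " + " ".join(flags))
        if all_noquery:
            findings.append("every default restriction carries 'noquery' (or 'ignore')")

    return {"mitigated": monitor_disabled or all_noquery, "findings": findings}


# Constructed sample configs: the first is the exposed pattern, the other two
# apply one of the two mitigations each.
WEAK_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer   # status queries still answered
restrict 127.0.0.1
"""

HARDENED_NOQUERY = """
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

HARDENED_DISABLE_MONITOR = """
disable monitor
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in [("weak", WEAK_CONF), ("noquery", HARDENED_NOQUERY),
                       ("disable monitor", HARDENED_DISABLE_MONITOR)]:
        result = audit_monlist(conf)
        print(f"{name}: mitigated={result['mitigated']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against a real /etc/ntp.conf the script only reads the file's directives; it does not query the daemon, so it reports what the configuration says, not whether the running ntpd has actually reloaded it. A config that passes this audit on an ntpd older than 4.2.7p26 still has the monlist code present, which is why the upgrade remains the primary recommendation.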


“While many vulnerable sites have been patched, the potential for NTP amplification attacks still exists,” according to the report. “The reality is that more than 17,000 vulnerable servers still exist in the Internet ecosystem. If the Internet community as a whole doesn’t begin securing publicly accessible NTP servers, not only will these attacks continue but they also have the potential to affect users worldwide.”

Written By

Marketing professional with a background in journalism and a focus on IT security.