
Research Finds Decrease in NTP Servers Vulnerable to Abuse in DDoS Attacks

Researchers at NSFOCUS say they observed a significant decrease in May of Network Time Protocol (NTP) servers susceptible to being used in distributed denial-of-service (DDoS) attacks. 


Back in December, NSFOCUS began continuously tracking the number of NTP servers that could be exploited in amplification attacks. After a global scan of the Internet, the company found a total of 432,120 vulnerable NTP servers worldwide. Among these, 1,224 were capable of magnifying traffic by a factor greater than 700, according to the company.

By May, however, researchers found only about 17,000 NTP servers still vulnerable to being leveraged in NTP amplification DDoS attacks.

“An NTP client can issue a command “monlist” to query the IP addresses of the last 600 clients that have synchronized time with the targeted NTP server,” researchers explained in the ‘NSFOCUS NTP Amplification Attack Threat Report’. “In this way, it only requires a small request packet to trigger sequencing UDP response packets containing active IP addresses and other data. The volume of the monlist response data is closely related to the number of the clients that communicate with the NTP server. Hence a single request consisting of a 64-byte UDP packet can be magnified to 100 responses of 482 bytes each, resulting in 700x amplification…Since the NTP service uses a single UDP for communication, the attacker can launch a 700-fold NTP amplification attack by spoofing the source IP address, similar to what DNS amplification attacks do.”
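To make the mechanism described in the report's quote concrete, the following is an added example written for this edit (not code from NSFOCUS, SecurityWeek or the ntpd project). It builds the mode 7 monlist request, parses the mode 7 reply packets into the client addresses they leak, and computes the bandwidth amplification factor on the wire. The Ethernet/IP/UDP overhead constants, the 72-byte entry size, the sample response and the `probe()` helper are assumptions for illustration; `probe()` sends real traffic and must only be pointed at servers you are authorised to test.

```python
import socket
import struct
from ipaddress import IPv4Address

# Mode 7 ("private") request asking ntpd for its monitor list.
#   byte 0: response=0, more=0, version=2, mode=7      -> 0x17
#   byte 1: auth=0, sequence=0
#   byte 2: implementation 3 (IMPL_XNTPD)
#   byte 3: request code 42 (REQ_MON_GETLIST_1)
#   bytes 4-7: err/nitems and mbz/itemsize, zero in a request
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])
MODE7_HEADER = struct.Struct("!BBBBHH")
MON_ENTRY_SIZE = 72   # sizeof(struct info_monitor_1); six fit in one 500-byte payload

# Assumed wire overhead: IPv4+UDP headers 28 bytes, Ethernet header 14 bytes,
# minimum Ethernet frame 64 bytes. With these, the 8-byte request is a 64-byte
# frame and a six-entry (8 + 6*72 = 440 byte) response is a 482-byte frame,
# which is how the report's 64-byte / 482-byte figures arise.
IP_UDP_HDR, ETH_HDR, ETH_MIN_FRAME = 28, 14, 64


def frame_size(udp_payload_len):
    """Size of the Ethernet frame carrying a UDP payload of this length."""
    return max(ETH_MIN_FRAME, udp_payload_len + IP_UDP_HDR + ETH_HDR)


def parse_mode7(data):
    """Parse one mode-7 packet into its header fields plus, for a monlist
    response, the (client_ip, packet_count) pairs it carries."""
    if len(data) < MODE7_HEADER.size:
        raise ValueError("short mode-7 packet")
    rm_vn_mode, _auth_seq, _impl, req, err_nitems, mbz_size = MODE7_HEADER.unpack_from(data)
    info = {
        "response": bool(rm_vn_mode & 0x80),
        "more": bool(rm_vn_mode & 0x40),     # set when further packets follow
        "err": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "item_size": mbz_size & 0x0FFF,
        "entries": [],
    }
    if info["response"] and info["err"] == 0 and req == 0x2A:
        body = data[MODE7_HEADER.size:]
        for i in range(info["nitems"]):
            item = body[i * info["item_size"]:(i + 1) * info["item_size"]]
            if len(item) < 20:
                break                        # truncated entry
            # info_monitor_1 layout: packet count at offset 12, IPv4 client address at 16
            count = struct.unpack_from("!I", item, 12)[0]
            addr = IPv4Address(struct.unpack_from("!I", item, 16)[0])
            info["entries"].append((str(addr), count))
    return info


def amplification(request_len, response_lens):
    """Bandwidth amplification factor: bytes received on the wire / bytes sent."""
    return sum(frame_size(n) for n in response_lens) / frame_size(request_len)


def build_sample_response(clients, more=False):
    """Constructed sample (not captured traffic): a monlist response in the
    format ntpd emits, listing the given (ip, count) clients."""
    rm_vn_mode = 0x80 | (0x40 if more else 0x00) | 0x17
    hdr = MODE7_HEADER.pack(rm_vn_mode, 0, 3, 0x2A, len(clients), MON_ENTRY_SIZE)
    items = bytearray()
    for ip, count in clients:
        item = bytearray(MON_ENTRY_SIZE)
        struct.pack_into("!I", item, 12, count)
        struct.pack_into("!I", item, 16, int(IPv4Address(ip)))
        struct.pack_into("!H", item, 28, 123)   # client source port
        items += item
    return hdr + bytes(items)


def probe(host, timeout=2.0):
    """Send one monlist request and collect every reply packet. A non-empty
    result means the server is an open amplifier. Authorised targets only."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(MONLIST_REQUEST, (host, 123))
        while True:
            pkt, _ = sock.recvfrom(4096)
            replies.append(pkt)
            if not parse_mode7(pkt)["more"]:
                break
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


if __name__ == "__main__":
    # Offline run: a server with 600 recent clients answers with 100 packets of six entries.
    six = build_sample_response([("198.51.100.%d" % i, i) for i in range(1, 7)], more=True)
    print("request  %d bytes payload / %d on the wire" % (len(MONLIST_REQUEST), frame_size(len(MONLIST_REQUEST))))
    print("response %d bytes payload / %d on the wire" % (len(six), frame_size(len(six))))
    print("amplification x%.1f" % amplification(len(MONLIST_REQUEST), [len(six)] * 100))
```

Because the request carries no state and NTP runs over UDP, nothing in this exchange ties the 100 reply packets to the host that actually sent the 8-byte request; a spoofed source address simply redirects them to the victim, which is the whole attack.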

In March, NSFOCUS re-scanned the NTP servers on the Internet and found that the overall number of NTP amplifiers had dropped to 21,156. The follow-up scan in May saw the trend continue, with researchers finding 17,647 vulnerable NTP servers. Of these unpatched servers, more than 2,100 could still amplify traffic 700-fold, the firm found.

“We were not surprised by the findings,” Terence Chong, solutions architect for NSFOCUS, tells SecurityWeek. “The initial number of the vulnerable servers was very high. Over 95 percent of them were patched within the first few months after this exploitation of the NTP server was first made public, which is an impressive number. There could be a couple of reasons why the rest of the servers were not patched. Either the administrators of these servers are not aware of the NTP server vulnerability, or it can be that their servers were not properly documented or tracked and the administrators are not aware of their existence.”

According to NSFOCUS, the decline in vulnerable servers indicates that many network and system administrators have disabled or restricted the monlist function. US-CERT and the Network Time Protocol project strongly advise system administrators to upgrade ntpd to version 4.2.7p26 or later, the release in which monlist was removed. Users of earlier versions should add noquery to the default restrictions to block all status queries, or use disable monitor to disable the ntpdc -c monlist command while still allowing other status queries. Note that noquery also blocks legitimate ntpq status queries from the same scope, so hosts that need remote monitoring should be granted their own, narrower restrict line.
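As an added example (written for this edit, not from US-CERT, ntp.org or NSFOCUS), the following script shows the weak and the corrected ntp.conf side by side and implements the two checks an administrator would run across a fleet: whether the running ntpd reports 4.2.7p26 or later, and whether a configuration file still exposes monlist to the default scope. Both configuration texts are constructed samples; the keywords follow ntpd's restrict and disable syntax as described in the advisory, and the version threshold is the one named above.

```python
import re

# Constructed sample configurations (not taken from any real host).
# Before: a typical pre-4.2.7p26 ntp.conf whose default restriction allows
# mode 6/7 queries, so anyone on the Internet can issue monlist.
EXPOSED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

# After: the two mitigations the advisory names. 'noquery' on the default
# scope blocks all status queries from the world; 'disable monitor' turns off
# the monitoring facility that feeds monlist, which disables that one command
# while leaving other status queries available.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
"""

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")
MONLIST_REMOVED_IN = (4, 2, 7, 26)   # the version named in the advice above


def monlist_removed(version_string):
    """True if an 'ntpd --version' style string names 4.2.7p26 or later."""
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError("no ntpd version found in %r" % version_string)
    major, minor, micro, patch = (int(g or 0) for g in m.groups())
    return (major, minor, micro, patch) >= MONLIST_REMOVED_IN


def audit_ntp_conf(text):
    """Report whether an ntp.conf still exposes monlist to the default scope.
    Exposed means: the monitor facility is enabled (ntpd's default) and the
    effective 'restrict default' flags for IPv4 or IPv6 lack 'noquery'."""
    monitor_enabled = True
    default_flags = {}   # "" (both families), "-4" or "-6" -> set of flags
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, blank lines
        if not tokens:
            continue
        if tokens[0] in ("enable", "disable") and "monitor" in tokens[1:]:
            monitor_enabled = tokens[0] == "enable"
        elif tokens[0] == "restrict":
            rest, family = tokens[1:], ""
            if rest and rest[0] in ("-4", "-6"):
                family, rest = rest[0], rest[1:]
            if rest and rest[0] == "default":
                default_flags[family] = set(rest[1:])
    unqualified = default_flags.get("", set())
    # A family-specific 'restrict -4/-6 default' overrides the unqualified one;
    # no default restrict line at all means every query is permitted.
    open_families = [fam for fam in ("-4", "-6")
                     if "noquery" not in default_flags.get(fam, unqualified)]
    return {
        "monitor_enabled": monitor_enabled,
        "families_without_noquery": open_families,
        "monlist_exposed": monitor_enabled and bool(open_families),
    }


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf))
    print("4.2.6p5 has monlist removed:", monlist_removed("ntpd 4.2.6p5@1.2349-o"))
```

In practice the configuration audit only tells you what the file says; the network probe is the check that settles whether a given host actually answers monlist, so the two should be run together on any server that was found during the December scans and then forgotten.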


“While many vulnerable sites have been patched, the potential for NTP amplification attacks still exists,” according to the report. “The reality is that more than 17,000 vulnerable servers still exist in the Internet ecosystem. If the Internet community as a whole doesn’t begin securing publicly accessible NTP servers, not only will these attacks continue but they also have the potential to affect users worldwide.”


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
