SecurityWeek

Network Security

US-CERT Warns of NTP Amplification Attacks

US-CERT is warning organizations about a form of distributed denial-of-service attack that seeks to overwhelm victims with UDP traffic reflected off publicly accessible NTP servers.

NTP stands for Network Time Protocol, which runs over port 123 and is used to synchronize clocks between machines on a network. In December, researchers at Symantec noticed an uptick of attacks targeting the protocol.

According to US-CERT, the attacks abuse the NTP service, which supports a monitoring feature that allows administrators to query the server for traffic counts of recently connected clients via the “monlist” command. In an NTP amplification attack, an attacker sends a “get monlist” request to a vulnerable NTP server, with the source address spoofed to be the victim’s address.

“The attack relies on the exploitation of the ‘monlist’ feature of NTP, as described in CVE-2013-5211, which is enabled by default on older NTP-capable devices,” according to the US-CERT advisory. “This command causes a list of the last 600 IP addresses which connected to the NTP server to be sent to the victim. Due to the spoofed source address, when the NTP server sends the response it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim.”
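As an added example that is not from the article or from US-CERT, the following Python decodes the NTP mode-7 (private) header that monlist uses and flags any host that receives monlist responses from UDP/123, the reflected traffic a victim or transit network would see in the attack described above. The header layout and request codes (20 and 42) follow ntpd’s ntp_request.h; the sample capture is constructed.

```python
"""Added example: flag NTP mode-7 'monlist' responses (the reflected traffic in an
NTP amplification attack) in captured UDP datagrams and summarise them per victim."""
from collections import defaultdict
import struct

# Mode-7 request codes for the monitor list, as defined in ntpd's ntp_request.h.
MONLIST_CODES = {20, 42}   # REQ_MON_GETLIST, REQ_MON_GETLIST_1

def parse_mode7(payload):
    """Decode the 8-byte NTP mode-7 header; return None for non-mode-7 packets."""
    if len(payload) < 8:
        return None
    b0, b1, impl, reqcode, err_nitems, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != 7:                  # low 3 bits = NTP mode; 7 = private (ntpdc)
        return None
    return {"response": bool(b0 & 0x80),   # R bit is set on replies
            "more": bool(b0 & 0x40),       # M bit: further reply packets follow
            "reqcode": reqcode, "impl": impl, "seq": b1 & 0x7F,
            "err": err_nitems >> 12, "nitems": err_nitems & 0x0FFF,
            "item_size": mbz_size & 0x0FFF, "length": len(payload)}

def find_monlist_reflections(datagrams):
    """datagrams: iterable of (src_ip, src_port, dst_ip, dst_port, payload).
    Returns {victim_ip: stats} for hosts receiving monlist responses from UDP/123."""
    victims = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0, "entries": 0})
    for src, sport, dst, _dport, payload in datagrams:
        h = parse_mode7(payload)
        if (h is None or sport != 123 or not h["response"]
                or h["reqcode"] not in MONLIST_CODES or h["err"] != 0):
            continue                    # ordinary NTP, requests, or error replies
        v = victims[dst]
        v["reflectors"].add(src)
        v["packets"] += 1
        v["bytes"] += h["length"]       # reply bytes that land on the victim
        v["entries"] += h["nitems"]     # monitor-list entries carried
    return dict(victims)

def monlist_response(seq, nitems=6, more=True):
    """Constructed mode-7 monlist reply: version 2, 72-byte entries, 6 per packet."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
    return struct.pack("!BBBBHH", b0, seq, 3, 42, nitems, 72) + b"\x00" * (72 * nitems)

def sample_capture():
    """Constructed traffic: two reflectors sending replies to one victim, plus a
    benign mode-4 server reply that the detector must ignore."""
    victim, reflectors = "203.0.113.5", ["192.0.2.10", "192.0.2.11"]
    pkts = [(r, 123, victim, 80, monlist_response(i, more=(i < 1)))
            for r in reflectors for i in range(2)]
    pkts.append(("192.0.2.10", 123, "198.51.100.7", 51234, b"\x24" + b"\x00" * 47))
    return pkts
```

Fed real traffic (for example UDP payloads pulled from a pcap), a victim that shows many distinct reflectors and a high reply-byte count is the signature to alert on; a single server answering monlist at all indicates a host that still needs the upgrade or the monitoring feature disabled.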

Since the responses are legitimate data coming from valid servers, it can be difficult for organizations to configure their defenses to block these attacks, the advisory added. All versions of NTPD (Network Time Protocol Daemon) prior to 4.2.7 are vulnerable by default and should be upgraded, US-CERT recommends. If that is not possible, the monitoring functionality can be disabled.

Roland Dobbins, senior ASERT analyst at Arbor Networks, also recommended that organizations consider unicast reverse-path forwarding (uRPF), DHCP snooping and similar approaches to prevent source-address spoofing and so hinder amplification attacks.

“NTP reflection/amplification attacks have been seen in the wild for the last 6-7 years,” he said. “This technique has been used recently in high-profile attacks on gaming networks, attacks which have affected a substantial consumer base of these gaming networks, so it’s been receiving attention in the industry space, that’s the main difference. But network operational security specialists have been dealing with these attacks for quite some time.”

“As is always the case, effective DDoS methodologies and techniques tend to move down-market over time from more sophisticated attackers to commodification and use by the broader base of less sophisticated attackers,” he added. “This is the case with the recent spate of high-profile NTP reflection/amplification attacks, for example — they’ve been used for years by more sophisticated attackers, and have now moved down-market in terms of being utilized by less technically-sophisticated attackers.”

*This story has been updated.

Written By

Marketing professional with a background in journalism and a focus on IT security.