Skip to Content.
Sympa Menu

perfsonar-announce - Information on NTP Amplification Attacks

Subject: perfsonar-announce

List archive

Information on NTP Amplification Attacks


Chronological Thread 
  • From: Jason Zurawski <>
  • To: "" <>, "" <>, perf-node-users Users <>, "" <>, perfsonar-announce <>, "" <>, " Club" <>, "" <>, Science DMZ List <>, "" <>
  • Cc: "" <>
  • Subject: Information on NTP Amplification Attacks
  • Date: Thu, 9 Jan 2014 10:05:59 -0500

Greetings;

Apologies if you receive duplication of this notice.

Some of you may be aware of a recently highlighted risk of NTP amplification
(http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks),
and in some cases others may have already had a host that was used in an
attack. A sample notice received may look something like this:

> You are running a public NTP server that participated a very large-scale
> attack against a customer of ours today, generating UDP responses to
> spoofed requests with bogus timestamps that claimed to be from the attack
> target. Your server was particularly active in the attack, sending a
> significant percentage of the attack traffic we saw.
>
> Please consider reconfiguring your NTP server in one of these ways:
>
> - To only serve your customers and not respond to outside IP addresses. If
> your NTP server runs as a standalone installation, setting the service to
> ignore all queries would work well for this. With ntpd, that can be done
> with "restrict default ignore" in /etc/ntp.conf; other servers should have
> a similar configuration option. A firewall rule to block UDP to the public
> IP address on port 123 would also work for this.
> - To rate-limit responses to individual source IP addresses
> - To limit queries to TCP-only
> - To ignore particularly unlikely queries, such as those representing dates
> far in the future or past
> - To limit the size of allowed responses


For those that are running perfSONAR Performance Toolkit software, the
development team will have an updated version out this month to restrict the
NTP daemon to local queries by default. In the meantime, it is possible to
make manual modifications to the local /'etc/ntp.conf' file to accomplish the
same goal:

> # by default act only as a basic NTP client
> restrict -4 default nomodify nopeer noquery notrap
> restrict -6 default nomodify nopeer noquery notrap
> # allow NTP messages from the loopback address, useful for debugging
> restrict 127.0.0.1
> restrict ::1

Additional restrict lines can be added to allow trusted subnets, e.g.:

> restrict a.b.c.d mask 255.255.0.0 nomodify notrap nopeer


More information on protection for hosts (and routing devices) can be found
here:

http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html

Please relay any questions as they come up.

Thanks;

-jason



  • Information on NTP Amplification Attacks, Jason Zurawski, 01/09/2014

Archive powered by MHonArc 2.6.16.

Top of Page