Skip to Content.
Sympa Menu

perfsonar-announce - Re: Information on NTP Amplification Attacks

Subject: perfSONAR Announcements

List archive

Re: Information on NTP Amplification Attacks


Chronological Thread 
  • From: Jason Zurawski <>
  • To: "" <>, "" <>, perf-node-users Users <>, "" <>, perfsonar-announce <>, "" <>, " Club" <>, "" <>, Science DMZ List <>, "" <>
  • Cc: "" <>
  • Subject: Re: Information on NTP Amplification Attacks
  • Date: Tue, 11 Feb 2014 08:36:37 -0500

Greetings;

As a followup to this issue, we would like to remind all users of older pSPT
installations (e.g. 3.3.1 and below) that the latest version of the software
is available, and has automatic fixes to address the concerns with NTP. We
would strongly encourage everyone to upgrade as soon as possible, as the
publicity surrounding this vulnerability is still resulting in attacks within
the community.

Thanks, and feel free to pass along any questions you might have to
.


-jason

On Jan 9, 2014, at 10:05 AM, Jason Zurawski
<>
wrote:

> Greetings;
>
> Apologies if you receive duplication of this notice.
>
> Some of you may be aware of a recently highlighted risk of NTP
> amplification
> (http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks),
> and in some cases others may have already had a host that was used in an
> attack. A sample notice received may look something like this:
>
>> You are running a public NTP server that participated a very large-scale
>> attack against a customer of ours today, generating UDP responses to
>> spoofed requests with bogus timestamps that claimed to be from the attack
>> target. Your server was particularly active in the attack, sending a
>> significant percentage of the attack traffic we saw.
>>
>> Please consider reconfiguring your NTP server in one of these ways:
>>
>> - To only serve your customers and not respond to outside IP addresses. If
>> your NTP server runs as a standalone installation, setting the service to
>> ignore all queries would work well for this. With ntpd, that can be done
>> with "restrict default ignore" in /etc/ntp.conf; other servers should have
>> a similar configuration option. A firewall rule to block UDP to the public
>> IP address on port 123 would also work for this.
>> - To rate-limit responses to individual source IP addresses
>> - To limit queries to TCP-only
>> - To ignore particularly unlikely queries, such as those representing
>> dates far in the future or past
>> - To limit the size of allowed responses
>
>
> For those that are running perfSONAR Performance Toolkit software, the
> development team will have an updated version out this month to restrict
> the NTP daemon to local queries by default. In the meantime, it is
> possible to make manual modifications to the local /'etc/ntp.conf' file to
> accomplish the same goal:
>
>> # by default act only as a basic NTP client
>> restrict -4 default nomodify nopeer noquery notrap
>> restrict -6 default nomodify nopeer noquery notrap
>> # allow NTP messages from the loopback address, useful for debugging
>> restrict 127.0.0.1
>> restrict ::1
>
> Additional restrict lines can be added to allow trusted subnets, e.g.:
>
>> restrict a.b.c.d mask 255.255.0.0 nomodify notrap nopeer
>
>
> More information on protection for hosts (and routing devices) can be found
> here:
>
> http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
>
> Please relay any questions as they come up.
>
> Thanks;
>
> -jason



Archive powered by MHonArc 2.6.16.

Top of Page