CERT mailing list archives

TA14-013A: NTP Amplification Attacks Using CVE-2013-5211


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Tue, 14 Jan 2014 09:06:42 -0600

NCCIC / US-CERT

National Cyber Awareness System:

TA14-013A: NTP Amplification Attacks Using CVE-2013-5211 [ https://www.us-cert.gov/ncas/alerts/TA14-013A ] 01/13/2014 05:51 PM EST
Original release date: January 13, 2014 | Last revised: January 14, 2014

Systems Affected

NTP servers

Overview

A Network Time Protocol (NTP) Amplification attack is an emerging form of Distributed Denial of Service (DDoS) that 
relies on the use of publicly accessible NTP servers to overwhelm a victim system with UDP traffic.

Description

The NTP service includes a monitoring facility that allows administrators to query the server for traffic counts of 
connected clients. This information is provided via the "monlist" command. The basic attack technique consists of an 
attacker sending a "get monlist" request to a vulnerable NTP server, with the source address spoofed to be the victim's 
address.

Impact

The attack relies on the exploitation of the 'monlist' feature of NTP, as described in CVE-2013-5211, which is enabled 
by default on older NTP-capable devices. This command causes a list of the last 600 IP addresses which connected to the 
NTP server to be sent to the victim. Due to the spoofed source address, when the NTP server sends the response it is 
sent instead to the victim. Because the size of the response is typically considerably larger than the request, the 
attacker is able to amplify the volume of traffic directed at the victim. Additionally, because the responses are 
legitimate data coming from valid servers, it is especially difficult to block these types of attacks. The solution is 
to disable "monlist" within the NTP server or to upgrade to the latest version of NTP (4.2.7), which disables the 
"monlist" functionality.

Solution

*Detection*

On a UNIX platform, the "ntpdc" command will query existing NTP servers for monitoring data. If the system is 
vulnerable to exploitation, it will respond to the "monlist" command in interactive mode. By default, most modern UNIX 
and Linux distributions allow this command to be used from localhost, but not from a remote host. To test for monlist 
support, start ntpdc against the server and then enter "monlist" at its interactive prompt:

/usr/sbin/ntpdc <remote server>
monlist

Additionally, the "ntp-monlist" script is available for Nmap, which will automatically display the results of the 
monlist command. If the system does not support the monitor query, and is therefore not vulnerable to this attack type, 
Nmap will return an error type 4 (No Data Available) or no reply at all.

*Recommended Course of Action*

As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to 
upgrade all versions of ntpd that are publicly accessible to at least 4.2.7. However, in cases where it is not 
possible to upgrade the version of the service, it is possible to disable the monitor functionality in earlier versions 
of the software.

To disable “monlist” functionality on a public-facing NTP server that cannot be updated to 4.2.7, add the “noquery” 
directive to the “restrict default” line in the system’s ntp.conf, as shown below:

restrict default kod nomodify notrap nopeer noquery

restrict -6 default kod nomodify notrap nopeer noquery
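
To verify this mitigation across many servers, the following added example (not part of the US-CERT alert) reads an ntp.conf, reports whether the default restriction for each address family still answers monlist queries, and prints the corrected "restrict default" lines. It assumes the advisory's two-line form (a bare "restrict default" is treated as IPv4 only) and also accepts "ignore" or a "disable monitor" directive as blocking; the sample configuration is constructed.

```python
# Either flag on a 'restrict default' line blocks monlist for that address family.
BLOCKING_FLAGS = {"noquery", "ignore"}   # noquery: refuse queries; ignore: drop all

def _tokens(conf_text):
    """Yield the whitespace-split tokens of each ntp.conf line, comments removed."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield tokens

def _restrict_defaults(conf_text):
    """Yield (family, flags) per 'restrict [-4|-6] default ...' line. Assumption,
    matching the advisory's two-line fix: a bare 'restrict default' is IPv4 only."""
    for tokens in _tokens(conf_text):
        if tokens[0] != "restrict" or len(tokens) < 2:
            continue
        family, rest = "ipv4", tokens[1:]
        if rest[0] in ("-4", "-6"):
            family, rest = ("ipv6" if rest[0] == "-6" else "ipv4"), rest[1:]
        if rest and rest[0] == "default":
            yield family, rest[1:]

def monlist_exposure(conf_text):
    """Return {'ipv4': bool, 'ipv6': bool}; True means monlist is still reachable.
    No 'restrict default' line means ntpd answers everyone (exposed);
    'disable monitor' turns the monitoring facility off for both families."""
    if any(t[0] == "disable" and "monitor" in t for t in _tokens(conf_text)):
        return {"ipv4": False, "ipv6": False}
    exposed = {"ipv4": True, "ipv6": True}
    for family, flags in _restrict_defaults(conf_text):
        if BLOCKING_FLAGS & set(flags):
            exposed[family] = False
    return exposed

def hardened_default_lines(conf_text):
    """The two 'restrict default' lines as they should read: existing flags kept
    in order, 'noquery' appended unless already blocked, advisory's line if absent."""
    current = dict(_restrict_defaults(conf_text))
    fixed = []
    for family, prefix in (("ipv4", "restrict default"), ("ipv6", "restrict -6 default")):
        flags = current.get(family, ["kod", "nomodify", "notrap", "nopeer"])
        if not BLOCKING_FLAGS & set(flags):
            flags = flags + ["noquery"]
        fixed.append(" ".join([prefix] + flags))
    return fixed

# Constructed sample: a pre-4.2.7 style ntp.conf that leaves monlist open.
WEAK_CONF = """\
restrict default kod nomodify notrap nopeer   # no noquery: monlist answers
restrict 127.0.0.1
server 0.pool.ntp.org
"""
print(monlist_exposure(WEAK_CONF), *hardened_default_lines(WEAK_CONF), sep="\n")  # {'ipv4': True, 'ipv6': True}, then both fixed lines
```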

References

  * Vulnerability Summary for CVE-2013-5211 [ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211 ] 
  * NTP Software Downloads [ http://www.ntp.org/downloads.html ] 
  * ntp-monlist NSE Script [ http://nmap.org/nsedoc/scripts/ntp-monlist.html ] 

Revision History

  * January 13, 2014 - Initial Release 