Information Security News mailing list archives

Attackers Wage Network Time Protocol-Based DDoS Attacks


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 31 Dec 2013 10:07:51 +0000 (UTC)

http://www.darkreading.com/attacks-breaches/attackers-wage-network-time-protocol-bas/240165063

By Kelly Jackson Higgins
Dark Reading
December 30, 2013

Attackers have begun exploiting an oft-forgotten network protocol in a new spin on distributed denial-of-service (DDoS) attacks, as researchers spotted a spike in so-called NTP reflection attacks this month.

The Network Time Protocol, or NTP, syncs time between machines on the network, and runs over port 123 UDP. It's typically configured once by network administrators and often is not updated, according to Symantec, which discovered a major jump in attacks via the protocol over the past few weeks.

"NTP is one of those set-it-and-forget-it protocols that is configured once and most network administrators don't worry about it after that. Unfortunately, that means it is also not a service that is upgraded often, leaving it vulnerable to these reflection attacks," says Allan Liska, a Symantec researcher, in a blog post last week.

Attackers appear to be employing NTP for DDoSing in much the same way DNS is being abused in such attacks. They transmit small spoofed packets requesting that a large amount of data be sent to the DDoS target's IP address. According to Symantec, it's all about abusing the so-called "monlist" command in an older version of NTP. Monlist returns a list of the last 600 hosts that have connected to the server. "For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic," Liska explains in the post.

[...]



--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/
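
A defender-side look at the monlist traffic the article describes, as an added example that is not part of the original post or of Symantec's write-up: it recognises NTP mode 7 monlist requests and responses in UDP/123 payloads and measures the response-to-request byte ratio at a server. The header layout and request codes follow ntpd's mode 7 format; every payload below is constructed for the example (a full 600-entry reply modelled as 100 packets of six 72-byte entries), and the function names are hypothetical.

```python
import struct

MODE_PRIVATE = 7          # NTP mode 7 carries ntpdc-style private requests
MONLIST_CODES = {20, 42}  # MON_GETLIST and MON_GETLIST_1 request codes in ntpd

def parse_mode7(payload: bytes):
    """Return the mode 7 header fields of a UDP/123 payload, or None."""
    if len(payload) < 8:
        return None
    b0, _seq, _impl, code, err_items, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:      # low three bits are the NTP mode
        return None
    return {"response": bool(b0 & 0x80), "more": bool(b0 & 0x40), "code": code,
            "items": err_items & 0x0FFF, "item_size": mbz_size & 0x0FFF}

def is_monlist_request(payload: bytes) -> bool:
    h = parse_mode7(payload)
    return h is not None and not h["response"] and h["code"] in MONLIST_CODES

def is_monlist_response(payload: bytes) -> bool:
    h = parse_mode7(payload)
    return h is not None and h["response"] and h["code"] in MONLIST_CODES

def amplification(capture) -> float:
    """capture: (direction, payload) pairs seen at the server, 'in' or 'out'.
    Returns monlist response bytes divided by monlist request bytes."""
    req = sum(len(p) for d, p in capture if d == "in" and is_monlist_request(p))
    rsp = sum(len(p) for d, p in capture if d == "out" and is_monlist_response(p))
    return rsp / req if req else 0.0

# --- Constructed sample payloads (not captured traffic) ---
REQUEST = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)   # VN 2, mode 7, code 42
CLIENT_POLL = bytes([0x23]) + bytes(47)                # ordinary mode 3 time query

def _response(seq: int, more: bool) -> bytes:
    b0 = 0x97 | (0x40 if more else 0)                  # response bit set, mode 7
    return struct.pack("!BBBBHH", b0, seq, 3, 42, 6, 72) + bytes(6 * 72)

CAPTURE = [("in", CLIENT_POLL), ("in", REQUEST)]
CAPTURE += [("out", _response(i, i < 99)) for i in range(100)]

if __name__ == "__main__":
    flagged = [p for d, p in CAPTURE if d == "in" and is_monlist_request(p)]
    print(f"monlist requests seen: {len(flagged)}")
    print(f"payload amplification: {amplification(CAPTURE):.0f}x")
```

Run against payloads extracted from a server's own UDP/123 traffic, any non-zero count of monlist requests from outside the management network means the server still answers the query and can be used as a reflector.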

