Re: OpenNTPProject.org

[Derek Andrew <Derek.Andrew () usask ca>]

nmap -sU -pU:123 -Pn -n --script=ntp-monlist serverIP




On Mon, Jan 13, 2014 at 3:07 PM, Jared Mauch <jared () puck nether net> wrote:

> Greetings,
>
> With the recent increase in NTP attacks, I wanted to advise the community
> of a few things:
>
> There are about 1.2-1.5 million of these servers out there.
>
> 1) You can search your IP space to find NTP servers that respond to the
> ‘MONLIST’ queries.
>
> 2) I’ve found some vendors have old embedded versions of NTP including
> ILO/Service Processors and other parts of the “internet of things”.
>
> 3) You want to upgrade NTP, or adjust your ntp.conf to include ‘limited’
> or ‘restrict’ lines or both.  (I defer to someone else to be an expert in
> this area, but am willing to learn :) )
>
> 4) Please prevent packet spoofing where possible on your network.  This
> will limit the impact of spoofed NTP or DNS (amongst others) packets from
> impacting the broader community.
>
> 5) Some vendors don’t have an easy way to alter the ntp configuration, or
> have not or won’t be updating NTP, you may need to use ACLs, firewall
> filters, or other methods to block this traffic.  I’ve heard of many
> routers being used in attacks impacting the CPU usage.
>
> Take a moment and see if your devices respond to the following
> query/queries:
>
> ntpdc -n -c monlist 10.0.0.1
> ntpdc -n -c loopinfo 10.0.0.1
> ntpdc -n -c iostats 10.0.0.1
>
> 6) If you do VMs/Servers and have a template, please make sure that they
> do not respond to NTP requests.
>
> Thanks!
>
> - Jared



-- 
Copyright 2014 Derek Andrew (excluding quotations)

+1 306 966 4808
Information and Communications Technology
University of Saskatchewan
Peterson 120; 54 Innovation Boulevard
Saskatoon,Saskatchewan,Canada. S7N 2V3
Timezone GMT-6

Typed but not read.