Re: Re: CVE to the ntp monlist DDoS issue?

[Moritz Muehlenhoff <jmm () debian org>]

On Mon, Dec 30, 2013 at 11:40:37PM +0100, Florian Weimer wrote:
> * Moritz Muehlenhoff:
>
> > On Mon, Dec 30, 2013 at 09:05:56AM -0500, cve-assign () mitre org wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > > Has anyone thought about assigning a CVE to this?
> > >
> > > http://bugs.ntp.org/show_bug.cgi?id=1532 was assigned CVE-2013-5211.
> >
> > Shouldn't this rather be CVE-2010-XXXX ?
>
> I don't think this was previously discussed as a security issue in
> public.  There is a 2011 reference here that explicitly cites
> amplification factors, though:
>
> <http://lists.ntp.org/pipermail/pool/2011-December/005616.html>
>
> This has an odd feeling of déjà vu to me, but I suspect the previous
> discusssions have been on private channels of which I no longer have
> records.

This blog posting from 2010 already describes the attack:
https://www.securepla.net/using-ntp-to-enumerate-client-ips/

| ADDITIONAL ATTACKS
| HD Moore also discussed that he had figured out a way to DDoS a
| system using NTP with very minimal requests.  Although he has not
| released data on this type of DDoS, we put our heads together here
| on what the attack could be.  When you make a monlist request, you
| send 1 udp packet to the NTP server and 600+ responses are returned.
| We think that using this request against all the NTP servers and
| peers, you could send hundreds of thousands of UDP packets to a
| victim with minimal request packets.  By spoofing the source address
| and requesting monlists repetitively, all responses from those NTP
| servers will be forwarded to the victim.

Cheers,
        Moritz