oss-sec mailing list archives
Re: Re: CVE to the ntp monlist DDoS issue?
From: Moritz Muehlenhoff <jmm () debian org>
Date: Thu, 2 Jan 2014 18:36:07 +0100
On Mon, Dec 30, 2013 at 11:40:37PM +0100, Florian Weimer wrote:
* Moritz Muehlenhoff:On Mon, Dec 30, 2013 at 09:05:56AM -0500, cve-assign () mitre org wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1Has anyone thought about assigning a CVE to this?http://bugs.ntp.org/show_bug.cgi?id=1532 was assigned CVE-2013-5211.Shouldn't this rather be CVE-2010-XXXX ?I don't think this was previously discussed as a security issue in public. There is a 2011 reference here that explicitly cites amplification factors, though: <http://lists.ntp.org/pipermail/pool/2011-December/005616.html> This has an odd feeling of déjà vu to me, but I suspect the previous discusssions have been on private channels of which I no longer have records.
This blog posting from 2010 already describes the attack: https://www.securepla.net/using-ntp-to-enumerate-client-ips/ | ADDITIONAL ATTACKS | HD Moore also discussed that he had figured out a way to DDoS a | system using NTP with very minimal requests. Although he has not | released data on this type of DDoS, we put our heads together here | on what the attack could be. When you make a monlist request, you | send 1 udp packet to the NTP server and 600+ responses are returned. | We think that using this request against all the NTP servers and | peers, you could send hundreds of thousands of UDP packets to a | victim with minimal request packets. By spoofing the source address | and requesting monlists repetitively, all responses from those NTP | servers will be forwarded to the victim. Cheers, Moritz
Current thread:
- Re: Re: CVE to the ntp monlist DDoS issue? Moritz Muehlenhoff (Jan 02)