back to article Don't be a DDoS dummy: Patch your NTP servers, plead infosec bods

Security researchers have responded to recent denial of service attacks against gaming websites and service providers that rely on insecure Network Time Protocol servers by drawing up a list of vulnerable systems. Network Time Protocol (NTP) offers a means of synchronising clocks over a computer network. Features of the simple …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    The monlist command should not be publicly available in the first place. Yes, it can be disabled in the config file, which it should have been set to in the first place.

  2. Ruairi

    BCP38 people - ask for it from your upstream provider.

    Also, for any of you running any networks - drop NTP on your border, drop ingress traffic with a source address of your address space at the border. Drop egress traffic that does not match your address space at your border.

    1. Dances With Sheep

      drop NTP on your border

      Really ?

      The NTP protocal works better (more robust, more acurate) the more individual servers participate. As long as you are fully patched, running a public NTP server (or joining is good karma and a polite thing to do.

      No need to throw the baby out with the bath water.

  3. An0n C0w4rd

    First openntpproject URL is wrong

    There used to be an article feedback link, but I can't find it anymore, so posting here

    The first link is wrong

    The HTML source shows:


    1. Pookietoo

      Re: First openntpproject URL is wrong

      There's a "Send Corrections" link at the top of this page.

  4. lupine

    was vulnerable

    but now i'm not.

    running an open NTP server on ubuntu server 12.04. it provides version 4.2.6.

    read about this a couple of weeks ago but thought i was running the latest version...plainly i was wrong.

    glad i had a peek at this today.

  5. Anonymous Coward
    Anonymous Coward

    DNS - check, NTP - check, what's next?

    Wonder which UDP-based protocol is next for amplification.

    1. Anonymous Coward
      Anonymous Coward

      Re: DNS - check, NTP - check, what's next?

      all of them ..... snmp could be fun to watch ...

      1. frymaster

        Re: DNS - check, NTP - check, what's next?

        It's already being used. I know someone who got a snooty email from a university, saying their IDS had caught him using an "SNMP scanner" - turned out their printers were involved in DDoS'ing him. He did a packet capture and a VERY high number of switches, routers, wifi access points etc. were attacking him, presumably because they were using the default community names

      2. Anonymous Coward
        Anonymous Coward

        Re: DNS - check, NTP - check, what's next?

        Yes I reckon it'll be SNMP's turn sooner or later.

        How many hosts/appliances are out there on the 'net with their SNMP port listening without authentication, with its community string still set to the standard default of 'PUBLIC' ?

        Not mine, thats for sure. Any of my boxes/routers/switches which actually need SNMP switched on have authentication switched on and use a custom community string.

  6. Lee D Silver badge

    Never heard of but I imagine really need to warn their server-hosts (of which I am one).

    I'm pretty sure that with noquery, though, you can't do this in the first place but I never use the monitor lists either, so better safe than sorry.

  7. Tim Brown 1

    Debian systems ok

    Just checked my servers and it seems the default config provided for ntpd by Debian is already safe as it includes the lines:

    restrict -4 default kod notrap nomodify nopeer noquery

    restrict -6 default kod notrap nomodify nopeer noquery

    where the advisory advises adding 'noquery' to prevent the attack

  8. Anonymous Coward
    Anonymous Coward

    We got spanked by this flaw!

    First I knew about this issue was when one of our boxes suddenly started using something like 4 times our ISP bandwidth commit ... which is an expensive way to learn about a flaw in a common service.

    In the end I had to get the ISP to black hole the IP address of our box on their boundary routers, because even with the NTP service shut down, the volume of incoming traffic attempting to mis-use the box was still double our transit commit - which I can't afford.

    Fortunately we can temporarily live with this, as services on secondary hosts make up for the out of action primary box.

    Will get the ISP to remove the NULL route later this week to see if the barrage has stopped... Am very interested to know who the target was - shame the affected box didn't have a packet capture device installed, otherwise I would have captured some of the traffic for later analysis before I got the NULL route set up.

    1. Anonymous Coward
      Anonymous Coward

      Re: We got spanked by this flaw!

      Ditto - except we don't pay bandwidth charges, we just pay a flat rate for a fixed bandwidth.

      Checked my work email first thing yesterday to find a flurry of alerts from our monitoring which was getting connection failures to various services. Looked at the traffic graphs to find one machine was generating 87Mbps of outbound traffic (limited by the 100Mbps port to the router) which was then being traffic shaped down to our 20Mbps outbound capacity. The result of course being that the rest of the outbound traffic would also have been slashed by something like 80%.

      Interestingly, the attack stopped not long after I got into the office - or I might have figured out what it was. Couldn't resolve it remotely as I couldn't get a usable login from home.

      Of course, had the usual situation of management hovering with that "is it fixed yet ? … is it fixed yet ? … is it …" attitude.

      Interestingly, I see in teh config that the original restrict lines did have the required noquery statement, but for some reason I must have removed that - no idea why :( Fixed now.

      Anon for obvious reasons.

  9. Anonymous Coward
    Anonymous Coward


    Mode 7 is/was a private/undefined mode for implementation defined queries. Windows Vista client added the ability to query the (Windows) ntp server for configuration information, which implies that server versions after 2003 R2 had some support for Mode 7 queries, but possibly only from authenticated/encrypted clients. I haven't found any definitive information.

This topic is closed for new posts.

Other stories you might like