
The monlist command should not be publicly available in the first place. Yes, it can be disabled in the config file, which it should have been set to in the first place.
Security researchers have responded to recent denial of service attacks against gaming websites and service providers that rely on insecure Network Time Protocol servers by drawing up a list of vulnerable systems. Network Time Protocol (NTP) offers a means of synchronising clocks over a computer network. Features of the simple …
drop NTP on your border
Really?
The NTP protocol works better (more robust, more accurate) the more individual servers participate. As long as you are fully patched, running a public NTP server (or joining pool.ntp.org) is good karma and a polite thing to do.
No need to throw the baby out with the bath water.
It's already being used. I know someone who got a snooty email from a university, saying their IDS had caught him using an "SNMP scanner" - turned out their printers were involved in DDoS'ing him. He did a packet capture and a VERY high number of switches, routers, wifi access points etc. were attacking him, presumably because they were using the default community names
Yes I reckon it'll be SNMP's turn sooner or later.
How many hosts/appliances are out there on the 'net with their SNMP port listening without authentication, with its community string still set to the standard default of 'PUBLIC'?
Not mine, that's for sure. Any of my boxes/routers/switches which actually need SNMP switched on have authentication switched on and use a custom community string.
Just checked my servers and it seems the default config provided for ntpd by Debian is already safe as it includes the lines:
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
where the advisory advises adding 'noquery' to prevent the attack
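As an added example (not something any poster in this thread wrote): a small POSIX sh audit that reads an ntp.conf, picks out the "restrict default" entries quoted above, and flags any that lack noquery or a config that has no such entry at all. The three sample config files it writes to a temp directory are constructed for the demonstration; point ntp_restrict_check at your own /etc/ntp.conf to check a real host.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an ntp.conf for the
# "restrict [-4|-6] default ..." lines and reports whether each carries
# noquery, the flag the advisory says blocks monlist amplification.

# ntp_restrict_check FILE
# Prints one verdict line; returns 0 only when every "restrict default"
# entry (v4 and v6) carries noquery. A config with no "restrict default"
# line at all is reported as unsafe, since ntpd then answers anyone.
ntp_restrict_check() {
    file=$1
    # strip comments, keep lines whose restrict target is "default"
    entries=$(sed 's/#.*//' "$file" |
        grep -E '^[[:space:]]*restrict([[:space:]]+-[46])?[[:space:]]+default([[:space:]]|$)' || true)
    total=$(printf '%s\n' "$entries" | grep -c 'restrict' || true)
    safe=$(printf '%s\n' "$entries" | grep -cE '(^|[[:space:]])noquery([[:space:]]|$)' || true)
    if [ "$total" -eq 0 ]; then
        echo "UNSAFE: $file: no 'restrict default' line at all"
        return 1
    elif [ "$safe" -ne "$total" ]; then
        echo "UNSAFE: $file: $((total - safe)) of $total 'restrict default' entries lack noquery"
        return 1
    else
        echo "OK: $file: all $total 'restrict default' entries carry noquery"
        return 0
    fi
}

# Constructed sample configs (not real hosts' files) written to a temp dir.
SAMPLE_DIR=$(mktemp -d)

# the Debian default quoted above
cat > "$SAMPLE_DIR/debian-default.conf" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
EOF

# noquery dropped from the v4 line, the situation one poster described
cat > "$SAMPLE_DIR/noquery-removed.conf" <<'EOF'
restrict -4 default kod notrap nomodify nopeer   # noquery missing here
restrict -6 default kod notrap nomodify nopeer noquery
EOF

# no restrict default line whatsoever
cat > "$SAMPLE_DIR/no-restrict.conf" <<'EOF'
server 0.pool.ntp.org iburst
restrict 127.0.0.1
EOF

for f in "$SAMPLE_DIR"/*.conf; do
    ntp_restrict_check "$f" || :
done
```

The check looks at the restrict lines only; it does not notice a "disable monitor" statement, which is the ntpd option that switches the monlist facility off outright regardless of restrict flags, so a config relying on that alone will show as UNSAFE here and needs a manual look.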
First I knew about this issue was when one of our boxes suddenly started using something like 4 times our ISP bandwidth commit ... which is an expensive way to learn about a flaw in a common service.
In the end I had to get the ISP to black hole the IP address of our box on their boundary routers, because even with the NTP service shut down, the volume of incoming traffic attempting to mis-use the box was still double our transit commit - which I can't afford.
Fortunately we can temporarily live with this, as services on secondary hosts make up for the out of action primary box.
Will get the ISP to remove the NULL route later this week to see if the barrage has stopped... Am very interested to know who the target was - shame the affected box didn't have a packet capture device installed, otherwise I would have captured some of the traffic for later analysis before I got the NULL route set up.
Ditto - except we don't pay bandwidth charges, we just pay a flat rate for a fixed bandwidth.
Checked my work email first thing yesterday to find a flurry of alerts from our monitoring which was getting connection failures to various services. Looked at the traffic graphs to find one machine was generating 87Mbps of outbound traffic (limited by the 100Mbps port to the router) which was then being traffic shaped down to our 20Mbps outbound capacity. The result of course being that the rest of the outbound traffic would also have been slashed by something like 80%.
Interestingly, the attack stopped not long after I got into the office - or I might have figured out what it was. Couldn't resolve it remotely as I couldn't get a usable login from home.
Of course, had the usual situation of management hovering with that "is it fixed yet? … is it fixed yet? … is it …" attitude.
Interestingly, I see in the config that the original restrict lines did have the required noquery statement, but for some reason I must have removed that - no idea why :( Fixed now.
Anon for obvious reasons.
Mode 7 is/was a private/undefined mode for implementation defined queries. Windows Vista client added the ability to query the (Windows) ntp server for configuration information, which implies that server versions after 2003 R2 had some support for Mode 7 queries, but possibly only from authenticated/encrypted clients. I haven't found any definitive information.