Increase in NTP Reflection Attacks

Friday, February 21, 2014 @ 01:02 PM gHale


There has been an increase in denial-of-service (DoS) attacks using Network Time Protocol (NTP) reflection, according to an advisory from ICS-CERT.

This type of attack lets an attacker generate high-volume distributed denial-of-service (DDoS) traffic against target web sites or public-facing devices, disrupting the services they provide. Because the reflecting NTP servers answer a small query with a much larger response, the attacker's own bandwidth is multiplied many times over before it reaches the victim.


This vulnerability is remotely exploitable and attack tools for it are publicly available. Mitigations exist both for operators of NTP stratum servers (the reflectors) and for the potential victims of these attacks.

Products running the reference NTP daemon at version NTP-4.2.7p25 and prior with MONLIST support enabled suffer from the issue. No specific vendor is the focus of this issue because the reference implementation is open source and ships in a wide range of operating systems and embedded devices.

Exploitation of this vulnerability turns NTP stratum servers into sources of large, unrequested NTP responses directed at the victim in a DoS attack. The request being abused is the "monlist" command, a Mode 7 (private) query that returns a list of the last clients the server has talked to; it is not a time synchronization request, but it travels on the same UDP port 123. Victims of this type of DoS attack could see service interruption when their boundary protection rules do not filter NTP traffic that was not solicited from inside the network.

NTP, first specified in RFC 958 and now at version 4 (RFC 5905), is an open, vendor-neutral protocol that synchronizes system clocks over a network.

Because NTP runs over UDP, the service accepts queries carrying a forged source IP address and sends its responses to that forged address rather than to the real sender. A single 8-byte monlist query can return up to 600 client records, spread across up to 100 response packets, so the target receives far more data than the attacker sent. An attacker exploits this by sending a stream of monlist queries, each with the source address forged to be the target, to many open NTP servers at once.

It will not be evident to the NTP operator that the server is being used in a DoS attack, because the queries arrive on the normal NTP port alongside legitimate time synchronization traffic and the server has no way to tell that the source address is forged.
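The following probe, written for this article and not taken from ICS-CERT or the ntp.org project, builds the same Mode 7 monlist query an attacker would send and measures how much data a server returns for it. Operators can run it against their own stratum servers (only hosts you are authorised to test) to confirm whether the reflector is still usable; the packet layout follows the ntpd private-mode header (implementation 3, request code 42, 72-byte monitor entries). The `build_sample_reply` helper constructs a reply of the shape a vulnerable ntpd emits, for offline checking only.

```python
"""Probe an NTP server for MONLIST amplification (CVE-2013-5211).

Added example. Only test hosts you own or are authorised to test.
"""
import socket
import struct

# ntpdc "monlist" is a Mode 7 (private) request, not a time-sync packet:
#   byte 0: response=0, more=0, version=2, mode=7  -> 0x17
#   byte 1: auth=0, sequence=0
#   byte 2: implementation 3 (IMPL_XNTPD)
#   byte 3: request code 42 (REQ_MON_GETLIST_1)
#   bytes 4-7: err/nitems and mbz/size, all zero in a request
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])
MONLIST_ENTRY_SIZE = 72  # sizeof(struct info_monitor_1) in ntpd


def parse_mode7_header(pkt: bytes) -> dict:
    """Decode the 8-byte Mode 7 header shared by requests and responses."""
    if len(pkt) < 8:
        raise ValueError("packet shorter than Mode 7 header")
    b0, b1, impl, reqcode, err_nitems, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    return {
        "response": bool(b0 & 0x80),
        "more": bool(b0 & 0x40),          # set when further fragments follow
        "version": (b0 >> 3) & 0x07,
        "mode": b0 & 0x07,
        "sequence": b1 & 0x7F,
        "implementation": impl,
        "request_code": reqcode,
        "error": err_nitems >> 12,        # 4-bit error code, 0 = success
        "nitems": err_nitems & 0x0FFF,    # entries carried in this packet
        "item_size": mbz_size & 0x0FFF,
    }


def is_monlist_reply(pkt: bytes) -> bool:
    """True for a successful Mode 7 reply to request code 42."""
    h = parse_mode7_header(pkt)
    return h["response"] and h["mode"] == 7 and h["request_code"] == 0x2A and h["error"] == 0


def amplification_factor(request: bytes, replies: list) -> float:
    """UDP payload bytes returned per payload byte sent (IP/UDP headers not counted)."""
    return sum(len(r) for r in replies) / len(request)


def probe(host: str, port: int = 123, timeout: float = 2.0) -> dict:
    """Send one monlist query and collect every reply fragment.

    A server that has removed MONLIST (4.2.7p26 or later) or disabled
    the monitor with 'disable monitor' / 'noquery' returns no entries.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(MONLIST_REQUEST, (host, port))
        while True:
            data, _ = sock.recvfrom(2048)
            if is_monlist_reply(data):
                replies.append(data)
                if not parse_mode7_header(data)["more"]:
                    break
    except socket.timeout:
        pass
    finally:
        sock.close()
    entries = sum(parse_mode7_header(r)["nitems"] for r in replies)
    return {
        "reflector": entries > 0,
        "entries": entries,
        "packets": len(replies),
        "amplification": amplification_factor(MONLIST_REQUEST, replies),
    }


def build_sample_reply(nitems: int, more: bool) -> bytes:
    """Constructed test data: a reply of the shape a vulnerable ntpd emits."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
    header = struct.pack("!BBBBHH", b0, 0, 3, 0x2A, nitems, MONLIST_ENTRY_SIZE)
    return header + b"\x00" * (nitems * MONLIST_ENTRY_SIZE)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it as `python3 ntp_monlist_probe.py <server>`; a full monitor table (600 entries in 100 packets of 440 bytes) yields a payload amplification of 5500 for an 8-byte query, which is why a handful of such servers suffice to saturate a victim's link. The probe sends exactly one query and uses its own real source address, so it cannot itself be used to reflect traffic at a third party.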

CVE-2013-5211 is the identifier assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

Exploits that target this vulnerability are publicly available, and an attacker with low skill would be able to use them.

Users can upgrade to NTP-4.2.7p26 or later, which removes MONLIST support and replaces it with the safer MRULIST function. This fix has been available since 2010. Where an upgrade is not immediately possible, the same exposure can be closed in the existing configuration by adding "disable monitor" to ntp.conf, or by restricting Mode 6 and Mode 7 queries with "restrict default noquery" (with matching restrict lines for the hosts that legitimately need them); after either change, confirm that the server no longer answers monlist queries from outside.

In addition, integrators and asset owners should review boundary protection rule sets and filters to drop incoming NTP requests that do not originate internally, and network operators should filter outbound packets with spoofed source addresses so their networks cannot be used to launch the forged queries in the first place.


