jared at puck.nether.net
Mon Jan 13 21:07:28 UTC 2014
With the recent increase in NTP attacks, I wanted to advise the community of a few things:
There are about 1.2-1.5 million of these servers out there.
1) You can search your IP space to find NTP servers that respond to the ‘MONLIST’ queries.
2) I’ve found some vendors have old embedded versions of NTP including ILO/Service Processors and other parts of the “internet of things”.
3) You want to upgrade NTP, or adjust your ntp.conf to include ‘limited’ or ‘restrict’ lines or both. (I defer to someone else to be an expert in this area, but am willing to learn :) )
4) Please prevent packet spoofing where possible on your network. This will limit the impact of spoofed NTP or DNS (amongst others) packets from impacting the broader community.
5) Some vendors don’t have an easy way to alter the ntp configuration, or have not or won’t be updating NTP, you may need to use ACLs, firewall filters, or other methods to block this traffic. I’ve heard of many routers being used in attacks impacting the CPU usage.
Take a moment and see if your devices respond to the following query/queries:
ntpdc -n -c monlist 10.0.0.1
ntpdc -n -c loopinfo 10.0.0.1
ntpdc -n -c iostats 10.0.0.1
6) If you do VMs/Servers and have a template, please make sure that they do not respond to NTP requests.
More information about the NANOG