http://www.kb.cert.org/vuls/id/348126
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211
https://www.us-cert.gov/ncas/current-activity/2014/01/10/Network-Time-Protocol-NTP-Amplification-Attacks
https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300
If there is no need for the system to be a public NTP server, then configure it to act as a client only. Good documentation can be found here:
https://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
To test if the server is vulnerable you can run:
ntpdc -n -c monlist unixhosts.us
If you receive any output such as this, your server is vulnerable:
remote address   port  local address                  count m ver rstr avgint lstint
===============================================================================
2604:3e00:2:2::5 55949 2600:3c02::f03c:91ff:fe93:8906    11 7   2  590     28      0
172.56.29.211    44636 173.230.136.108                    1 3   3  590      0      1
172.56.28.4      40338 173.230.136.108                    1 3   3  590      0      1
208.54.90.242    10481 173.230.136.108                    2 3   3  590      9      1
208.54.90.218    38450 173.230.136.108                    1 3   3  590      0      2
208.54.90.249    22476 173.230.136.108                    1 3   3  590      0      2
172.56.29.189    59132 173.230.136.108                    1 3   3  590      0      2
172.56.29.237    44774 173.230.136.108                    1 3   3  590      0      4
172.56.28.175    38340 173.230.136.108                    1 3   3  590      0      5
172.56.28.10     21008 173.230.136.108                    1 3   3  590      0      5
23.23.43.31        123 173.230.136.108                   10 3   4  590   1065      6
208.54.90.187    37950 173.230.136.108                    1 3   3  590      0      7
172.56.29.28     23414 173.230.136.108                    2 3   3  590     26      7
95.94.128.234    53738 173.230.136.108                    4 3   4  590      0      8
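The ntpdc output above shows who the server is leaking, but not how much traffic the leak is worth to an attacker. The script below is an added example (not part of the original post and not ntpd's or ntpdc's own code): it sends the same mode 7 REQ_MON_GETLIST_1 datagram that ntpdc -c monlist sends, parses the 72-byte info_monitor_1 items in every reply, and reports bytes received per byte sent, which is the amplification figure. The packet layout follows ntpd's ntp_request.h; SAMPLE_RESPONSE is a constructed reply modelled on two rows of the output above, not a capture, and the host name on the command line is whatever you pass in.

```python
import socket
import struct
import sys

# Mode 7 ("private") request for REQ_MON_GETLIST_1, the datagram ntpdc -c
# monlist sends: version 2 | mode 7 (0x17), auth/sequence 0, implementation 3
# (IMPL_XNTPD), request code 42 (0x2a), then err/nitems and mbz/itemsize = 0.
MONLIST_REQUEST = bytes.fromhex("1700032a00000000")
REQ_MON_GETLIST_1 = 0x2A
MON_ITEM_SIZE = 72              # sizeof(struct info_monitor_1) in ntp_request.h
ITEM_FMT = "!IIIIIIIHBBII"      # first 40 bytes of info_monitor_1 (addr6 follows)


def parse_mode7_response(packet):
    """Parse one mode 7 response datagram into (more, entries).

    more is the 'more packets follow' bit of the header; entries is a list of
    (client_address, client_port, packet_count), one per monitor item.
    """
    if len(packet) < 8:
        raise ValueError("short mode 7 header")
    rm_vn_mode, _seq, _impl, req, err_nitems, mbz_size = struct.unpack(
        "!BBBBHH", packet[:8])
    if rm_vn_mode & 0x07 != 7 or not rm_vn_mode & 0x80:
        raise ValueError("not a mode 7 response")
    err, nitems = err_nitems >> 12, err_nitems & 0x0FFF
    itemsize = mbz_size & 0x0FFF
    if err:
        raise ValueError("server returned mode 7 error %d" % err)
    if req != REQ_MON_GETLIST_1 or itemsize != MON_ITEM_SIZE:
        raise ValueError("unexpected request %d / item size %d" % (req, itemsize))
    entries = []
    for i in range(nitems):
        item = packet[8 + i * itemsize:8 + (i + 1) * itemsize]
        if len(item) < itemsize:
            break                                  # truncated datagram
        # lasttime, firsttime, lastdrop, count, addr, daddr, flags, port,
        # mode, version, v6_flag, unused1; addr6 sits at offset 40..56
        (_, _, _, count, addr4, _, _, port, _, _, v6_flag, _) = struct.unpack(
            ITEM_FMT, item[:40])
        if v6_flag:
            host = socket.inet_ntop(socket.AF_INET6, item[40:56])
        else:
            host = socket.inet_ntoa(struct.pack("!I", addr4))
        entries.append((host, port, count))
    return bool(rm_vn_mode & 0x40), entries


def build_monitor_item(host, port, count):
    """Encode one info_monitor_1 item; used here only to construct a sample
    reply (a real ntpd fills these from its MRU list)."""
    if ":" in host:
        addr4, v6_flag, addr6 = 0, 1, socket.inet_pton(socket.AF_INET6, host)
    else:
        addr4 = struct.unpack("!I", socket.inet_aton(host))[0]
        v6_flag, addr6 = 0, bytes(16)
    head = struct.pack(ITEM_FMT, 0, 0, 0, count, addr4, 0, 0, port, 3, 3, v6_flag, 0)
    return head + addr6 + bytes(16)                # daddr6 left zero


def build_mode7_response(items, more=False):
    """Frame items as a mode 7 reply: response bit | version 2 | mode 7 = 0x97."""
    flags = 0x97 | (0x40 if more else 0)
    return struct.pack("!BBBBHH", flags, 0, 3, REQ_MON_GETLIST_1,
                       len(items), MON_ITEM_SIZE) + b"".join(items)


# Constructed sample reply (two MRU entries modelled on the ntpdc output
# above); not captured from a live host.
SAMPLE_RESPONSE = build_mode7_response([
    build_monitor_item("172.56.29.211", 44636, 1),
    build_monitor_item("2604:3e00:2:2::5", 55949, 11),
])


def probe_monlist(host, port=123, timeout=2.0):
    """Send one monlist request and collect every reply datagram.

    Returns (bytes_sent, bytes_received, entries). A hardened server answers
    nothing (timeout, no entries); an exposed one returns up to 600 entries
    spread over several datagrams, each 8 bytes of header plus 72 per entry.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    received, entries = 0, []
    try:
        sock.sendto(MONLIST_REQUEST, (host, port))
        while True:
            data, _ = sock.recvfrom(65535)
            received += len(data)
            more, items = parse_mode7_response(data)
            entries.extend(items)
            if not more:
                break
    except socket.timeout:
        pass
    finally:
        sock.close()
    return len(MONLIST_REQUEST), received, entries


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    sent, got, found = probe_monlist(target)
    if found:
        print("%s: monlist answered, %d entries, %d bytes back for %d sent (x%.0f)"
              % (target, len(found), got, sent, got / float(sent)))
    else:
        print("%s: no monlist data received (timed out or denied)" % target)
```

Run it as python3 probe.py unixhosts.us before and after the ntp.conf change; only test hosts you own or are authorised to test. With 8 bytes out and 8 + 72 bytes back per entry, a full list of 600 entries returns well over 5,000 bytes per request, which is why the reflected traffic dwarfs what the attacker sends.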
To stop ntpd answering monlist (and every other ntpdc/ntpq query, which is what noquery denies) from remote addresses, add the following lines to the /etc/ntp.conf file:
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
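The two restrict lines above are easy to get subtly wrong (a missing -6 line, a noquery dropped during an edit), so here is an added example, written for this page and not part of the original post or of ntpd, that audits an ntp.conf for monlist exposure. BEFORE and AFTER are constructed sample configs, not copied from any host: the first carries the stock flags without noquery, the second is the fixed version. The checker applies two facts about ntpd: a restrict default line without -4/-6 applies to both address families, and disable monitor turns the MRU list off, so monlist has nothing to return even when queries are still allowed. It treats ignore like noquery, since ignore denies everything, time service included.

```python
import re
import sys

# Constructed sample configs (not taken from any host). BEFORE answers
# monlist to the world; AFTER is the same file with noquery on both default
# lines. The localhost lines are what keep ntpq -p working on the box itself.
BEFORE = """\
driftfile /var/lib/ntp/ntp.drift
server 0.ubuntu.pool.ntp.org
restrict -4 default kod notrap nomodify nopeer
restrict -6 default kod notrap nomodify nopeer
restrict 127.0.0.1   # local ntpq/ntpdc still allowed
restrict ::1
"""

AFTER = """\
driftfile /var/lib/ntp/ntp.drift
server 0.ubuntu.pool.ntp.org
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""


def default_restrictions(conf_text):
    """Map '4', '6' or 'any' (no -4/-6 given, which ntpd applies to both
    families) to the flag set of that 'restrict ... default' line."""
    rules = {}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()        # drop trailing comments
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        family = "any"
        if parts[1] in ("-4", "-6"):
            family, parts = parts[1][1], parts[:1] + parts[2:]
        if len(parts) >= 2 and parts[1] == "default":
            rules[family] = set(parts[2:])
    return rules


def audit_ntp_conf(conf_text):
    """Return a list of findings; an empty list means remote hosts cannot
    pull the monlist.

    monlist is served only when the monitor facility is on (it is unless
    'disable monitor' appears) and the default restriction for that address
    family carries neither noquery nor ignore.
    """
    if re.search(r"^\s*disable\b.*\bmonitor\b", conf_text, re.M):
        return []
    rules = default_restrictions(conf_text)
    findings = []
    for fam in ("4", "6"):
        flags = rules.get(fam, rules.get("any"))   # family-specific line wins
        if flags is None:
            findings.append("IPv%s: no default restrict line, all queries allowed" % fam)
        elif not flags & {"noquery", "ignore"}:
            findings.append("IPv%s: default restrict lacks noquery, monlist reachable" % fam)
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:                          # audit a real file, e.g. /etc/ntp.conf
        with open(sys.argv[1]) as fh:
            print(audit_ntp_conf(fh.read()) or ["ok"])
    else:
        for label, text in (("before", BEFORE), ("after", AFTER)):
            print(label, audit_ntp_conf(text) or ["ok"])
```

Keep the restrict 127.0.0.1 and restrict ::1 lines when you add noquery to the defaults; otherwise ntpq -p stops working on the server itself, which is the usual reason people later loosen the rule again.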
Restart ntpd (it may take a little while for the ntp server to start responding after the restart).
Test to make sure the ntp server is working:
jemurray@janus:~$ sudo ntpdate unixhosts.us
13 Jan 14:40:05 ntpdate[30883]: adjust time server 173.230.136.108 offset 0.001280 sec
Then check that it no longer answers monlist and so can no longer be used as an amplifier:
jemurray@janus:~$ ntpdc -n -c monlist unixhosts.us
unixhosts.us: timed out, nothing received
***Request timed out
Notes: Tested on Ubuntu 10.04.4 LTS running stock ntpd: 1:4.2.4p8+dfsg-1ubuntu2.1 - Network Time Protocol daemon and utility pro