IT organizations were warned again yesterday about a new type of distributed denial-of-service (DDoS) attack that takes advantage of unprotected older Network Time Protocol (NTP) servers to overwhelm victims' systems.
NTP servers support a monitoring service that allows administrators to query the server for traffic counts of connected clients. This information is accessed through the "monlist" command, according to an alert issued this week by the United States Computer Emergency Readiness Team (US-CERT).
NTP amplification attackers are able to exploit the monlist feature because it is typically enabled by default on older NTP-capable devices. Security experts have long known that NTP amplification attacks were possible, but many of them only recently found out how effective the method is, during the recent rash of DDoS attacks on gaming sites.
"The basic attack technique consists of an attacker sending a 'get monlist' request to a vulnerable NTP server, with the source address spoofed to be the victim's address," the US-CERT post said. "Due to the spoofed source address, when the NTP server sends the response, it is sent to the victim."
The command results in the last 600 Internet Protocol addresses that connected to the NTP server being transmitted to the victim's system.
Since the size of the response is usually considerably larger than the request, according to the security team, the attacker is able to amplify the volume of traffic directed at the victim. Apart from that, because the responses are legitimate data coming from a valid server, it is difficult for systems to block such an attack.
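To show what this looks like on the wire from a defender's side, here is an added example (not code from the article or from US-CERT) that decodes the NTP mode 7 header used by monlist, flags monlist requests and replies, and totals reply bytes per destination so a spoofed victim stands out. The header layout, implementation number 3 and request codes 20/42 follow ntpd's mode 7 definitions; the traffic sample and addresses are constructed.

```python
import struct
from collections import defaultdict

MODE_PRIVATE = 7           # NTP "private" mode used by ntpdc queries such as monlist
IMPL_XNTPD = 3             # implementation number ntpd expects in mode 7 requests
MONLIST_CODES = {20, 42}   # REQ_MON_GETLIST and REQ_MON_GETLIST_1 request codes

def parse_mode7(payload):
    """Decode the 8-byte mode 7 header; return None for anything that is not mode 7."""
    if len(payload) < 8:
        return None
    flags, _auth_seq, impl, req_code, err_nitems, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if flags & 0x07 != MODE_PRIVATE:
        return None
    return {"response": bool(flags & 0x80),  # R bit: set on replies from the server
            "more": bool(flags & 0x40),      # M bit: further reply packets follow
            "impl": impl, "req_code": req_code,
            "nitems": err_nitems & 0x0FFF,   # low 12 bits: entries carried in this packet
            "item_size": mbz_size & 0x0FFF}  # low 12 bits: bytes per entry (72 for monlist)

def is_monlist(payload):
    hdr = parse_mode7(payload)
    return hdr is not None and hdr["impl"] == IMPL_XNTPD and hdr["req_code"] in MONLIST_CODES

def amplification_by_address(packets):
    """packets: (src_ip, dst_ip, udp_payload). Returns {ip: (bytes requested, bytes received, ratio)}.
    A spoofed victim shows up with a tiny 'request' and a flood of monlist replies."""
    req, resp = defaultdict(int), defaultdict(int)
    for src, dst, payload in packets:
        if not is_monlist(payload):
            continue
        if parse_mode7(payload)["response"]:
            resp[dst] += len(payload)
        else:
            req[src] += len(payload)
    return {ip: (req[ip], resp[ip], resp[ip] / req[ip] if req[ip] else float("inf"))
            for ip in set(req) | set(resp)}

# Constructed sample traffic (not a real capture): one spoofed 48-byte monlist request
# followed by 100 reply packets of 440 bytes (6 entries x 72 bytes + 8-byte header).
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 44
MONLIST_REPLY = bytes([0xD7, 0x00, 0x03, 0x2A]) + struct.pack("!HH", 6, 72) + b"\x00" * 432
VICTIM, NTP_SERVER = "192.0.2.10", "198.51.100.5"   # RFC 5737 documentation addresses
SAMPLE_PACKETS = [(VICTIM, NTP_SERVER, MONLIST_REQUEST)] + \
                 [(NTP_SERVER, VICTIM, MONLIST_REPLY)] * 100

if __name__ == "__main__":
    for ip, (sent, got, ratio) in amplification_by_address(SAMPLE_PACKETS).items():
        print(f"{ip}: requested {sent} B, received {got} B, amplification {ratio:.0f}x")
```

Ordinary mode 3 client/server time requests never match, so only the administrative query traffic the advisory describes is counted.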
"The only solution is to disable the monlist within the NTP server or to upgrade to the latest version of NTP (4.2.7) which disables the monlist functionality," the US-CERT advisory said.