Feeds

Don't be a DDoS dummy: Patch your NTP servers, plead infosec bods

Popular attack method could be stopped with a config tweak

Protecting against web application threats using SSL

Security researchers have responded to recent denial of service attacks against gaming websites and service providers that rely on insecure Network Time Protocol servers by drawing up a list of vulnerable systems.

Network Time Protocol (NTP) offers a means of synchronising clocks over a computer network. Features of the simple UDP-based protocol mean it is possible to abuse it to return a large reply to a small request.

The technique was used to take down Battle.net, League of Legends, Steam and other gaming sites in late December for reasons that still remain unclear, weeks later.

Symantec recorded a "significant spike in NTP reflection attacks" in general over the Christmas season.

DNS-based reflection and amplification attacks were used in high volume attacks against Spamhaus and others in 2013. "NTP-based attacks use similar techniques, just a different protocol," CloudFlare, the web security firm that helped Spamhaus mitigate last year's packet flood, explains.

Open NTP servers are the new open DNS resolvers. In just the same way that the ‪openresolverproject.org aimed to list open DNS resolvers a new service called openntpproject.org.

The message to web admins and ISPs in both cases is clear: fix your servers and prevent them from participating in amplification attacks. Resolving misconfiguration problems in either case is straightforward and shouldn't take more than a few minutes. In the case of open DNS resolvers the fix involves configuration changes, while open NTP servers can be taken out of the pool of systems open to abuse by cybercrooks through either patching or disabling an abusable service.

Publicly accessible NTP servers can be abused to swamp a target system with UDP traffic. An attacker would send a series of "get monlist" requests to a vulnerable NTP server, with the source address spoofed to be the victim’s.

US-CERT advises sys admins to either disable the monlist functionality within the NTP server or to upgrade to the latest version of the technology (NTP 4.2.7), which doesn't automatically enable the problematic monlist service. A small query can redirect megabytes of traffic, security experts at the SANS Institute's Internet Storm Centre warn.

The Open NTP Project is a useful resource in helping to identify vulnerable systems because it allows sysadmins to use external IP addresses to search through a ready-compiled database of affected machines, as explained in a blog post by cloud security firm Qualys here. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.