Feeds

Sysadmins rejoice! Patch rampage killing off nasty DDoS attack vector

Server fleet open to NTP attack drops from 400k to just 17,000

Providing a secure and efficient Helpdesk

Sysadmins rejoice! NSFOCUS researchers say hundreds of thousands of Network Time Protocol (NTP) servers have been patched, reducing the threat from some devastating and cheap distributed denial of service (DDoS) attacks.

The patching rampage saw the number of vulnerable NTP servers drop from 432,120 at the start of the year to 17,647 in May.

The sharp decline followed alerts by Computer Emergency Response Teams (CERTs) and the media to a rise in powerful NTP reflection DDoS attacks that deluged websites and servers with record levels of junk traffic.

Using NTP servers for DDoS attacks offers resourced-starved assailants huge bang for buck. Small packets can be sent to insecure NTP servers, normally used to synchronise clocks, which would then return an amount of data magnified many hundred-fold to a target of the attacker's choosing.

Instances of NTP DDoS attacks appeared to spike earlier this year when popular gaming servers and enterprises were knocked offline under the traffic streams tipping 400 Gbps in February and in separate attacks peaking 800 Gbps in March.

Patches closed off or restricted monlist functions used in the attacks which normally provided a list of the previous 600 boxes that communicated with a NTP server. Villains would spoof monlist requests from victim machines which would then be heavily DDoSed.

NSFOCUS wrote in a report that the patching effort was laudable but more work needed to be done.

"The decline in vulnerable servers indicates that many network and system administrators have taken the necessary steps to disable or restrict monlist functions; however proper steps should be taken to ensure the rest of the vulnerable servers are protected," the company wrote.

"US-CERT and Network Time Protocol strongly advise system administrators to upgrade ntpd to version 4.2.7p26 or later. Users of earlier versions of 4.2.7p26 should either use noquery in the default restrictions to block all status queries, or use disable monitor to disable the ntpdc – c monlist command while still allowing other status queries." ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.