Sysadmins rejoice! NSFOCUS researchers say hundreds of thousands of Network Time Protocol (NTP) servers have been patched, reducing the threat from some devastating and cheap distributed denial of service (DDoS) attacks.

The patching rampage saw the number of vulnerable NTP servers drop from 432,120 at the start of the year to 17,647 in May.

The sharp decline followed alerts by Computer Emergency Response Teams (CERTs) and the media to a rise in powerful NTP reflection DDoS attacks that deluged websites and servers with record levels of junk traffic.

Using NTP servers for DDoS attacks offers resourced-starved assailants huge bang for buck. Small packets can be sent to insecure NTP servers, normally used to synchronise clocks, which would then return an amount of data magnified many hundred-fold to a target of the attacker's choosing.

Instances of NTP DDoS attacks appeared to spike earlier this year when popular gaming servers and enterprises were knocked offline under the traffic streams tipping 400 Gbps in February and in separate attacks peaking 800 Gbps in March.

Patches closed off or restricted monlist functions used in the attacks which normally provided a list of the previous 600 boxes that communicated with a NTP server. Villains would spoof monlist requests from victim machines which would then be heavily DDoSed.

NSFOCUS wrote in a report that the patching effort was laudable but more work needed to be done.

"The decline in vulnerable servers indicates that many network and system administrators have taken the necessary steps to disable or restrict monlist functions; however proper steps should be taken to ensure the rest of the vulnerable servers are protected," the company wrote.

"US-CERT and Network Time Protocol strongly advise system administrators to upgrade ntpd to version 4.2.7p26 or later. Users of earlier versions of 4.2.7p26 should either use noquery in the default restrictions to block all status queries, or use disable monitor to disable the ntpdc – c monlist command while still allowing other status queries." ®

Related stories

• Denial of service attacks pour through rift in Network Time Protocol (9 April 2015)

  https://www.theregister.com/2015/04/09/ntp_vulns/

• Apple scuttles NTP flaw in OS X – with 'first ever' silent auto update (23 December 2014)

  https://www.theregister.com/2014/12/23/apple_scuttles_ntp_flaw_in_os_x/

• Dangerous NTP hole ruins your Chrissy lunch (22 December 2014)

  https://www.theregister.com/2014/12/22/dangerous_ntp_hole_ruins_your_chrissy_lunch/

• Hack skirmish grounded Sony exec's flight after FAKE bomb scare (25 August 2014)

  https://www.theregister.com/2014/08/25/hack_skirmish_also_grounded_sony_execs_flight/

• DDOS takes down Cirrus Communications (30 July 2014)

  https://www.theregister.com/2014/07/30/ddos_takes_down_cirrus_communications/

• Windows users: You get a patch! And you get a patch! And you get a patch! Everybody gets... (3 July 2014)

  https://www.theregister.com/2014/07/03/patch_tuesday_coming_up_and_servers_are_getting_a_bumper_dose/

• NASA's Curiosity rover brought Earth BUG to Mars (27 June 2014)

  https://www.theregister.com/2014/06/27/curosity_rover_brings_human_bugs_to_mars/

• Wi-Fi WarKitteh and DDoS Dog to stalk Defcon 22 (23 June 2014)

  https://www.theregister.com/2014/06/23/wifi_war_cat_ddos_dog_the_latest_in_animal_biotech_warfare/

• 'Most sophisticated DDoS' ever strikes Hong Kong democracy poll (23 June 2014)

  https://www.theregister.com/2014/06/23/most_sophisticated_ddos_strikes_hk_democracy_poll/

• YOU'RE HISTORY: Ancestry.com goes titsup for TWO DAYS (18 June 2014)

  https://www.theregister.com/2014/06/18/ancestry_dot_com_brought_down_by_ddos_attack/

• Feedly DDoSed by ransom-threat crims: 'We refused to give in' (11 June 2014)

  https://www.theregister.com/2014/06/11/feedly_ddos_ransom_attack/

• Evernote taken out by DDoS attack (11 June 2014)

  https://www.theregister.com/2014/06/11/evernote_dos_attack/