[168155] in North American Network Operators' Group
Re: OpenNTPProject.org
daemon@ATHENA.MIT.EDU (Derek Andrew)
Mon Jan 13 16:14:00 2014
In-Reply-To: <654ffad2725247a1a0386fd7a29b1ffb@CAMPUSCAS3.usask.ca>
From: Derek Andrew <Derek.Andrew@usask.ca>
Date: Mon, 13 Jan 2014 15:13:18 -0600
To: Jared Mauch <jared@puck.nether.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
nmap -sU -pU:123 -Pn -n --script=ntp-monlist serverIP
On Mon, Jan 13, 2014 at 3:07 PM, Jared Mauch <jared@puck.nether.net> wrote:
> Greetings,
>
> With the recent increase in NTP attacks, I wanted to advise the community
> of a few things:
>
> There are about 1.2-1.5 million of these servers out there.
>
> 1) You can search your IP space to find NTP servers that respond to the
> ‘MONLIST’ queries.
>
> 2) I’ve found some vendors have old embedded versions of NTP including
> ILO/Service Processors and other parts of the “internet of things”.
>
> 3) You want to upgrade NTP, or adjust your ntp.conf to include ‘limited’
> or ‘restrict’ lines or both. (I defer to someone else to be an expert in
> this area, but am willing to learn :) )
>
> 4) Please prevent packet spoofing where possible on your network. This
> will limit the impact of spoofed NTP or DNS (amongst others) packets from
> impacting the broader community.
>
> 5) Some vendors don’t have an easy way to alter the ntp configuration, or
> have not or won’t be updating NTP; you may need to use ACLs, firewall
> filters, or other methods to block this traffic. I’ve heard of many
> routers being used in attacks impacting the CPU usage.
>
> Take a moment and see if your devices respond to the following
> query/queries:
>
> ntpdc -n -c monlist 10.0.0.1
> ntpdc -n -c loopinfo 10.0.0.1
> ntpdc -n -c iostats 10.0.0.1
>
> 6) If you do VMs/Servers and have a template, please make sure that they
> do not respond to NTP requests.
>
> Thanks!
>
> - Jared
>
-- 
Copyright 2014 Derek Andrew (excluding quotations)
+1 306 966 4808
Information and Communications Technology
University of Saskatchewan
Peterson 120; 54 Innovation Boulevard
Saskatoon, Saskatchewan, Canada. S7N 2V3
Timezone GMT-6
Typed but not read.
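As an added example (not part of the thread above, and not a vendor's shipped file): the ntp.conf ‘restrict’ and ‘limited’ lines Jared's item 3 refers to, showing a permissive default next to a hardened version for ntpd 4.2.x. The upstream server name is a placeholder.

```conf
# Added example: ntp.conf fragment that stops ntpd from answering the
# mode-7 'monlist' query while still serving time. ntp1.example.net is a
# placeholder for your real upstream server.

# PERMISSIVE (seen as a shipped default on many systems): any source may
# send control/monitor queries, including monlist.
#restrict default nomodify notrap

# HARDENED: refuse all control/monitor queries from everywhere (noquery),
# refuse unauthenticated peering (nopeer), and rate-limit abusers, sending
# a kiss-o'-death packet when the limit is hit (kod + limited).
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# Loopback keeps full access so local ntpq/ntpdc status checks still work.
restrict 127.0.0.1
restrict -6 ::1

# Time exchange with the upstream server is unaffected by the lines above.
server ntp1.example.net iburst

# Belt and braces: switch the monitor facility off entirely, so monlist
# has nothing to return even if a restrict line is loosened later.
disable monitor
```

After restarting ntpd, re-run Jared's `ntpdc -n -c monlist` check against the host from outside your network; a hardened server now times out instead of returning a client list. ntpd 4.2.7p26 and later no longer implement monlist at all, so where an upgrade is possible it is the cleanest fix.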