DDoS Attacks Abusing Network Timing Protocol Flood the Web
US-CERT warns of an increase in distributed denial-of-service attacks that leverage the Network Time Protocol.

Distributed denial-of-service (DDoS) attacks can take on many different forms, as those who commit them leverage different techniques to drown Websites under a flood of traffic. The United States Computer Emergency Readiness Team (US-CERT) is warning of an increased risk from DDoS attacks that leverage the Network Time Protocol (NTP) to amplify the attack volume.

NTP is a widely deployed Internet protocol that is primarily used as a time-keeping technique for clock synchronization. Simply requesting the time from an NTP server is not, however, what attackers are using to execute DDoS attacks. Instead, attackers are abusing a feature in NTP that enables administrators to query an NTP server about connected clients and their traffic counts. The query is made via a "monlist" command.

"This command causes a list of the last 600 IP addresses which connected to the NTP server to be sent to the victim," US-CERT warns. "Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim."
US-CERT also warns that since NTP traffic is typically considered legitimate, it can be difficult for administrators to block the attack.
The monlist command is also at the root of a known vulnerability referred to as CVE-2013-5211, which has been patched in the latest release of NTP. US-CERT warns that all versions of NTP prior to version 4.2.7 are at risk.
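The monitoring traffic described above is easier to separate from legitimate time synchronization than the article suggests, because monlist uses NTP's "private" mode 7 (the ntpdc control channel) rather than the client/server modes 3 and 4 that clock synchronization uses. The following Python example, added here and not taken from the article or from the US-CERT alert, parses the mode 7 request header from the NTP reference implementation's ntp_request.h, classifies packets as ordinary time sync versus monlist requests or responses, and flags peers that receive far more monlist response bytes than they sent in requests (the signature of a spoofed-source amplification flood seen from the reflector's own network). The sample packets, IP addresses, the 10x ratio threshold and the zero-filled response entries are constructed for the example.

```python
"""Detect NTP monlist amplification traffic from packets observed at an NTP server.

Added example; not part of the original article or the US-CERT alert.
Header layout and constants follow ntp_request.h in the NTP reference implementation.
"""
import struct
from dataclasses import dataclass

NTP_MODE_PRIVATE = 7       # low 3 bits of byte 0; mode 3 = client, 4 = server
IMPL_XNTPD = 3             # implementation number used by the reference ntpd
REQ_MON_GETLIST = 20       # original monlist request code
REQ_MON_GETLIST_1 = 42     # newer monlist request code (72-byte entries)
MONLIST_REQUESTS = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}


@dataclass
class NtpPrivateHeader:
    response: bool
    more: bool
    version: int
    implementation: int
    request: int
    error: int
    nitems: int
    itemsize: int
    length: int


def ntp_mode(payload: bytes) -> int:
    """Return the NTP mode from the low three bits of the first byte (-1 if empty)."""
    return (payload[0] & 0x07) if payload else -1


def parse_private_header(payload: bytes):
    """Parse the 8-byte mode 7 request header; None if this is not a mode 7 packet."""
    if len(payload) < 8 or ntp_mode(payload) != NTP_MODE_PRIVATE:
        return None
    rm_vn_mode, _auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(
        "!BBBBHH", payload[:8])
    return NtpPrivateHeader(
        response=bool(rm_vn_mode & 0x80),     # set on replies from the server
        more=bool(rm_vn_mode & 0x40),         # set when further reply packets follow
        version=(rm_vn_mode >> 3) & 0x07,
        implementation=impl,
        request=req,
        error=(err_nitems >> 12) & 0x0F,      # high 4 bits: error code
        nitems=err_nitems & 0x0FFF,           # low 12 bits: entries in this packet
        itemsize=mbz_itemsize & 0x0FFF,       # low 12 bits: bytes per entry
        length=len(payload),
    )


def classify(payload: bytes) -> str:
    """Label a UDP/123 payload: time-sync, monlist-request, monlist-response, or other."""
    hdr = parse_private_header(payload)
    if hdr is None:
        return "time-sync" if ntp_mode(payload) in (3, 4) else "other"
    if hdr.implementation == IMPL_XNTPD and hdr.request in MONLIST_REQUESTS:
        return "monlist-response" if hdr.response else "monlist-request"
    return "mode7-other"


def amplification_report(packets, threshold=10.0):
    """packets: iterable of (src_ip, dst_ip, payload) seen on the NTP server's link.

    Returns {peer_ip: ratio} for peers whose received monlist response bytes exceed
    the monlist request bytes attributed to them by more than `threshold`. In a
    reflection attack the requests carry the victim's spoofed source address, so
    the victim shows up here as the peer with the lopsided ratio.
    """
    req_bytes, resp_bytes = {}, {}
    for src, dst, payload in packets:
        kind = classify(payload)
        if kind == "monlist-request":
            req_bytes[src] = req_bytes.get(src, 0) + len(payload)
        elif kind == "monlist-response":
            resp_bytes[dst] = resp_bytes.get(dst, 0) + len(payload)
    report = {}
    for peer, out in resp_bytes.items():
        inbound = req_bytes.get(peer, 0)
        ratio = out / inbound if inbound else float("inf")
        if ratio > threshold:
            report[peer] = ratio
    return report


# --- constructed sample traffic (not captured data) ---------------------------
SERVER, VICTIM, CLIENT = "198.51.100.5", "192.0.2.10", "192.0.2.77"
CLIENT_SYNC = bytes([0x1B]) + bytes(47)   # LI=0, VN=3, mode 3; 48-byte client poll
SERVER_SYNC = bytes([0x1C]) + bytes(47)   # LI=0, VN=3, mode 4; 48-byte server reply
MONLIST_REQ = struct.pack("!BBBBHH", 0x17, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)
# One reply packet: response+more bits set, 6 entries of 72 bytes (zero-filled here).
MONLIST_RESP = struct.pack("!BBBBHH", 0xD7, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 6, 72) + bytes(6 * 72)

SAMPLE_PACKETS = [
    (CLIENT, SERVER, CLIENT_SYNC),
    (SERVER, CLIENT, SERVER_SYNC),
    (VICTIM, SERVER, MONLIST_REQ),        # spoofed request "from" the victim
    (SERVER, VICTIM, MONLIST_RESP),
    (SERVER, VICTIM, MONLIST_RESP),
    (SERVER, VICTIM, MONLIST_RESP),
]

if __name__ == "__main__":
    for src, dst, payload in SAMPLE_PACKETS:
        print(f"{src:>14} -> {dst:<14} {len(payload):4d} bytes  {classify(payload)}")
    print("amplified peers:", amplification_report(SAMPLE_PACKETS))
```

Run over real traffic, the same classifier lets a firewall or IDS rule key on mode 7 with implementation 3 and request codes 20 or 42 while leaving mode 3/4 time synchronization untouched, which addresses the blocking difficulty the alert mentions; on the server side, the ratio per destination is the number to alert on, since a single 8-byte request here produces 440 bytes per reply packet and the full 600-entry list spans many such packets.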