579
edits
Changes
Jump to navigation
Jump to search
Line 6:
Line 6: − + − Line 24:
Line 23: − − As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publically accessible to at least 4.2.7. However, in cases where it is not possible to upgrade the version of the service, it is possible to disable the monitor functionality in earlier versions of the software.
no edit summary
It is important to note that the same exploits may well apply to IPv4 hosts running the same protocols.
It is important to note that the same exploits may well apply to IPv4 hosts running the same protocols.
===Links to other material===
Links to other areas of the wiki:
* [[IPv6]] - an overview of IPscan (IPv6 Port Scanner)
* [[IPv6]] - an overview of IPscan (IPv6 Port Scanner)
If an attacker uses a spoofed source address then a victim can be flooded with considerable NTP traffic. The size of the response is typically considerably larger than the request and consequently the attacker is able to amplify the volume of traffic directed at the victim. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks. The solution is to disable “monlist” within the NTP server or to upgrade to the latest version of NTP (4.2.7) which disables the “monlist” functionality.
If an attacker uses a spoofed source address then a victim can be flooded with considerable NTP traffic. The size of the response is typically considerably larger than the request and consequently the attacker is able to amplify the volume of traffic directed at the victim. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks. The solution is to disable “monlist” within the NTP server or to upgrade to the latest version of NTP (4.2.7) which disables the “monlist” functionality.
To prevent your NTP daemon being used in DDoS attacks it is necessary to disable “monlist” functionality. On a public-facing NTP server that cannot be updated to version 4.2.7 or later, add the “noquery” directive to the “restrict default” line in the system’s ntpd.conf, as shown below:
To prevent your NTP daemon being used in DDoS attacks it is necessary to disable “monlist” functionality. On a public-facing NTP server that cannot be updated to version 4.2.7 or later, add the “noquery” directive to the “restrict default” line in the system’s ntpd.conf, as shown below: