
On Tue, 11 Feb 2014 16:43:39 +1300, Juha Saarinen wrote:
http://www.itnews.com.au/News/372033,worlds-largest-ddos-strikes-us-europe.a...
Amplification factor: 58.5.
DNS amplification is so last year, it seems ;) I've actually been drafting a PSA for the list about fixing NTP as we've seen a pretty solid uptick in NTP reflection attacks this year, but I'll just summarise the key points below.

We're seeing ~200 byte requests generating almost 5k responses from spoofed "monlist" traffic. It's worth noting that a lot of stuff unexpectedly has the NTP client listening (we've seen it on Juniper routers, Sun IPMI cards, various SOHO routers), so it's not just your "real" NTP servers that need protecting. The ntp /client/ daemon (e.g. just keeping the time correct on a box) in some configurations will by default listen on wildcard and respond to these "monlist" queries that are popular with the attackers, so it's worth having a careful look at what you're running.

Long and short of it:

-> If your ISC ntp daemon needs to listen on the Internet, upgrade it to at least version 4.2.7 which removes the "monlist" command entirely. If you can't do that, either disable "monlist" by adding:

    disable monitor

to your ntp.conf file, which should be wholly innocuous (I doubt anything will break given that this feature no longer exists as of 4.2.7), or by adding `noquery' to the config to disable the entire class of request (I could imagine this maybe breaking things, so perhaps be a little cautious).

-> If you don't need your ntp daemon listening on the Internet, implement some kind of ACL in front of it (as well as disabling the monitoring command 8^)) so that malicious requests don't even make it to the box. Before Roland appears and mentions it, try and avoid putting a stateful firewall in front of stuff :)

-> Scan your networks using something like nmap in UDP mode for port 123 to find open NTP servers. There's an nmap script which specifically tests for the "monlist" function being enabled available from http://nmap.org/nsedoc/scripts/ntp-monlist.html, along with some example invocations.
Don't worry, once we're done sorting this one out there's still spoofed source SNMP amplification attacks for the attackers to move on to :)

--
Michael
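As an added example (not part of the original post), the following script audits an ntp.conf for the two mitigations Michael describes: a `disable monitor` directive and a `restrict default ... noquery` line. The two config texts are constructed samples; the audit only tells you something for ntpd versions older than 4.2.7, where monlist still exists and monitoring is on by default.

```python
"""Audit an ntp.conf for the monlist mitigations (added example, not from the post)."""

# Constructed sample: a stock-looking config with no restriction on remote queries,
# so mode 7 "monlist" requests from anywhere will be answered on ntpd < 4.2.7.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict 127.0.0.1          # only loopback is restricted; default is wide open
"""

# Constructed sample: the same config with both mitigations from the post applied.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
disable monitor                                   # drop the monlist data entirely
restrict default kod nomodify notrap nopeer noquery  # refuse mode 6/7 queries by default
restrict 127.0.0.1
"""


def parse_ntp_conf(text):
    """Yield (keyword, args) for each directive; comments and blank lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.lower().split()
            yield parts[0], parts[1:]


def audit_monlist(text):
    """Return which mitigations are present and whether monlist is still exposed."""
    monitor_enabled = True  # ntpd's default: monitoring is on unless disabled
    default_noquery = False
    for keyword, args in parse_ntp_conf(text):
        # Later enable/disable lines override earlier ones, so track the final state.
        if keyword in ("enable", "disable") and "monitor" in args:
            monitor_enabled = keyword == "enable"
        # 'restrict default' (optionally with -4/-6) governs every unlisted source.
        elif keyword == "restrict" and "default" in args and "noquery" in args:
            default_noquery = True
    return {
        "monitor_disabled": not monitor_enabled,
        "default_noquery": default_noquery,
        "monlist_exposed": monitor_enabled and not default_noquery,
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_monlist(conf))
```

Run it against a real file with `audit_monlist(open("/etc/ntp.conf").read())`; a result of `monlist_exposed: True` on a pre-4.2.7 daemon that listens on the Internet is the case the post warns about.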