[ntp:security] monlist reflective DDoS

Christian Rossow christian.rossow at gmail.com
Sun Aug 11 08:02:19 UTC 2013


> If you use ntpq -c rv 119.146.43.2 you would be able to tell that these
> systems are running old versions of NTP. The first two are running 4.2.0
> while the latter two are running 4.2.4p5. That means you must be running
> mode 7 packets. monlist is an ntpdc option which uses mode 7 (private
> mode) packets. New versions of ntpd have moved this to ntpq which uses
> mode 6 packets and I believe that there's a confirmatory packet sent
> before returning the list. Harlan was going to confirm that.
OK, great. I can tell that:
 * RedHat 5.x / CentOS 5.x have version 4.2.2p1-15.el5
 * RedHat 6.x / CentOS 6.x (most recent) have version 4.2.4p8-3.el6
 * Fedora 19 (most recent) has version 4.2.6p5-11.fc19

I can scan the IPv4 space next week and include a version request so
that we get a clear picture of the server version. What do you think?
(BTW, scary to see that `rv` returns the exact system version.)

> Based on the versions of the servers you are sending mode 7 packets and
> that is a known issue. Someone would have to dig up the information on
> this but it is known.
OK, good to hear.

> What conference is this for?
It's NDSS 2014 [1], a mostly academic conference. Please don't spread
the word on my work, it's supposed to be an anonymous submission. FWIW,
next to NTP, I also looked at the potential for amplification in 12
other protocols and implementations, but NTP was "the worst" candidate.

Christian

[1]: http://www.internetsociety.org/ndss2014
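As an added example (not code from this thread or from the ntp project), a small classifier for raw NTP UDP payloads that tells mode 3 time requests, mode 6 control queries (what `ntpq -c rv` uses) and mode 7 private requests apart, and flags the two monlist request codes; the implementation and request-code constants are those from ntpd's ntp_request.h, and the sample payloads are constructed, not captured traffic.

```python
"""Classify raw NTP UDP payloads by mode and flag mode 7 monlist requests.

Header layout for mode 7 (private) packets as used by ntpdc:
byte 0 = R|M|VN(3)|Mode(3), byte 1 = Auth|Sequence(7),
byte 2 = implementation, byte 3 = request code.
"""
from dataclasses import dataclass

# Values from ntpd's ntp_request.h
IMPL_XNTPD = 3
REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42


@dataclass
class NtpHeader:
    version: int
    mode: int
    is_monlist_request: bool


def classify_ntp_payload(payload: bytes) -> NtpHeader:
    """Return NTP version, mode, and whether this is a mode 7 monlist query."""
    if len(payload) < 4:
        raise ValueError("payload too short to be an NTP packet")
    li_vn_mode = payload[0]
    version = (li_vn_mode >> 3) & 0x07
    mode = li_vn_mode & 0x07
    monlist = False
    if mode == 7:
        is_response = bool(li_vn_mode & 0x80)  # R bit set on responses
        impl = payload[2]
        req_code = payload[3]
        monlist = (not is_response and impl == IMPL_XNTPD
                   and req_code in (REQ_MON_GETLIST, REQ_MON_GETLIST_1))
    return NtpHeader(version, mode, monlist)


def count_monlist_requests(payloads) -> int:
    """Count monlist queries in a batch of UDP/123 payloads (e.g. from a pcap)."""
    return sum(1 for p in payloads if classify_ntp_payload(p).is_monlist_request)


# Constructed sample payloads, not captured traffic:
SAMPLES = [
    bytes([0x1B]) + bytes(47),                    # v3, mode 3 client time request
    bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4),   # v2, mode 7, IMPL_XNTPD, REQ_MON_GETLIST_1
    bytes([0x16, 0x02]) + bytes(10),              # v2, mode 6 control, opcode 2 (read variables)
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_ntp_payload(sample))
    print("monlist requests:", count_monlist_requests(SAMPLES))
```

A server that should only answer time requests would show zero mode 6 and mode 7 queries from untrusted networks; anything else is worth an alert.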
