[ntp:security] Huge hack 'ugly sign of future' for internet threats - NTP

Steve Kostecke kostecke at ntp.org
Tue Feb 11 19:49:19 UTC 2014


Danny Mayer said:

>This article on the BBC shows that NTP was the attack
>vector for attacking the Internet infrastructure:
>http://www.bbc.co.uk/news/technology-26136774

Misleading statement in the BBC article:

"A computer needing to synchronise time with the NTP will send a small
amount of data to make the request. The NTP will then reply by sending
data back.

The vulnerability lies with two weaknesses. Firstly, the amount of data
the NTP sends back is bigger than the amount it receives, meaning an
attack is instantly amplified."

The following articles were linked from the BBC article:

http://www.independent.co.uk/life-style/gadgets-and-tech/worlds-largest-denial-of-service-attack-caused-by-vulnerability-in-the-infrastructure-of-the-web-9122200.html

"There are two vulnerabilities with this system. Firstly, the
information sent out by NTP servers is several times larger than the
original request, ..."

http://www.informationweek.com/security/attacks-and-breaches/ddos-attack-hits-400-gbit-s-breaks-record/d/d-id/1113787?f_src=informationweek_node_450

http://www.cio.co.nz/article/538015/attackers_use_ntp_reflection_huge_ddos_attack/

http://www.v3.co.uk/v3-uk/news/2328222/huge-ddos-attack-hits-eu-and-us-networks

>It doesn't mention mrulist but I think that can be assumed especially
>as the CERT just came out on it.

As I've said in other places ... The NTP Project should reconsider their
philosophy of allowing everything by default. Others will act if we
don't.

And it would be a good idea to release patched sources (which default to
"disable monitor") for the tail versions of each release tree.

-- 
Steve Kostecke <kostecke at ntp.org>
NTP Public Services Project http://support.ntp.org/
Public Key at http://support.ntp.org/Users/SteveKostecke
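
A configuration check for the "disable monitor" default asked for in the message above, as an added example that is not part of the original post and is not NTP Project code: it audits an ntp.conf for monitoring left enabled and for `restrict default` entries that lack `noquery`. The two sample configs are constructed, and `noquery` is standard ntpd access-control syntax that the post itself does not mention.

```python
# Constructed sample configs (not from the post or from the NTP distribution).
PERMISSIVE = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict 127.0.0.1
"""

HARDENED = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
disable monitor            # the default the post asks for
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

def audit_ntp_conf(text):
    """Return a list of findings for one ntp.conf; an empty list means none."""
    monitor_on = True   # assumption: ntpd monitors unless the config disables it
    defaults = []       # (line number, flag set) for every "restrict default"
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].lower().split()   # drop comments
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("enable", "disable") and "monitor" in args:
            monitor_on = keyword == "enable"   # assumed: a later directive overrides
        elif keyword == "restrict":
            if args and args[0] in ("-4", "-6"):
                args = args[1:]                # skip the address-family switch
            if args and args[0] == "default":
                defaults.append((lineno, set(args[1:])))
    findings = []
    if monitor_on:
        findings.append("monitor: enabled (no 'disable monitor' in effect)")
    if not defaults:
        findings.append("restrict: no 'restrict default' entry")
    for lineno, flags in defaults:
        if "noquery" not in flags:
            findings.append(f"restrict: line {lineno} default entry lacks noquery")
    return findings

if __name__ == "__main__":
    for name, conf in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(name, audit_ntp_conf(conf) or "no findings")
```
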

