[ntp:questions] Public ntp-server and reflection-attacks

Rudolf E. Steiner res-usenet at communicate.at
Thu Nov 21 16:42:39 UTC 2013


Hi.

We have strong reflection-attacks on our public timeserver ("ntpd 4.2.6p5").

The strange behavior is that the server receives one packet and sends 100 packets
to the target.

Incoming packet:

----- begin -----
Network Time Protocol (NTP Version 2, private)
Flags: 0x17
0... .... = Response bit: Request (0)
.0.. .... = More bit: 0
..01 0... = Version number: NTP Version 2 (2)
.... .111 = Mode: reserved for private use (7)

Auth, sequence: 0
0... .... = Auth bit: 0
.000 0000 = Sequence number: 0

Implementation: XNTPD (3)

Request code: MON_GETLIST_1 (42)
----- end -----

First outgoing packet:

----- begin -----
Network Time Protocol (NTP Version 2, private)
Flags: 0xd7
1... .... = Response bit: Response (1)
.1.. .... = More bit: 1
..01 0... = Version number: NTP Version 2 (2)
.... .111 = Mode: reserved for private use (7)

Auth, sequence: 0
0... .... = Auth bit: 0
.000 0000 = Sequence number: 0

Implementation: XNTPD (3)

Request code: MON_GETLIST_1 (42)
----- end -----

Second outgoing packet:

----- begin -----
Network Time Protocol (NTP Version 2, private)
Flags: 0xd7
1... .... = Response bit: Response (1)
.1.. .... = More bit: 1
..01 0... = Version number: NTP Version 2 (2)
.... .111 = Mode: reserved for private use (7)

Auth, sequence: 1
0... .... = Auth bit: 0
.000 0001 = Sequence number: 1

Implementation: XNTPD (3)

Request code: MON_GETLIST_1 (42)
----- end -----

[...]

Last outgoing packet:

----- begin -----
Network Time Protocol (NTP Version 2, private)
Flags: 0x97
1... .... = Response bit: Response (1)
.0.. .... = More bit: 0
..01 0... = Version number: NTP Version 2 (2)
.... .111 = Mode: reserved for private use (7)

Auth, sequence: 99
0... .... = Auth bit: 0
.110 0011 = Sequence number: 99

Implementation: XNTPD (3)

Request code: MON_GETLIST_1 (42)
----- end -----

This means the attacker sends _one_ packet and gets _100_ packets to his
target.

How can I disable this behavior of ntpd?

-- 
Rudolf E. Steiner
res-usenet at communicate.at
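
Added example, not part of the original post: a Python sketch that decodes the four mode 7 header bytes shown in the dumps above and counts MON_GETLIST_1 requests against the response packets they trigger. The function names and the sample capture are constructed for illustration from the field values in the dumps.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

MODE_PRIVATE = 7         # "Mode: reserved for private use (7)"
IMPL_XNTPD = 3           # "Implementation: XNTPD (3)"
REQ_MON_GETLIST_1 = 42   # "Request code: MON_GETLIST_1 (42)"

@dataclass
class Mode7Header:
    response: bool
    more: bool
    version: int
    auth: bool
    sequence: int
    implementation: int
    request_code: int

def parse_mode7(payload: bytes) -> Optional[Mode7Header]:
    """Decode the first four bytes of an NTP UDP payload; None if not mode 7."""
    if len(payload) < 4:
        return None
    flags, auth_seq, impl, req = payload[:4]
    if flags & 0x07 != MODE_PRIVATE:
        return None  # ordinary time traffic (modes 1-5) or mode 6 control
    return Mode7Header(bool(flags & 0x80), bool(flags & 0x40), (flags >> 3) & 0x07,
                       bool(auth_seq & 0x80), auth_seq & 0x7F, impl, req)

def summarize(packets: Iterable[Tuple[str, bytes]]) -> Tuple[int, int, bool]:
    """packets: (direction, payload) pairs, direction is 'in' or 'out'.
    Returns (monlist requests, monlist response packets, final packet seen)."""
    requests = responses = 0
    complete = False
    for direction, payload in packets:
        h = parse_mode7(payload)
        if h is None or (h.implementation, h.request_code) != (IMPL_XNTPD, REQ_MON_GETLIST_1):
            continue
        if direction == "in" and not h.response:
            requests += 1
        elif direction == "out" and h.response:
            responses += 1
            complete = complete or not h.more  # More bit 0 marks the last packet
    return requests, responses, complete

# Constructed sample: one normal client query (flags 0x23), the 0x17 request,
# then responses 0xd7 seq 0..98 and 0x97 seq 99, as in the dumps above.
SAMPLE = [("in", bytes([0x23]) + bytes(47)), ("in", bytes([0x17, 0x00, 3, 42]))]
SAMPLE += [("out", bytes([0xD7 if s < 99 else 0x97, s, 3, 42])) for s in range(100)]

if __name__ == "__main__":
    req, resp, done = summarize(SAMPLE)
    print(f"monlist requests={req} response packets={resp} complete={done}")
```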


