Hi.

We have strong reflection-attacks on our public timeserver ("ntpd 4.2.6p5").

The strange behavior is that the server receives one packet and sends 100 packets
to the target.

Incoming packet:

----- begin -----
Network Time Protocol (NTP Version 2, private)
Flags: 0x17
0... .... = Response bit: Request (0)
.0.. .... = More bit: 0
..01 0... = Version number: NTP Version 2 (2)
.... .111 = Mode: reserved for private use (7)

Auth, sequence: 0
0... .... = Auth bit: 0
.000 0000 = Sequence number: 0

Implementation: XNTPD (3)

Request code: MON_GETLIST_1 (42)
----- end -----

First outgoing packet:

----- begin -----
Network Time Protocol (NTP Version 2, private)
Flags: 0xd7
1... .... = Response bit: Response (1)
.1.. .... = More bit: 1
..01 0... = Version number: NTP Version 2 (2)
.... .111 = Mode: reserved for private use (7)

Auth, sequence: 0
0... .... = Auth bit: 0
.000 0000 = Sequence number: 0

Implementation: XNTPD (3)

Request code: MON_GETLIST_1 (42)
----- end -----

Second outgoing packet:

----- begin -----
Network Time Protocol (NTP Version 2, private)
Flags: 0xd7
1... .... = Response bit: Response (1)
.1.. .... = More bit: 1
..01 0... = Version number: NTP Version 2 (2)
.... .111 = Mode: reserved for private use (7)

Auth, sequence: 1
0... .... = Auth bit: 0
.000 0001 = Sequence number: 1

Implementation: XNTPD (3)

Request code: MON_GETLIST_1 (42)
----- end -----

[...]

Last outgoing packet:

----- begin -----
Network Time Protocol (NTP Version 2, private)
Flags: 0x97
1... .... = Response bit: Response (1)
.0.. .... = More bit: 0
..01 0... = Version number: NTP Version 2 (2)
.... .111 = Mode: reserved for private use (7)

Auth, sequence: 99
0... .... = Auth bit: 0
.110 0011 = Sequence number: 99

Implementation: XNTPD (3)

Request code: MON_GETLIST_1 (42)
----- end -----

This means the attacker sends _one_ packet and gets _100_ packets to his
target.

How can I disable this behavior of ntpd?

-- 
Rudolf E. Steiner
[email protected]

_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
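
Added example (not part of the original message): a capture-side check that decodes the four header bytes shown in the dissections above and counts MON_GETLIST_1 requests against the responses they trigger. The function names and the sample capture are assumptions constructed from the values in the post.

```python
import struct

MODE_PRIVATE = 7         # "reserved for private use (7)"
IMPL_XNTPD = 3           # "Implementation: XNTPD (3)"
REQ_MON_GETLIST_1 = 42   # "Request code: MON_GETLIST_1 (42)"

def parse_mode7(payload):
    """Decode the first four bytes of a UDP/123 payload as an NTP mode 7
    header. Returns None for short payloads and for any other NTP mode."""
    if len(payload) < 4:
        return None
    flags, auth_seq, impl, req = struct.unpack("!BBBB", payload[:4])
    if flags & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(flags & 0x80),   # Response bit
        "more": bool(flags & 0x40),       # More bit
        "version": (flags >> 3) & 0x07,
        "auth": bool(auth_seq & 0x80),    # Auth bit
        "sequence": auth_seq & 0x7F,      # 7-bit sequence number
        "implementation": impl,
        "request_code": req,
    }

def monlist_ratio(packets):
    """packets: (direction, payload) tuples, direction "in" or "out".
    Returns (requests, responses, final_seen) for MON_GETLIST_1 traffic."""
    requests = responses = 0
    final_seen = False
    for direction, payload in packets:
        hdr = parse_mode7(payload)
        if hdr is None or (hdr["implementation"], hdr["request_code"]) != (
                IMPL_XNTPD, REQ_MON_GETLIST_1):
            continue
        if direction == "in" and not hdr["response"]:
            requests += 1
        elif direction == "out" and hdr["response"]:
            responses += 1
            final_seen = final_seen or not hdr["more"]  # More bit 0 ends the run
    return requests, responses, final_seen

# Constructed sample: one ordinary client packet (version 4, mode 3), then the
# request and the 100 responses with the header values quoted in the post.
SAMPLE = [("in", bytes([0x23]) + bytes(47)), ("in", bytes([0x17, 0, 3, 42]))]
SAMPLE += [("out", bytes([0xD7, seq, 3, 42])) for seq in range(99)]
SAMPLE.append(("out", bytes([0x97, 99, 3, 42])))

if __name__ == "__main__":
    print(monlist_ratio(SAMPLE))
```

A high response-to-request count for this request code on a public server is the pattern described in the message.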
