NTP servers have been in the news over the New Year, as security sites and social media talk about potential attacks. This is important because many linux servers run ntpd to help keep their clock time correct.
One of the first reports and some solutions are clearly described on litnet …
In LITNET we recently observed a very interesting NTP attack following the mentioned pattern during which enormous amounts of data was being sent from our stratum 1/2 NTP servers […] it turned out that it was utilizing ‘monlist’ query which is a built-in monitoring function providing a history of recent NTP clients. […] After upgrading our NTP servers the attacks stopped.
There is another really great post here which explains in more detail how such attacks are carried out…
Amplification attacks like that result in an attacker turning a small amount of bandwidth coming from a small number of machines into a massive traffic load hitting a victim from around the Internet. Until recently the most popular protocol for amplification attacks was DNS: a small DNS query looking up the IP address of a domain name would result in a large reply. […] The new kid on the block today is NTP.
In brief, the attack uses an ntp protocol command ‘monlist’ that is available in older versions of the ntpd daemon.
The simplest solution is to update the ntp server packages. For those with rpm based distributions, running yum update will do the job. Or for Debian based installs do apt-get update && apt-get upgrade. If its been a while while since you checked your server for security updates please take a few moments to do that as soon as possible.
If updating is not an option for you, and your ntp server is vulnerable to this issue it is possible to disable the monlist command by adding the following to the service configuration (eg in /etc/ntp.conf)
disable monitor
For the more technically minded the following links will also be useful in diagnosing if your server is actually affected.
If you are running different ntp software such as openntp that may still need attention, so do check that is properly configured and up to date.
Remember that we provide 24/7 support, so send us a ticket if you need a hand, and our expert team can help out.