A C wrote:
> On 1/8/2014 18:31, William Unruh wrote:
>> But this sounds like it is shooting someone else in the foot. That is
>> more serious. I.e., the default is that you should have to work quite hard
>> to enable the system to run these amplification attacks (I assume that
>> this is using the control system to send control/info packets, rather
>> than ntp time protocol packets)
>
> It is unclear (or, more correctly, not publicly documented yet) whether
> the attack used the monlist function (outlined in a CERT advisory in
> December) or some other method utilizing NTP protocols. But it was
> enough of an attack to cripple the gaming servers for some time.

It is indeed using the 'ntpdc -c monlist' mode 7 packet with a faked sender to do these attacks; we've added 'noquery' to our three external IPv4 pool servers.

(This is after our CERT guys saw multiple attempts to use those servers as part of a DDoS attack.)

My home IPv6 server still allows external users to ask for the monitor list, but only via the new 'ntpq -c mrulist' interface, which is safe against fake sender/redirect attacks.

Terje

--
- <Terje.Mathisen at tmsw.no>
"almost all programming can be viewed as an exercise in caching"
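
The 'noquery' mitigation described above, written out as an ntp.conf fragment added here for illustration (it is not from the original post or from the NTP project's documentation); the upstream server names are placeholders, and the permissive first line is shown only as the setting being replaced:

```conf
# WEAK (shown for contrast, keep commented out): answers mode 7 queries such as
# 'ntpdc -c monlist' from any address, so one small spoofed request produces a
# large response aimed at whatever source address the attacker wrote in.
# restrict default nomodify notrap

# HARDENED: still serve time (mode 3/4) to everyone, but refuse the
# ntpq/ntpdc control and monitoring protocols (mode 6 and mode 7).
#   noquery  - deny ntpq and ntpdc queries, including monlist and mrulist
#   nomodify - deny runtime configuration changes via ntpq/ntpdc
#   notrap   - deny trap registration (mode 6 trap service)
#   nopeer   - reject unsolicited symmetric-active associations
#   limited  - rate-limit clients; 'kod' sends a kiss-o'-death to abusers
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# Administrators on the box itself keep full ntpq/ntpdc access.
restrict 127.0.0.1
restrict -6 ::1

# Upstream time sources (placeholder names) are unaffected by 'noquery'.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst

# Alternative if monitoring data is not wanted at all: 'disable monitor'
# stops ntpd from keeping the MRU list that monlist/mrulist report.
```

After restarting ntpd, 'ntpq -p' from localhost should still work while 'ntpdc -c monlist <server>' and 'ntpq -c mrulist <server>' from an outside host time out; plain time queries from outside are unaffected.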

_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
