Possible Upcoming NTP Reflection DDoS Attack

2017 · November 26, 2017, 2:49pm

Hi everyone.

Recently I heard a possible plan from a group of blackhat crackers about utilizing vulnerable NTP servers from the Pool to launch a Reflection DDoS attack. Even if it’s not going to happen, or the attack is not feasible, I think it’s the right time for every NTP server operator to fix and upgrade vulnerable servers. Please notify every NTP operator you know and let them be aware of the (old) issue.

TLDR. upgrade NTP and use

restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

@Ask, could we integrate misconfiguration detection into the monitoring system? For example show a warning message for servers with public query. This can dramatically raise awareness of the issue.

Anonymous

ask · December 15, 2017, 10:49pm

I had the system check for this for a while; but I suspect the feature broke. I suspect the NTP Pool servers are a tiny tiny part of the problem as they’re disproportionately likely to be well maintained / monitored etc (versus random server on the internet with ntpd exposed on the internet). :-/

Topic		Replies	Views
Getting hit hard... 83.85.79.213 Server operators	1	1569	April 20, 2017
IP fragmentation protection?	5	972	June 16, 2019
How to deal with invalid abuse reports Server operators	20	1513	April 9, 2023
Are you seeing high rate, sustained NTP bursts coming from one IP address Server operators	0	476	February 7, 2024
More abusive NTP clients, this time from Germany Server operators	13	235	April 12, 2024

Possible Upcoming NTP Reflection DDoS Attack

Related Topics