Possible Upcoming NTP Reflection DDoS Attack

2017 · November 26, 2017, 2:49pm

Hi everyone.

Recently I heard a possible plan from a group of blackhat crackers about utilizing vulnerable NTP servers from the Pool to launch a Reflection DDoS attack. Even if it’s not going to happen, or the attack is not feasible, I think it’s the right time for every NTP server operator to fix and upgrade vulnerable servers. Please notify every NTP operator you know and let them be aware of the (old) issue.

TLDR. upgrade NTP and use

restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

@Ask, could we integrate misconfiguration detection into the monitoring system? For example show a warning message for servers with public query. This can dramatically raise awareness of the issue.

Anonymous

ask · December 15, 2017, 10:49pm

I had the system check for this for a while; but I suspect the feature broke. I suspect the NTP Pool servers are a tiny tiny part of the problem as they’re disproportionately likely to be well maintained / monitored etc (versus random server on the internet with ntpd exposed on the internet). :-/

Topic		Replies	Views
Our servers suffer massive down-score - and I don't have the slightest clue why Server operators	9	1909	May 16, 2018
Recommend the superior “pool" not “server” in ntp.conf Server operators	10	2044	January 9, 2023
NTP pool squatting Server operators	3	722	March 13, 2023
More abusive NTP clients, this time from Germany Server operators	13	774	April 12, 2024
Newbie operator, some questions! Server operators	6	1082	March 31, 2023

Possible Upcoming NTP Reflection DDoS Attack

Related Topics