Greetings,

With the recent increase in NTP attacks, I wanted to advise the community of a 
few things:

There are about 1.2-1.5 million of these servers out there.

1) You can search your IP space to find NTP servers that respond to the 
‘MONLIST’ queries.

2) I’ve found some vendors have old embedded versions of NTP including 
ILO/Service Processors and other parts of the “internet of things”.

3) You want to upgrade NTP, or adjust your ntp.conf to include ‘limited’ or 
‘restrict’ lines or both.  (I defer to someone else to be an expert in this 
area, but am willing to learn :) )

4) Please prevent packet spoofing where possible on your network.  This will 
limit the impact of spoofed NTP or DNS (amongst others) packets from impacting 
the broader community.

5) Some vendors don’t have an easy way to alter the ntp configuration, or have 
not or won’t be updating NTP, you may need to use ACLs, firewall filters, or 
other methods to block this traffic.  I’ve heard of many routers being used in 
attacks impacting the CPU usage.

Take a moment and see if your devices respond to the following query/queries:

ntpdc -n -c monlist 10.0.0.1
ntpdc -n -c loopinfo 10.0.0.1
ntpdc -n -c iostats 10.0.0.1

6) If you do VMs/Servers and have a template, please make sure that they do not 
respond to NTP requests.

Thanks!

- Jared

Reply via email to