nmap -sU -pU:123 -Pn -n --script=ntp-monlist serverIP
On Mon, Jan 13, 2014 at 3:07 PM, Jared Mauch <ja...@puck.nether.net> wrote:
> Greetings,
>
> With the recent increase in NTP attacks, I wanted to advise the community
> of a few things:
>
> There are about 1.2-1.5 million of these servers out there.
>
> 1) You can search your IP space to find NTP servers that respond to the
> ‘MONLIST’ queries.
>
> 2) I’ve found some vendors have old embedded versions of NTP including
> ILO/Service Processors and other parts of the “internet of things”.
>
> 3) You want to upgrade NTP, or adjust your ntp.conf to include ‘limited’
> or ‘restrict’ lines or both. (I defer to someone else to be an expert in
> this area, but am willing to learn :) )
>
> 4) Please prevent packet spoofing where possible on your network. This
> will limit the impact of spoofed NTP or DNS (amongst others) packets from
> impacting the broader community.
>
> 5) Some vendors don’t have an easy way to alter the ntp configuration, or
> have not or won’t be updating NTP; you may need to use ACLs, firewall
> filters, or other methods to block this traffic. I’ve heard of many
> routers being used in attacks impacting the CPU usage.
>
> Take a moment and see if your devices respond to the following
> query/queries:
>
> ntpdc -n -c monlist 10.0.0.1
> ntpdc -n -c loopinfo 10.0.0.1
> ntpdc -n -c iostats 10.0.0.1
>
> 6) If you do VMs/Servers and have a template, please make sure that they
> do not respond to NTP requests.
>
> Thanks!
>
> - Jared
>

--
Copyright 2014 Derek Andrew (excluding quotations)
+1 306 966 4808
Information and Communications Technology
University of Saskatchewan
Peterson 120; 54 Innovation Boulevard
Saskatoon, Saskatchewan, Canada. S7N 2V3
Timezone GMT-6

Typed but not read.
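As an added illustration (this is not code from Derek's reply or Jared's post, and it is not part of nmap or ntpd), the following Python models what the nmap script and `ntpdc -c monlist` actually send and receive, so the amplification behind the thread can be seen offline. It assumes the mode 7 "private" packet layout from ntpd's ntp_request.h: an 8-byte header, the request code 0x2a (REQ_MON_GETLIST_1), 72-byte info_monitor_1 items, at most 6 items per reply datagram and up to 100 reply datagrams for a full MRU list. The reply packets and the two ntp.conf texts below are constructed here for the example; the config check is a rough lint of the `restrict default ... noquery` / `disable monitor` settings Jared points at, not a full parser of ntpd's restrict semantics.

```python
import ipaddress
import struct

# Mode 7 request as sent by ntpdc/nmap: byte 0 = R:0 M:0 VN:2 mode:7 (0x17),
# byte 1 = auth/seq 0, byte 2 = implementation 3 (IMPL_XNTPD),
# byte 3 = request code 0x2a (REQ_MON_GETLIST_1), then err/nitems and
# mbz/itemsize fields, all zero.  Eight bytes on the wire.
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])

MON_ITEM_SIZE = 72          # sizeof(struct info_monitor_1), assumed from ntp_request.h
MAX_ITEMS_PER_PACKET = 6    # ntpd packs at most 6 items per reply datagram (assumption)
MAX_RESPONSE_PACKETS = 100  # a full MRU list spans up to 100 datagrams (assumption)
MON_ITEM_FMT = "!7IHBBII16s16s"  # avg_int,last_int,restr,count,addr,daddr,flags,port,mode,version,v6_flag,unused,addr6,daddr6


def parse_mode7_header(pkt: bytes) -> dict:
    """Decode the 8-byte mode 7 header shared by requests and replies."""
    if len(pkt) < 8:
        raise ValueError("short mode 7 packet")
    rm_vn_mode, seq, impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    return {
        "response": bool(rm_vn_mode & 0x80),   # R bit: set on replies
        "more": bool(rm_vn_mode & 0x40),       # M bit: more datagrams follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "mode": rm_vn_mode & 0x07,
        "seq": seq & 0x7F,
        "impl": impl,
        "req": req,
        "err": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "item_size": mbz_size & 0x0FFF,
    }


def parse_monlist_response(pkt: bytes) -> list:
    """Return [(client address, packet count), ...] from one monlist reply datagram.

    Anything that is not an error-free MON_GETLIST_1 reply yields an empty list,
    which is what a scanner should treat as "does not respond to monlist".
    """
    h = parse_mode7_header(pkt)
    if not (h["response"] and h["mode"] == 7 and h["req"] == 0x2A
            and h["err"] == 0 and h["item_size"] == MON_ITEM_SIZE):
        return []
    entries = []
    for i in range(h["nitems"]):
        off = 8 + i * MON_ITEM_SIZE
        item = pkt[off:off + MON_ITEM_SIZE]
        if len(item) < MON_ITEM_SIZE:
            break  # truncated datagram: keep what parsed cleanly
        (_avg, _last, _restr, count, addr4, _daddr, _flags,
         _port, _mode, _ver, v6_flag, _unused, addr6, _daddr6) = struct.unpack(MON_ITEM_FMT, item)
        addr = ipaddress.IPv6Address(addr6) if v6_flag else ipaddress.IPv4Address(addr4)
        entries.append((str(addr), count))
    return entries


def build_monlist_response(clients, seq: int = 0, more: bool = False) -> bytes:
    """Serialize a MON_GETLIST_1 reply the way ntpd would (constructed test data, not a capture)."""
    items = b""
    for ip, count in clients:
        a = ipaddress.ip_address(ip)
        addr4, v6, addr6 = (int(a), 0, bytes(16)) if a.version == 4 else (0, 1, a.packed)
        items += struct.pack(MON_ITEM_FMT, 64, 1, 0, count, addr4, 0, 0,
                             123, 3, 4, v6, 0, addr6, bytes(16))
    first = 0x97 | (0x40 if more else 0)  # R=1, VN=2, mode=7, plus M bit when more follow
    hdr = struct.pack("!BBBBHH", first, seq, 3, 0x2A, len(clients), MON_ITEM_SIZE)
    return hdr + items


def amplification_factor(responses) -> float:
    """Bytes returned per byte sent: the number that makes monlist attractive to attackers."""
    return sum(len(r) for r in responses) / len(MONLIST_REQUEST)


def ntp_conf_exposes_monlist(conf: str) -> bool:
    """Rough lint: True if neither a default noquery/ignore restriction nor 'disable monitor' is present."""
    default_blocks_queries = False
    monitor_disabled = False
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "restrict" and len(words) > 1:
            # "restrict default ..." and "restrict -4|-6 default ..." set the default policy
            flags = words[2:] if words[1] not in ("-4", "-6") else words[3:]
            target = words[1] if words[1] not in ("-4", "-6") else (words[2] if len(words) > 2 else "")
            if target == "default" and ("noquery" in flags or "ignore" in flags):
                default_blocks_queries = True
        elif words[0] == "disable" and "monitor" in words[1:]:
            monitor_disabled = True
    return not (default_blocks_queries or monitor_disabled)


# Constructed ntp.conf fragments: the first is the kind of default that answers monlist,
# the second is the hardened form the thread is asking people to deploy.
WEAK_CONF = """driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap
"""
HARDENED_CONF = """driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
"""

if __name__ == "__main__":
    full = build_monlist_response([("192.0.2.%d" % i, i) for i in range(1, 7)])
    print("one full reply datagram:", len(full), "bytes,",
          amplification_factor([full]), "x per datagram,",
          amplification_factor([full] * MAX_RESPONSE_PACKETS), "x for a full list")
    print("weak conf exposes monlist:", ntp_conf_exposes_monlist(WEAK_CONF))
    print("hardened conf exposes monlist:", ntp_conf_exposes_monlist(HARDENED_CONF))
```

The arithmetic is the whole story: an 8-byte spoofed query can draw 440 bytes back per datagram and up to 100 datagrams, which is why rate limiting (`limited`) alone is not enough and the thread asks for `noquery` or `disable monitor` plus anti-spoofing at the edge. The parser also shows what a scanner keys on: a reply with the R bit set, mode 7, request code 0x2a and err 0 means the host will amplify.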