[nsp-sec] 50Gbps NTP Attack, 23377 Source IP addresses
Jon Lewis
jlewis at lewis.org
Tue Feb 25 18:58:49 EST 2014
On Tue, 25 Feb 2014, Smith, Donald wrote:
> I will keep saying this (to us-cert and anyone else that will listen).
> get_monlist1 amounts to 1/100 of the queries. I probably need to see how
> much of the reflection it provides but that is hard to do in netflow (or
> at least I haven't thought of a good way to do that yet).

That's the problem. All the examples I've seen for "how to test an IP to
see if it's open to being used in NTP reflection attacks" use ntpdc -c
monlist <IP>. It hadn't occurred to me to try other commands.

For the customer host in question, I found its responses were
inconsistent. It never responds to monlist, but does sometimes respond to
other commands. I probed it from two different sources (one on our
network, one off-net). Tested from my desktop, sometimes it would reply,
sometimes time out (for the same command). Tested from off-net, some
commands that gave replies from the first source never responded, but some
commands still did respond.

I guess the bottom line is, we didn't check it well enough, thought they'd
secured it, but they obviously have not.

----------------------------------------------------------------------
Jon Lewis, MCP :) | I route
| therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
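
The check described in the message above, as an added example that is not part of the original post: instead of judging a host on monlist alone, classify every reply captured from it by NTP mode and request code, and treat any mode 6 or mode 7 response from any vantage point as "still open". The header layout follows the ntpd reference implementation; the vantage names, helper functions and sample payloads are constructed for illustration.

```python
from collections import defaultdict

# Mode 7 (ntpdc) request codes for the two monlist variants in ntpd's
# ntp_request.h: REQ_MON_GETLIST = 20, REQ_MON_GETLIST_1 = 42.
MONLIST_CODES = {20, 42}

def parse_reply(payload):
    """Return (mode, code) for a mode 6/7 *response*, else None."""
    if len(payload) < 8:
        return None
    mode = payload[0] & 0x07
    # Mode 7: byte0 = R|M|VN|Mode, byte3 = request code.
    if mode == 7 and payload[0] & 0x80:
        return (7, payload[3])
    # Mode 6: byte0 = LI|VN|Mode, byte1 = R|E|M|opcode(5 bits).
    if mode == 6 and payload[1] & 0x80:
        return (6, payload[1] & 0x1F)
    return None  # ordinary time reply (mode 4), a request, or junk

def summarize(observations):
    """observations: (vantage, payload or None on timeout) per probe attempt."""
    answered = defaultdict(set)
    for vantage, payload in observations:
        parsed = parse_reply(payload or b"")
        if parsed:
            answered[parsed].add(vantage)
    monlist = any(m == 7 and c in MONLIST_CODES for m, c in answered)
    return {"open": bool(answered), "monlist_answered": monlist,
            "answered": {k: sorted(v) for k, v in answered.items()}}

# Constructed helpers that build minimal response packets for the sample.
def m7(code, body=b"\x00" * 32):
    return bytes([0x97, 0x00, 0x03, code]) + b"\x00\x01\x00\x20" + body

def m6(opcode, body=b"x" * 16):
    return bytes([0x16, 0x80 | opcode]) + b"\x00" * 10 + body

# Constructed sample: monlist always times out, other queries answer
# intermittently and differently per vantage point.
SAMPLE = [
    ("on-net", None), ("off-net", None),   # monlist attempts: no reply
    ("on-net", m7(0)), ("on-net", None),   # same mode 7 query: reply, then timeout
    ("off-net", None),                     # that query never answers off-net
    ("on-net", m6(2)), ("off-net", m6(2)), # mode 6 query answers from both
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Feed it payloads extracted from a packet capture of repeated probes; a single timeout proves nothing, so the verdict is "closed" only when no attempt from any source ever draws a mode 6 or mode 7 response.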