Monlist enabled NTP service

Application info
Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.

Vulnerability
The monlist feature (a mode 7 "private" query, request code 42, MON_GETLIST_1) in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged requests. This is CVE-2013-5211.

Impact
A monlist query asks the server for the last (up to) 600 hosts that have exchanged packets with it. Because NTP runs over UDP, the attacker forges the source address of the request to be the victim's, so the server sends its response to the victim rather than back to the attacker. The request is a single small datagram while the reply is split across many much larger datagrams, so a small amount of attacker traffic becomes a large amount of traffic aimed at the victim. A server that answers monlist also leaks its full client list to anyone who asks.

Solution
There are several ways of solving this issue; any one of them is sufficient.

1. Update your NTP service to version 4.2.7p26 or later, in which monlist was removed. Distribution packages often carry the fix backported under an older version number, so test the server after updating rather than trusting the version string.
    or
2. Block incoming traffic on UDP port 123. Only do this if the host does not serve time to other machines; a stateful firewall will still pass the replies to the host's own outgoing NTP queries.
    or
3. Disable the monlist command in your NTP service by adding the "noquery" directive to the "restrict default" line in the system's ntp.conf, as shown below. Note that "noquery" refuses all mode 6 and mode 7 queries from remote hosts (including "ntpq -p" run remotely), but does not affect ordinary time requests. Keep the localhost restrict lines so local monitoring still works, and restart ntpd after editing:

  restrict default kod nomodify notrap nopeer noquery

  restrict -6 default kod nomodify notrap nopeer noquery

  restrict 127.0.0.1

  restrict -6 ::1

  If you only want to switch off the monitor list itself, "disable monitor" in ntp.conf does that without blocking other queries.
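To see the amplification mechanism described under Impact and to verify that one of the fixes under Solution actually took effect, the following script, written for this page and not taken from ntpd or the KB, sends the 8-byte monlist probe to a server, collects every datagram that comes back, and reports the byte ratio. The mode 7 packet layout and the 72-byte info_monitor_1 item layout (client IPv4 address at offset 16) follow ntpd's ntp_request.h; the function and variable names are this example's own, and build_fake_response constructs a sample reply so the parser can be exercised offline.

```python
import socket
import struct

# Mode 7 (private) request, version 2, implementation 3 (IMPL_XNTPD),
# request code 42 (REQ_MON_GETLIST_1): the 8-byte "monlist" probe scanners send.
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])
MON_ITEM_SIZE = 72  # sizeof(struct info_monitor_1) in ntpd's ntp_request.h


def parse_mode7_response(pkt):
    """Decode one mode 7 response datagram.

    Returns a dict with the header fields and the IPv4 addresses carried in
    the MON_GETLIST_1 items, or None if the datagram is not a mode 7 response
    to request code 42 (for example the probe itself, or a truncated packet).
    """
    if len(pkt) < 8:
        return None
    flags, _seq, _impl, req, err_count, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    mode = flags & 0x07            # low 3 bits: NTP mode
    is_response = bool(flags & 0x80)
    more = bool(flags & 0x40)      # server has further datagrams for this list
    if mode != 7 or not is_response or req != 0x2A:
        return None
    err = err_count >> 12          # high 4 bits: error code, 0 means success
    count = err_count & 0x0FFF     # low 12 bits: number of items in this datagram
    size = mbz_size & 0x0FFF       # low 12 bits: size of each item
    addrs = []
    if err == 0 and size == MON_ITEM_SIZE:
        body = pkt[8:]
        for i in range(min(count, len(body) // MON_ITEM_SIZE)):
            item = body[i * MON_ITEM_SIZE:(i + 1) * MON_ITEM_SIZE]
            (addr,) = struct.unpack("!I", item[16:20])   # u_int32 addr at offset 16
            addrs.append(socket.inet_ntoa(struct.pack("!I", addr)))
    return {"more": more, "err": err, "count": count, "size": size, "addrs": addrs}


def amplification_factor(request, responses):
    """Bytes returned per byte sent: the number that matters for a reflection DDoS."""
    return sum(len(r) for r in responses) / len(request)


def probe_monlist(host, port=123, timeout=2.0):
    """Send one monlist probe and collect every datagram that arrives before the
    timeout. Only run this against hosts you are authorised to test."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(MONLIST_REQUEST, (host, port))
    responses = []
    try:
        while True:
            data, _ = sock.recvfrom(65535)
            responses.append(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return responses


def build_fake_response(addrs, more=False):
    """Constructed sample datagram in the shape an unpatched ntpd emits, so the
    parser can be run offline; not captured from a real server."""
    flags = 0x80 | (0x40 if more else 0) | (2 << 3) | 7   # response, v2, mode 7
    header = struct.pack("!BBBBHH", flags, 0, 3, 0x2A, len(addrs), MON_ITEM_SIZE)
    items = b""
    for a in addrs:
        item = bytearray(MON_ITEM_SIZE)
        item[16:20] = socket.inet_aton(a)
        items += bytes(item)
    return header + items


if __name__ == "__main__":
    import sys
    responses = probe_monlist(sys.argv[1])
    if not responses:
        print("no monlist response (patched, filtered, or noquery in effect)")
    else:
        seen = []
        for r in responses:
            parsed = parse_mode7_response(r)
            if parsed:
                seen.extend(parsed["addrs"])
        print("VULNERABLE: %d datagrams, %d client addresses, amplification x%.0f"
              % (len(responses), len(seen), amplification_factor(MONLIST_REQUEST, responses)))
```

Run it as `python3 monlist_check.py <server>` from a host outside your network, since "restrict" rules are address based and a check from localhost will not tell you what the internet sees. The same question can be asked with `ntpdc -n -c monlist <server>` (a fixed server answers "Request timed out") or `nmap -sU -p 123 --script ntp-monlist <server>`.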


References
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211
https://www.transip.eu/question/100000699-protect-server-against-amplification-attacks/
https://ntpmonitorscan.shadowserver.org/

General security information
https://my.serverius.net/knowledgebase.php?action=displayarticle&id=70

