One of content delivery network provider Cloudflare’s customers is undergoing a targeted attack with a very big Network Time Protocol (NTP) reflection assault.
While the name of the customer was not immediately available, Cloudflare Chief Executive Matthew Prince said the attack reached the level of over 400 gigabits per second and it probably caused congestion on some peering exchanges (mostly in Europe), that (based on sampled data) it misused just over 4,500 misconfigured NTP servers, and the customer initially wanted to pay with a stolen credit card.
Despite the recommendation issued by US-CERT about updating public-facing NTP servers to a ntpd version that doesn’t allow attackers to use them for NTP amplification attacks, there are still vulnerable ones out there.
“The attack relies on the exploitation of the ‘monlist’ feature of NTP, as described in CVE-2013-5211, which is enabled by default on older NTP-capable devices. This command causes a list of the last 600 IP addresses which connected to the NTP server to be sent to the victim,” US-CERT said.
“Due to the spoofed source address, when the NTP server sends the response it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks,” US-CERT said.
Server administrators can either disable “monlist” within the NTP server or upgrade to the latest NTP version (4.2.7) that does the same thing. If you want to know whether your server(s) are vulnerable, you can use this simple online tool.