DDoS Attacks Exploiting Vulnerability in Network Time Protocol, Call The Doctor

Attackers are exploiting a weakness in the Network Time Protocol (NTP) to mount distributed denial-of-service (DDoS) attacks. NTP syncs time between machines on a network and runs over UDP port 123. Because UDP involves no handshake, an attacker can send a small query with the victim’s address forged as the source, and the NTP server reflects its much larger reply at the victim. NTP is typically configured once by network administrators and then left alone, according to Symantec, which has seen a major jump in attacks via the protocol over the past few weeks. Unfortunately Dr Who cannot help you.

The current attacks abuse the “monlist” command in older versions of ntpd, the reference NTP implementation. monlist is a debugging feature that returns the addresses of up to 600 recent clients, so an eight-byte request can draw a reply hundreds of times larger, spread across many packets, all of which land on the spoofed victim. Organisations should update NTP to version 4.2.7 (specifically 4.2.7p26 or later, the release in which monlist was removed). Where an older version has to stay, disable monlist with the “disable monitor” directive in ntp.conf, or stop ntpd answering queries from the Internet altogether with a “noquery” default restriction, and then verify from outside your network that the server no longer responds.
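The Python below is an added example, not code from the original post or from ITC, that puts the two paragraphs above into something you can run: it builds the eight-byte mode 7 monlist probe, decodes reply packets to work out the amplification the server would give an attacker, and audits an ntp.conf for the two fixes (“disable monitor”, or “noquery” on every default restriction). The mode 7 header layout, the implementation and request codes, and the ntp.conf directives are the real ntpd ones; the sample configurations, the constructed reply packet and the host name in the usage line are assumptions made for the demonstration. Only probe servers you are authorised to test.

```python
# Added example (not ITC's code): NTP monlist reflection probe and ntp.conf audit.
import socket
import struct

# NTP mode 7 ("private") header, as laid out in ntpd's ntp_request.h:
#   byte 0: R(1) M(1) VN(3) Mode(3)   -> request 0x17 = version 2, mode 7
#   byte 1: Auth(1) Seq(7)
#   byte 2: implementation number     -> 3 = IMPL_XNTPD (ntpd)
#   byte 3: request code              -> 42 = REQ_MON_GETLIST_1 ("monlist")
#   bytes 4-5: Err(4) NItems(12)      bytes 6-7: MBZ(4) Size(12)
MODE7_HDR = "!BBBBHH"
IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 42
MONLIST_1_ITEM_SIZE = 72  # sizeof(struct info_monitor_1), one entry per recent client


def build_monlist_request() -> bytes:
    """The 8-byte probe that draws the full client list from a vulnerable ntpd."""
    return struct.pack(MODE7_HDR, 0x17, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_response(packet: bytes) -> dict:
    """Decode a mode 7 header into the fields needed to judge a reflection."""
    if len(packet) < 8:
        raise ValueError("too short for a mode 7 header")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_size = struct.unpack(MODE7_HDR, packet[:8])
    if rm_vn_mode & 0x07 != 7:
        raise ValueError("not an NTP mode 7 packet")
    return {
        "is_response": bool(rm_vn_mode & 0x80),
        "more": bool(rm_vn_mode & 0x40),   # further reply packets follow
        "implementation": impl,
        "request_code": req,
        "error": err_nitems >> 12,         # non-zero: the server refused the request
        "item_count": err_nitems & 0x0FFF,
        "item_size": mbz_size & 0x0FFF,
        "payload_bytes": len(packet) - 8,
    }


def amplification_factor(request: bytes, replies: list) -> float:
    """Bytes the victim receives per byte the attacker has to send."""
    return sum(len(r) for r in replies) / len(request)


def probe_monlist(host: str, port: int = 123, timeout: float = 2.0, max_packets: int = 100) -> list:
    """Send one monlist request and collect the reply packets (network I/O; not run offline).
    No reply, or one small reply with a non-zero error, means the server will not reflect."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_monlist_request(), (host, port))
        try:
            while len(replies) < max_packets:
                data, _ = sock.recvfrom(1024)
                replies.append(data)
                if not parse_mode7_response(data)["more"]:
                    break
        except socket.timeout:
            pass
    return replies


def constructed_monlist_reply(entries: int = 6, more: bool = False) -> bytes:
    """A constructed reply of the shape a vulnerable ntpd sends: header plus zeroed items."""
    hdr_byte = 0x97 | (0x40 if more else 0)  # response bit set, version 2, mode 7
    header = struct.pack(MODE7_HDR, hdr_byte, 0, IMPL_XNTPD, REQ_MON_GETLIST_1,
                         entries, MONLIST_1_ITEM_SIZE)
    return header + bytes(entries * MONLIST_1_ITEM_SIZE)


def ntp_conf_allows_monlist(conf_text: str) -> bool:
    """Rough ntp.conf audit: monlist is blocked if the monitor facility is disabled or
    every 'restrict default' line carries noquery. A later 'enable monitor' is not tracked."""
    monitor_disabled = False
    default_restricts = []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "disable" and "monitor" in words[1:]:
            monitor_disabled = True
        elif words[0] == "restrict" and "default" in words[1:3]:  # also 'restrict -4 default'
            default_restricts.append(words)
    default_noquery = bool(default_restricts) and all("noquery" in w for w in default_restricts)
    return not (monitor_disabled or default_noquery)


# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer   # no noquery: anyone may run monlist
restrict 127.0.0.1
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
disable monitor                               # removes the monlist data entirely
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python ntp_monlist.py ntp.example.com (hypothetical host)
        replies = probe_monlist(sys.argv[1])
    else:
        replies = [constructed_monlist_reply(6, more=True)]
    print(len(replies), "reply packet(s), amplification",
          amplification_factor(build_monlist_request(), replies))
    print("weak conf allows monlist:", ntp_conf_allows_monlist(WEAK_CONF))
    print("hardened conf allows monlist:", ntp_conf_allows_monlist(HARDENED_CONF))
```

Judge a server by the amplification factor rather than by whether it answers at all: a patched ntpd may still return a short error reply, which is harmless, whereas a vulnerable one returns up to 100 packets of six entries each in response to a single request. The audit function is deliberately conservative, so a configuration that blocks monlist only through per-network restrict lines will still be reported as allowing it.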

The link below provides useful information about the NTP reflection attack. Internet Storm Center: https://isc.sans.edu/diary/NTP+reflection+attack/17300


This type of issue shows how important vulnerability management is to securing your network. Many companies have taken on board the need to patch their systems regularly, but many only apply operating system patches and patches for a few high-profile applications such as those from Adobe and Microsoft. Infrastructure services like NTP, configured once and then forgotten, stay unpatched, which leaves attack vectors open for cyber criminals or insiders to compromise your infrastructure.

The extract below is from the SANS Critical Controls for Effective Cyber Defense, Critical Control 4, which places vulnerability management among the highest-priority controls to put in place. The controls above it, 1 through 3, cover identifying which devices and software are connected to your network and hardening them.

SANS Critical Security Control 4 Continuous Vulnerability Assessment and Remediation

Soon after new vulnerabilities are discovered and reported by security researchers or vendors, attackers engineer exploit code and then launch that code against targets of interest. Any significant delays in finding or fixing software with dangerous vulnerabilities provide ample opportunity for persistent attackers to break through, gaining control over the vulnerable machines and getting access to the sensitive data they contain. Organizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their computer systems compromised. Vulnerabilities must also be tied to threat intelligence and be properly prioritised.

As vulnerability scans become more common, attackers are utilising them as a point of exploitation. It is important to carefully control authenticated vulnerability scans and the associated administrator account. Attackers will take over one machine with local privileges, and wait for an authenticated scan to occur against the machine. When the scanner logs in with domain admin privileges, the attacker either grabs the token of the logged-in scanning tool, or sniffs the challenge response and cracks it. Either way, the attacker then can pivot anywhere else in the organisation as domain administrator.

ITC Secure Networking can help with our NetSure360⁰ Managed Security Services and our 5 steps to securing your IT infrastructure. We have:

  • Over 15 (Earth) years’ experience delivering managed network and security solutions
  • Integrated best of breed technology solutions
  • Certified security staff
  • Sonic screwdrivers

Contact ITC at [email protected] to discuss how we provide this solution in our NetSure360⁰ Security, Performance and Network Management platform.