Vulnerability Note VU#348126
NTP can be abused to amplify denial-of-service attack traffic
NTP and other UDP-based protocols can be used to amplify denial-of-service attacks. Servers running the network time protocol (NTP) based on implementations of ntpd prior to version 4.2.7p26 that use the default unrestricted query configuration are susceptible to a reflected denial-of-service (DRDoS) attack. Other proprietary NTP implementations may also be affected. This is similar in scope to DNS Amplification Attacks.
In a reflected denial-of-service attack, the attacker spoofs the source address of its requests to the NTP server so that it carries the target's address; the server then sends its replies to the target instead of the attacker. Certain NTP control messages produce replies far larger than the request that triggers them, providing significant bandwidth amplification factors (BAF).
An unauthenticated remote attacker may leverage the vulnerable NTP server to conduct a distributed reflective denial-of-service (DRDoS) attack on another user.
Apply an Update
Check if the amplified responses are enabled
IPv6: restrict -6 default kod nomodify notrap nopeer noquery
Please note that a restart of the ntpd service is required for changes to take effect.
It is also possible to restrict access per network segment (line 3; modify the address and netmask to match your LAN settings) and per host (line 4):
restrict 192.168.0.0 netmask 255.255.0.0
Please also note that the ntpq/ntpdc query capabilities provide useful Q/A and debugging information; disabling these queries comes with a cost.
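As an added example (not part of the CERT note), the POSIX shell audit below checks whether an ntp.conf carries a default restrict line with noquery for both IPv4 and IPv6, as recommended above; the file paths and the two sample configurations are constructed for the demonstration.

```shell
# Added example, not from the CERT note: audit an ntp.conf for the
# "restrict default ... noquery" lines it recommends. Sample configs and
# their paths below are constructed for this demonstration.

# Print the flags on the "restrict default" line for IPv4 ($2=4) or the
# "restrict -6 default" line for IPv6 ($2=6), ignoring comments.
restrict_default_flags() {
    sed -e 's/#.*$//' "$1" | awk -v fam="$2" '
        $1 == "restrict" && $2 == "default" && fam == "4" { for (i = 3; i <= NF; i++) print $i }
        $1 == "restrict" && $2 == "-4" && $3 == "default" && fam == "4" { for (i = 4; i <= NF; i++) print $i }
        $1 == "restrict" && $2 == "-6" && $3 == "default" && fam == "6" { for (i = 4; i <= NF; i++) print $i }'
}

# Returns 0 when that family's default restrict line carries noquery, so
# ntpq/ntpdc control queries from arbitrary hosts are refused; 1 otherwise.
ntp_queries_restricted() {
    restrict_default_flags "$1" "$2" | grep -qx noquery
}

# Report both address families; return 0 only when both are restricted.
audit_ntp_conf() {
    rc=0
    for fam in 4 6; do
        if ntp_queries_restricted "$1" "$fam"; then
            echo "IPv$fam: default restrict line has noquery (ok)"
        else
            echo "IPv$fam: no 'restrict default ... noquery' line (queries answered for anyone)"
            rc=1
        fi
    done
    return $rc
}

WEAK=${TMPDIR:-/tmp}/ntp-weak.conf            # constructed: default unrestricted queries
HARDENED=${TMPDIR:-/tmp}/ntp-hardened.conf    # constructed: the note's restrict lines
cat > "$WEAK" <<'EOF'
server ntp.example.net
driftfile /var/lib/ntp/ntp.drift
EOF
cat > "$HARDENED" <<'EOF'
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1      # the local host may still query
restrict -6 ::1
server ntp.example.net
EOF
for f in "$WEAK" "$HARDENED"; do
    echo "== $f"
    if audit_ntp_conf "$f"; then echo "verdict: hardened"; else echo "verdict: exposed"; fi
done
```

Remember that ntpd must be restarted after the configuration changes for the audit result to reflect the running service.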
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
| --- | --- | --- | --- |
| Cisco Systems, Inc. | Affected | 17 Sep 2013 | 17 Sep 2013 |
| Hewlett-Packard Company | Affected | - | 14 Jan 2014 |
| Meinberg Funkuhren GmbH & Co. KG | Affected | 07 Oct 2013 | 14 Jan 2014 |
| Network Time Protocol | Affected | 16 Sep 2013 | 17 Sep 2013 |
| Juniper Networks, Inc. | Unknown | 07 Oct 2013 | 07 Oct 2013 |
CVSS Metrics
Thanks to Christian Rossow for reporting this vulnerability.
This document was written by Michael Orlando.
- CVE IDs: CVE-2013-5211
- Date Public: 02 Jan 2014
- Date First Published: 10 Jan 2014
- Date Last Updated: 05 Mar 2014
- Document Revision: 77