IRecently hackers have been exploiting a hole in the default Linux NTP (Network Time Server) to perform denial of service attacks. Your PBX or other internal servers use this service to display the correct time on your phones or other devices. You are susceptible to this attack if you have port 123 UDP open to the internet forwarded to an internal server.
This PC World article will explain it better than I ever could…
So how do you fix it? Here’s where I’m going to get technical, if you’re not technical get someone who is to read this article. You can reconfigure your NTP server in one or more of these ways:
If you don’t mean to run a public NTP server, we recommend #1 and #2. If you do mean to run a public NTP server, we recommend #1, and also that you rate-limit responses to individual source IP addresses — silently discarding those that exceed a low number, such as one request per IP address per second. Rate-limit functionality is built into many recently-released NTP daemons, including ntpd, but needs to be enabled; it would help with different types of attacks than this one.
Fixing open NTP servers is important; with the 400x+ amplification factor of NTP DRDoS attacks — one 40-byte-long request usually generates 18252 bytes worth of response traffic — it only takes one machine on an unfiltered 1 Gbps link to create a 450+ Gbps attack!
Comments