NTP Patches Flaws That Enable DDoS

The network time protocol was updated to ntp-4.2.8p8, patching a handful of vulnerabilities that can be leveraged in DDoS attacks.

The network time protocol, at the center of a number of high-profile DDoS attacks in 2014, was updated on Thursday to ntp-4.2.8p8. The latest version includes patches for five vulnerabilities, including one rated high-severity.

NTP, specifically the NTP daemon, synchronizes system clocks with time servers.

Vulnerable NTP servers were used two years ago with regular frequency to carry out amplification attacks against targets. High-bandwidth NTP-based DDoS attacks skyrocketed as attackers used vulnerable NTP implementations to amplify DDoS attacks much in the way DNS amplification has been used in the past. Some NTP amplification attacks reached 400 Gbps in severity, enough to bring down even some of the better protected online services.

US-CERT today released a vulnerability notification about the latest set of NTP vulnerabilities.

“Exploitation of one of these vulnerabilities may allow a remote attacker to cause a denial-of-service condition,” the US-CERT advisory said.

US-CERT also published a list vendors potentially vulnerable to attack; as of this afternoon, only the NTP project’s ntpd implementation is known to be affected. The status of the remainder of the A-Z list of vendors is characterized as unknown.

“Unauthenticated, remote attackers may be able to spoof or send specially crafted packets to create denial of service conditions,” US-CERT said.

One of the vulnerabilities, privately reported by Cisco, is a crypto-NAK crash or denial-of-service bug. Crypto-NAK responses are sent by NTP servers if a server and client do not agree on a message authentication code.

The four remaining flaws were disclosed by Red Hat researchers. One is related to the crypto-NAK issue.

“An attacker who knows the origin timestamp and can send a spoofed packet containing a CRYPTO-NAK to an ephemeral peer target before any other response is sent can demobilize that association,” an NTP.org bug report says.

Another patch corrects a flaw where spoofed server packets were processed.

“An attacker who is able to spoof packets with correct origin timestamps from enough servers before the expected response packets arrive at the target machine can affect some peer variables and, for example, cause a false leap indication to be set,” said the bug report.

An autokey association reset flaw was also patched. Here an attacker who spoofs a packet with a correct origin timestamp before the response arrives can send a crypto-NAK or bad MAC and cause an association’s peer variables to be cleared, eventually preventing it from working correctly.

The final vulnerability addressed is an issue where broadcast clients may be flipped into interleave mode.

Suggested articles