[LACNIC/Seguridad] Fwd: OpenNTPProject.org

Arturo Servin arturo.servin at gmail.com
Mon Jan 13 19:56:35 BRST 2014


More on NTP servers.

Regards
as


---------- Forwarded message ----------
From: Jared Mauch <jared at puck.nether.net>
Date: Mon, Jan 13, 2014 at 1:07 PM
Subject: OpenNTPProject.org
To: NANOG list <nanog at nanog.org>


Greetings,

With the recent increase in NTP attacks, I wanted to advise the
community of a few things:

There are about 1.2-1.5 million of these servers out there.

1) You can search your IP space to find NTP servers that respond to
the ‘MONLIST’ queries.

2) I’ve found some vendors have old embedded versions of NTP including
ILO/Service Processors and other parts of the “internet of things”.

3) You want to upgrade NTP, or adjust your ntp.conf to include
‘limited’ or ‘restrict’ lines or both.  (I defer to someone else to be
an expert in this area, but am willing to learn :) )

4) Please prevent packet spoofing where possible on your network.
This will limit the impact of spoofed NTP or DNS (amongst others)
packets from impacting the broader community.

5) Some vendors don’t have an easy way to alter the ntp configuration,
or have not or won’t be updating NTP; you may need to use ACLs,
firewall filters, or other methods to block this traffic.  I’ve heard
of many routers being used in attacks impacting the CPU usage.

Take a moment and see if your devices respond to the following query/queries:

ntpdc -n -c monlist 10.0.0.1
ntpdc -n -c loopinfo 10.0.0.1
ntpdc -n -c iostats 10.0.0.1

6) If you do VMs/Servers and have a template, please make sure that
they do not respond to NTP requests.

Thanks!

- Jared