NetBSD ntpd Query Function Lets Remote Users Conduct Amplified Denial of Service Attacks
SecurityTracker Alert ID: 1029565
SecurityTracker URL: http://securitytracker.com/id/1029565
Date: Jan 8 2014
Denial of service via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 5.1, 5.2, 6.0, 6.1
A vulnerability was reported in NetBSD. A remote user can conduct amplified denial of service attacks.
A remote user can exploit an administrative query function (monlist) in ntpd to amplify distributed denial of service (DDoS) attacks against other sites.
Erik Fair reported this vulnerability.
A remote user can conduct amplified denial of service attacks against other sites.
The vendor has issued a fix (that removes the vulnerable function).
The vendor's advisory is available at:
Vendor URL: ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-002.txt.asc
Source Message Contents
Subject: NetBSD Security Advisory 2014-002: ntpd used as DDoS amplifier
NetBSD Security Advisory 2014-002
Topic: ntpd used as DDoS amplifier
Version: NetBSD-current: source prior to Dec 27th, 2013
NetBSD 6.1: affected
NetBSD 6.0 - 6.0.2: affected
NetBSD 5.1 - 5.1.2: affected
NetBSD 5.2: affected
Severity: DDoS participation
Fixed: NetBSD-current: Dec 27th, 2013
NetBSD-6-0 branch: Jan 6th, 2014
NetBSD-6-1 branch: Jan 6th, 2014
NetBSD-6 branch: Jan 6th, 2014
NetBSD-5-2 branch: Jan 6th, 2014
NetBSD-5-1 branch: Jan 6th, 2014
NetBSD-5 branch: Jan 6th, 2014
Teeny versions released later than the fix date will contain the fix.
Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.
An administrative query function is being used by attackers to turn
ntp servers into traffic amplifiers. The new version no longer offers
this query option.
The monlist function, which is available in ntp prior to 4.2.7 to
requestors who are allowed to 'query', yields potentially sizeable
traffic in response to a small query packet, and can thus be used
for amplification attacks.
Solutions and Workarounds
In ntp.conf, setting 'restrict default noquery' will prevent
amplification to random targets (the remaining targets would
be those allowed to query by their own restrict entries).
Note that this setting does not disallow time synchronization,
but instead querying for the list of peers and other administrative
and informative data. See /usr/share/doc/html/ntp/accopt.html
for information on ntpd access control configuration options.
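The following script is an added example (not part of the advisory or of NetBSD's code) that audits an ntp.conf for the workaround above: it parses the 'restrict' lines and reports which sources may still send administrative queries such as monlist, treating a missing 'restrict default' as fully open. The two sample configurations are constructed for illustration.

```python
"""Audit an ntp.conf for the advisory's workaround: every 'restrict default'
entry must carry 'noquery' (or 'ignore') so monlist is refused from arbitrary
sources. Added example, not NetBSD code; the sample configs are constructed."""

DENY_QUERY = {"noquery", "ignore"}   # either flag makes ntpd refuse queries

def parse_restrict(conf_text):
    """Yield (target, flags) per 'restrict' line; comments, the optional
    -4/-6 address-family flag and any 'mask <netmask>' pair are skipped."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        rest = tokens[2:] if tokens[1] in ("-4", "-6", "ipv4", "ipv6") else tokens[1:]
        if not rest:
            continue
        target, flags = rest.pop(0), set()
        while rest:
            tok = rest.pop(0)
            if tok == "mask":
                rest = rest[1:]          # drop the netmask value
            else:
                flags.add(tok)
        yield target, flags

def query_open_sources(conf_text):
    """Targets still allowed to query. No 'restrict default' line means ntpd
    answers everyone, so 'default' is reported in that case as well."""
    open_sources, saw_default = [], False
    for target, flags in parse_restrict(conf_text):
        saw_default |= target == "default"
        if not flags & DENY_QUERY:
            open_sources.append(target)
    return open_sources if saw_default else ["default"] + open_sources

def monlist_amplifiable(conf_text):
    """True when arbitrary sources may query, i.e. the advisory's scenario."""
    return "default" in query_open_sources(conf_text)

WEAK_CONF = """# constructed sample: arbitrary sources may still query
restrict default nomodify notrap
restrict 127.0.0.1
"""

FIXED_CONF = """# constructed sample: workaround from the advisory applied
restrict default nomodify notrap noquery
restrict -6 default nomodify notrap noquery
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
"""
```

A plain 'restrict default' is applied by ntpd to both address families, so the script does not track IPv4 and IPv6 defaults separately.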
Update the ntpd binary so it no longer offers the abused function,
and update ntp.conf so it offers less attack surface.
ntpd source: update to
netbsd-6 src/external/bsd/ntp/dist/ntpd/ntp_request.c 18.104.22.168
netbsd-6-1 src/external/bsd/ntp/dist/ntpd/ntp_request.c 22.214.171.124
netbsd-6-0 src/external/bsd/ntp/dist/ntpd/ntp_request.c 126.96.36.199
netbsd-5 src/dist/ntp/ntpd/ntp_request.c 188.8.131.52
netbsd-5-2 src/dist/ntp/ntpd/ntp_request.c 184.108.40.206.6.1
netbsd-5-1 src/dist/ntp/ntpd/ntp_request.c 220.127.116.11.2.1
default configuration file update:
HEAD src/etc/ntp.conf 1.18
netbsd-6 src/etc/ntp.conf 18.104.22.168
netbsd-6-1 src/etc/ntp.conf 22.214.171.124
netbsd-6-0 src/etc/ntp.conf 126.96.36.199
netbsd-5 src/etc/ntp.conf 188.8.131.52
netbsd-5-2 src/etc/ntp.conf 184.108.40.206
netbsd-5-1 src/etc/ntp.conf 220.127.116.11
Thanks to Erik Fair for bringing the issue to our attention and
suggesting a fix.
2014-01-07 Initial release
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2014-002.txt,v 1.2 2014/01/07 21:04:33 tonnerre Exp $