Category:   OS (UNIX)  >   NetBSD Vendors:   NetBSD
NetBSD ntpd Query Function Lets Remote Users Conduct Amplified Denial of Service Attacks
SecurityTracker Alert ID:  1029565
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 8 2014
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.1, 5.2, 6.0, 6.1
Description:   A vulnerability was reported in NetBSD. A remote user can conduct amplified denial of service attacks.

A remote user can exploit an administrative query function (monlist) in ntpd to amplify distributed denial of service (DDoS) attacks against other sites.

Erik Fair reported this vulnerability.

Impact:   A remote user can conduct amplified denial of service attacks against other sites.
Solution:   The vendor has issued a fix (that removes the vulnerable function).

The vendor's advisory is available at:

Vendor URL:
Cause:   Not specified

Message History:   None.

 Source Message Contents

Subject:  NetBSD Security Advisory 2014-002: ntpd used as DDoS amplifier


		NetBSD Security Advisory 2014-002

Topic:		ntpd used as DDoS amplifier

Version:	NetBSD-current:		source prior to Dec 27th, 2013
		NetBSD 6.1:		affected
		NetBSD 6.0 - 6.0.2:	affected
		NetBSD 5.1 - 5.1.2:	affected
		NetBSD 5.2:		affected

Severity:	DDoS participation

Fixed:		NetBSD-current:		Dec 27th, 2013
		NetBSD-6-0 branch:	Jan 6th, 2014
		NetBSD-6-1 branch:	Jan 6th, 2014
		NetBSD-6 branch:	Jan 6th, 2014
		NetBSD-5-2 branch:	Jan 6th, 2014
		NetBSD-5-1 branch:	Jan 6th, 2014
		NetBSD-5 branch:	Jan 6th, 2014

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


An administrative query function (monlist) is being used by
attackers to turn ntp servers into traffic amplifiers.
The new version no longer offers this query option.

Technical Details

The monlist function, which is available in ntp prior to 4.2.7 to
requestors who are allowed to 'query', yields a potentially sizeable
response to a small query packet, and can thus be used for
amplification attacks: the attacker spoofs the victim's source address,
and the server's large reply is delivered to the victim.

Solutions and Workarounds

In ntp.conf, setting 'restrict default noquery' will prevent
amplification toward arbitrary targets (the remaining targets would
be those still allowed to query by their own, more specific restrict
entries).

Note that this setting does not disallow time synchronization,
but instead querying for the list of peers and other administrative
and informative data. See /usr/share/doc/html/ntp/accopt.html
for information on ntpd access control configuration options.
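The following audit script is an added example and is not part of the NetBSD advisory or of ntpd itself. It parses the 'restrict' lines of an ntp.conf the way the advisory describes them: a 'default' entry without 'noquery' leaves the administrative query interface open to everyone, and any more specific entry without 'noquery' names a source that can still query. Both configuration samples below are constructed for illustration; the address family flags, 'mask' keyword and the 'kod', 'nomodify', 'notrap' and 'nopeer' flags are standard ntpd restrict options, but the specific networks are placeholders.

```python
"""Audit an ntp.conf for the 'restrict default noquery' mitigation.

Added example (not NetBSD or ntp project code). It reports whether
every 'restrict default' line carries 'noquery' (or 'ignore', which
drops all packets), and which explicit sources are still permitted to
issue administrative queries such as monlist.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RestrictEntry:
    family: str        # "any", "-4" or "-6"
    target: str        # "default", an address, or "address/mask"
    flags: frozenset   # restrict flags attached to this entry


def parse_restrict_lines(conf_text: str) -> list:
    """Return the restrict entries of an ntp.conf, comments stripped."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        tokens = line.split()
        if not tokens or tokens[0] != "restrict":
            continue
        rest = tokens[1:]
        family = "any"
        if rest and rest[0] in ("-4", "-6"):  # optional address family
            family, rest = rest[0], rest[1:]
        if not rest:
            continue
        target, flags = rest[0], []
        i = 1
        while i < len(rest):
            if rest[i] == "mask" and i + 1 < len(rest):
                target = f"{target}/{rest[i + 1]}"  # fold 'mask X' into target
                i += 2
            else:
                flags.append(rest[i])
                i += 1
        entries.append(RestrictEntry(family, target, frozenset(flags)))
    return entries


def audit_noquery(conf_text: str) -> dict:
    """Summarise whether the advisory's workaround is in effect."""
    entries = parse_restrict_lines(conf_text)
    defaults = [e for e in entries if e.target == "default"]
    closed = {"noquery", "ignore"}
    # No default line at all means the default policy allows queries.
    default_noquery = bool(defaults) and all(e.flags & closed for e in defaults)
    query_allowed_from = [
        e.target for e in entries
        if e.target != "default" and not (e.flags & closed)
    ]
    return {
        "default_noquery": default_noquery,
        "query_allowed_from": query_allowed_from,
    }


# Constructed sample: pre-fix style, no default restriction at all.
WEAK_CONF = """\
server 0.pool.ntp.example   # placeholder upstream server
restrict 127.0.0.1
"""

# Constructed sample: the advisory's workaround applied to both families,
# with one placeholder management network still allowed to query.
HARDENED_CONF = """\
server 0.pool.ntp.example   # placeholder upstream server
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_noquery(conf))
```

Run against a real /etc/ntp.conf by reading the file into a string and passing it to audit_noquery(); a result with default_noquery False means the advisory's workaround is not applied, and the query_allowed_from list is the set of sources that should be reviewed one by one, as the advisory notes that those remain able to query.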

The fix consists of updating the ntpd binary so that it no longer offers
the abused function, and updating ntp.conf so that it exposes less attack
surface.

ntpd source: update to
HEAD		src/external/bsd/ntp/dist/ntpd/ntp_request.c
netbsd-6	src/external/bsd/ntp/dist/ntpd/ntp_request.c
netbsd-6-1	src/external/bsd/ntp/dist/ntpd/ntp_request.c
netbsd-6-0	src/external/bsd/ntp/dist/ntpd/ntp_request.c
netbsd-5	src/dist/ntp/ntpd/ntp_request.c
netbsd-5-2	src/dist/ntp/ntpd/ntp_request.c
netbsd-5-1	src/dist/ntp/ntpd/ntp_request.c

default configuration file update:
HEAD		src/etc/ntp.conf 1.18
netbsd-6	src/etc/ntp.conf
netbsd-6-1	src/etc/ntp.conf
netbsd-6-0	src/etc/ntp.conf
netbsd-5	src/etc/ntp.conf
netbsd-5-2	src/etc/ntp.conf
netbsd-5-1	src/etc/ntp.conf

Thanks To

Thanks to Erik Fair for bringing the issue to our attention and
suggesting a fix.

Revision History

	2014-01-07	Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and .

Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2014-002.txt,v 1.2 2014/01/07 21:04:33 tonnerre Exp $


