CIO

Open source bugs could give hackers new attack tool

  • Liam Tung (CSO Online)
  • 22 October, 2015 09:13

The group behind the internet's clock has warned that bugs in its widely-used protocol could allow hackers to launch traffic attacks on targets.

Multiple bugs have been found in NTP, or Network Time Protocol, which hackers have in the past abused to launch massively amplified traffic attacks on websites and could do so again thanks to multiple security flaws in the protocol.

The NTP Project, which is responsible for the protocol, on Wednesday “strongly urged” NTP users to upgrade to “ntp-4.2.8p4”, which contains 13 security fixes and over 100 bug fixes.

Though all the security flaws are rated low or medium for users of NTP, the project urged “immediate action to ensure that their NTP daemons [ntpd servers] are not susceptible to use in a distributed denial of service (DDoS) attack”.

Vulnerabilities in NTP servers have enabled some of the largest DDoS attacks on record. Though the protocol is invisible to most computer users, it is widely used on desktops and servers to keep time synchronised between machines on the internet, particularly Mac devices and BSD and Linux servers.

The protocol’s importance was apparent during the June 30 ‘leap second’, when Amazon and Google flagged potential hiccups to customers as they implemented their responses to the one second time adjustment.

NTP grabbed headlines as a security threat in early 2014 after CloudFlare found attackers were using the protocol to amplify DDoS attacks to generate junk traffic against targets at 400Gbps, which at the time was thought to have disrupted major Internet exchange nodes in Europe.

The attack is known as “NTP reflection”, in which an attacker sends a small forged packet that requests a large amount of data to be sent to a target IP address, according to Symantec.

As it notes, attackers were abusing a feature called the “monlist command” to send a small query to generate a larger amount of traffic to a target. The technique became popular in early 2014 but then subsided, probably due to efforts to cull public “ntpd” (NTP daemon) servers that could be abused and users upgrading vulnerable instances.
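As an added example (not part of the article or of the NTP Project's code), here is a small Python audit of an ntp.conf that reports whether the monlist query is still reachable by arbitrary clients, which is the condition reflection attacks rely on. It assumes classic ntpd syntax, where a `restrict default ... noquery` line (or `disable monitor`) is what closes the exposure, and the sample configurations are constructed.

```python
# Added example: audit an ntp.conf for monlist exposure (defender's check).
# Assumption: classic ntpd syntax; "restrict default ... noquery" or
# "disable monitor" is what stops mode 7 monlist queries from outsiders.

def _directives(conf_text):
    """Yield (keyword, [args]) for each non-comment line of an ntp.conf."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if line:
            parts = line.split()
            yield parts[0], parts[1:]

def monlist_exposed(conf_text):
    """Return (exposed, reason). exposed is True when clients matched only
    by the default restriction could still pull a monlist response."""
    default_flags = []
    for kw, args in _directives(conf_text):
        if kw == "disable" and "monitor" in args:
            return False, "monitor facility disabled, monlist has no data"
        if kw == "restrict":
            # strip an optional address-family selector (-4 / -6)
            args = args[1:] if args and args[0] in ("-4", "-6") else args
            if args and args[0] == "default":
                default_flags.append(set(args[1:]))
    if not default_flags:
        return True, "no 'restrict default' line: all queries are accepted"
    for flags in default_flags:
        if not flags & {"noquery", "ignore"}:
            return True, "'restrict default' lacks noquery"
    return False, "default restriction blocks mode 6/7 queries"

# Constructed sample: a typical pre-2014 distribution default.
WEAK_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

# Constructed sample: the same file hardened against reflection.
HARDENED_CONF = """
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        exposed, reason = monlist_exposed(conf)
        print(f"{name}: exposed={exposed} ({reason})")
```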

Cisco’s security unit Talos found seven of the 13 security bugs fixed in the latest NTP update.

Since mid-2014 the company has evaluated ntpd for security defects as part of its contribution as a member of the Linux Foundation Core Infrastructure Initiative (CII) Steering Group.

In addition to this, certain implementations of Cisco routers and switches have proven attractive to attackers who want to use them in DDoS attacks, as Team Cymru outlined at the time of the attacks on CloudFlare infrastructure.