Date: Thu, 2 Jan 2014 18:36:07 +0100 From: Moritz Muehlenhoff <jmm@...ian.org> To: oss-security@...ts.openwall.com Subject: Re: Re: CVE to the ntp monlist DDoS issue? On Mon, Dec 30, 2013 at 11:40:37PM +0100, Florian Weimer wrote: > * Moritz Muehlenhoff: > > > On Mon, Dec 30, 2013 at 09:05:56AM -0500, cve-assign@...re.org wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> > Has anyone thought about assigning a CVE to this? > >> > >> http://bugs.ntp.org/show_bug.cgi?id=1532 was assigned CVE-2013-5211. > > > > Shouldn't this rather be CVE-2010-XXXX ? > > I don't think this was previously discussed as a security issue in > public. There is a 2011 reference here that explicitly cites > amplification factors, though: > > <http://lists.ntp.org/pipermail/pool/2011-December/005616.html> > > This has an odd feeling of déjà vu to me, but I suspect the previous > discusssions have been on private channels of which I no longer have > records. This blog posting from 2010 already describes the attack: https://www.securepla.net/using-ntp-to-enumerate-client-ips/ | ADDITIONAL ATTACKS | HD Moore also discussed that he had figured out a way to DDoS a | system using NTP with very minimal requests. Although he has not | released data on this type of DDoS, we put our heads together here | on what the attack could be. When you make a monlist request, you | send 1 udp packet to the NTP server and 600+ responses are returned. | We think that using this request against all the NTP servers and | peers, you could send hundreds of thousands of UDP packets to a | victim with minimal request packets. By spoofing the source address | and requesting monlists repetitively, all responses from those NTP | servers will be forwarded to the victim. Cheers, Moritz
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ