Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 2 Jan 2014 18:36:07 +0100
From: Moritz Muehlenhoff <jmm@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE to the ntp monlist DDoS issue?

On Mon, Dec 30, 2013 at 11:40:37PM +0100, Florian Weimer wrote:
> * Moritz Muehlenhoff:
> 
> > On Mon, Dec 30, 2013 at 09:05:56AM -0500, cve-assign@...re.org wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >> 
> >> > Has anyone thought about assigning a CVE to this?
> >> 
> >> http://bugs.ntp.org/show_bug.cgi?id=1532 was assigned CVE-2013-5211.
> >
> > Shouldn't this rather be CVE-2010-XXXX ?
> 
> I don't think this was previously discussed as a security issue in
> public.  There is a 2011 reference here that explicitly cites
> amplification factors, though:
> 
> <http://lists.ntp.org/pipermail/pool/2011-December/005616.html>
> 
> This has an odd feeling of déjà vu to me, but I suspect the previous
> discusssions have been on private channels of which I no longer have
> records.

This blog posting from 2010 already describes the attack:
https://www.securepla.net/using-ntp-to-enumerate-client-ips/

| ADDITIONAL ATTACKS
| HD Moore also discussed that he had figured out a way to DDoS a
| system using NTP with very minimal requests.  Although he has not
| released data on this type of DDoS, we put our heads together here
| on what the attack could be.  When you make a monlist request, you
| send 1 udp packet to the NTP server and 600+ responses are returned.
| We think that using this request against all the NTP servers and
| peers, you could send hundreds of thousands of UDP packets to a
| victim with minimal request packets.  By spoofing the source address
| and requesting monlists repetitively, all responses from those NTP
| servers will be forwarded to the victim.

Cheers,
        Moritz

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ