NTP DoS reflection attacks (LITNET CERT, English version)
https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
I came across an article that caught my attention, so here is a quick note.
Apparently it is no longer only DNS amplification attacks these days: there are also NTP amplification attacks that abuse public NTP servers as reflectors.
NTP 4.2.7 is said to address this, but CentOS 6.5 currently ships the following version:
ntpq> version
ntpq [email protected] Sat Nov 23 18:21:51 UTC 2013 (1)
There seems to be very little relevant information on this amplification+reflection NTP attack type on the internet. After a little research it turned out that it was utilizing the ‘monlist’ query, which is a built-in monitoring function providing a history of recent NTP clients. During the attack huge amounts of small spoofed 8-byte UDP packets are sent to the vulnerable (or rather “open”) NTP server, which responds with a proper DoS. Currently the best available solution is to update to NTP 4.2.7, in which support for the ‘monlist’ query has been removed in favor of the new safe ‘mrunlist’ function, which uses a nonce value ensuring that the received IP address matches the actual requester. After upgrading our NTP servers the attacks stopped. Even though it’s a tiny little function of NTP, it effectively enabled an attacker to exploit our server. Therefore if you happen to manage a public NTP server this update is highly recommended.
https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
If you run a public NTP server (probably not many of you do), or if the security aspect concerns you, it may be worth considering this update.
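To make the mechanism in the quoted article concrete, here is an added Python example (not code from the original post or from the LITNET CERT article). It builds the 8-byte mode 7 ‘monlist’ request the article refers to, decodes the reply packets a server sends back, lists the client addresses those replies hand out, and measures the resulting amplification ratio. The field layout follows ntpd's ntp_request.h (struct req_pkt and struct info_monitor_1); the client list and the error reply at the bottom are constructed for the example, not captured from a real server.

```python
"""NTP mode 7 'monlist' probe and response decoder.

Added example, not code from the original post or the LITNET CERT article.
Field layout follows ntpd's ntp_request.h (struct req_pkt, struct info_monitor_1).
All sample traffic below is constructed by hand for the example.
"""
import ipaddress
import struct

MODE_PRIVATE = 7          # "private" mode used by ntpdc (mode 6 is ntpq's control mode)
IMPL_XNTPD = 3            # implementation number ntpd answers to
REQ_MON_GETLIST_1 = 42    # request code behind 'monlist'
HEADER_SIZE = 8           # mode 7 header: rm_vn_mode, auth_seq, impl, request, err_nitems, mbz_itemsize
MON_ENTRY_SIZE = 72       # sizeof(struct info_monitor_1)
HEADER_FMT = "!BBBBHH"


def build_monlist_probe(seq=0):
    """The 8-byte request the quoted article describes: version 2, mode 7, code 42."""
    rm_vn_mode = (2 << 3) | MODE_PRIVATE          # response=0, more=0
    return struct.pack(HEADER_FMT, rm_vn_mode, seq & 0x7F,
                       IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_header(pkt):
    """Split a mode 7 header into its bit fields."""
    if len(pkt) < HEADER_SIZE:
        raise ValueError("packet shorter than a mode 7 header")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = \
        struct.unpack(HEADER_FMT, pkt[:HEADER_SIZE])
    return {
        "response": bool(rm_vn_mode & 0x80),
        "more": bool(rm_vn_mode & 0x40),      # more packets follow this one
        "version": (rm_vn_mode >> 3) & 0x07,
        "mode": rm_vn_mode & 0x07,
        "auth": bool(auth_seq & 0x80),
        "seq": auth_seq & 0x7F,
        "implementation": impl,
        "request": req,
        "err": err_nitems >> 12,              # top 4 bits: error code
        "count": err_nitems & 0x0FFF,         # low 12 bits: number of items
        "itemsize": mbz_itemsize & 0x0FFF,
    }


def parse_monlist_entries(pkt):
    """Return [(client_ip, packets_seen), ...] from one monlist reply packet."""
    hdr = parse_mode7_header(pkt)
    if hdr["err"] or hdr["count"] == 0:
        return []
    if hdr["itemsize"] != MON_ENTRY_SIZE:
        raise ValueError("unexpected item size %d" % hdr["itemsize"])
    entries = []
    for i in range(hdr["count"]):
        start = HEADER_SIZE + i * MON_ENTRY_SIZE
        item = pkt[start:start + MON_ENTRY_SIZE]
        # avg_int, last_int, restr, count, addr, daddr, flags, port, mode, version, v6_flag
        fields = struct.unpack("!IIIIIIIHBBI", item[:36])
        count, addr, v6_flag = fields[3], fields[4], fields[10]
        ip = ipaddress.IPv6Address(item[40:56]) if v6_flag else ipaddress.IPv4Address(addr)
        entries.append((str(ip), count))
    return entries


def make_response(entries, seq, more):
    """Server side of the exchange, constructed for this example: one monlist reply packet."""
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    header = struct.pack(HEADER_FMT, rm_vn_mode, seq & 0x7F, IMPL_XNTPD,
                         REQ_MON_GETLIST_1, len(entries) & 0x0FFF, MON_ENTRY_SIZE)
    body = b""
    for ip, count in entries:
        body += struct.pack("!IIIIIIIHBBII", 60, 5, 0, count,
                            int(ipaddress.IPv4Address(ip)), 0, 0, 123, 3, 4, 0, 0)
        body += bytes(32)                     # addr6 and daddr6, unused for IPv4 clients
    return header + body


def amplification_factor(probe, responses):
    """Bytes reflected per byte of request."""
    return sum(len(r) for r in responses) / len(probe)


def monlist_exposed(responses):
    """True if any reply is a genuine monlist answer that carries client entries."""
    for pkt in responses:
        h = parse_mode7_header(pkt)
        if (h["response"] and h["mode"] == MODE_PRIVATE
                and h["request"] == REQ_MON_GETLIST_1 and h["err"] == 0 and h["count"] > 0):
            return True
    return False


def leaked_clients(responses):
    """Every client address the server handed out across all reply packets."""
    return [e for pkt in responses for e in parse_monlist_entries(pkt)]


# Constructed sample: eight recent clients in TEST-NET-1, so the server needs two
# packets (six 72-byte entries fit in one, giving the 440-byte monlist reply).
SAMPLE_CLIENTS = [("192.0.2.%d" % i, 10 * i) for i in range(1, 9)]
SAMPLE_RESPONSES = [
    make_response(SAMPLE_CLIENTS[:6], seq=0, more=True),
    make_response(SAMPLE_CLIENTS[6:], seq=1, more=False),
]
# Constructed reply from a server that rejects the request: error code 2
# (INFO_ERR_REQ in ntp_request.h), zero items, nothing worth reflecting.
ERROR_RESPONSE = struct.pack(HEADER_FMT, 0x80 | (2 << 3) | MODE_PRIVATE, 0,
                             IMPL_XNTPD, REQ_MON_GETLIST_1, 2 << 12, 0)

if __name__ == "__main__":
    probe = build_monlist_probe()
    print("probe:", probe.hex(), "(%d bytes)" % len(probe))
    print("exposed:", monlist_exposed(SAMPLE_RESPONSES))
    print("amplification: %.0fx" % amplification_factor(probe, SAMPLE_RESPONSES))
    for ip, n in leaked_clients(SAMPLE_RESPONSES):
        print("  client %-12s %d packets" % (ip, n))
    print("rejecting server exposed:", monlist_exposed([ERROR_RESPONSE]))
```

The probe is the same request that `ntpdc -n -c monlist <host>` sends, so after upgrading you can point either at your own server and feed whatever comes back to monlist_exposed(): a server that still honours monlist answers with request code 42, a zero error field and a non-zero item count, while a server that no longer supports it does not. The two constructed packets (440 + 152 bytes) answer an 8-byte request, a factor of 74; each additional full 440-byte packet adds another 55 to that ratio, which is why the quoted article calls such a small function so effective for an attacker.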