Drastic decline in vulnerable NTP servers due to Heartbleed?
Posted on 25 June 2014.
In light of the escalation of DDoS attacks used as a means of extorting money from online businesses, the news that there has been a significant decrease in vulnerable Network Time Protocol (NTP) servers that can be used in NTP amplification DDoS attacks is more than welcome.


The revelation comes from NSFOCUS researchers, who have been tracking the number of NTP servers exploited in amplification attacks since December of 2013.

Initially there were 432,120, and 1,224 of these were especially useful to attackers as they were capable of magnifying traffic by a factor greater than 700.

The latest scanning effort, made in May, revealed that many network and system administrators have heeded US-CERT's warning and have disabled or restricted the monlist functions that allowed their servers to be used in attacks: the number of vulnerable NTP servers has fallen to 17,647.

US-CERT weren't the only ones warning about the danger presented by these servers - a number of companies have also reported on the rise of reflection and amplification DDoS attacks, and CloudFlare shared details about mitigating a big one that hit one of its customers.

While this dramatic drop in vulnerable servers is good news, the fact remains that over 17,000 servers can still be, and are, misused.

"Any amplification attacks are a cheap method for DDoS attackers to launch," Terence Chong, Solutions Architect at NSFOCUS, commented for ThreatPost. "They can write a script that creates 10x to 500x amplification traffic volume that could bring down a site easily versus the traditional method of using botnets under their control to generate traffic themselves, which takes a lot of effort."

So he urges administrators to upgrade ntpd to version 4.2.7p26 or later. "Users of earlier versions of 4.2.7p26 should either use noquery in the default restrictions to block all status queries, or use disable monitor to disable the ntpdc -c monlist command while still allowing other status queries," the company cautioned.
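
The mitigation above, turned into a configuration check, as an added example that is not from the article or from NSFOCUS: given an ntpd version string and the text of ntp.conf, it reports whether monlist can still be answered. The function names and both sample configurations are constructed for illustration.

```python
import re

FIXED = (4, 2, 7, 26)  # ntpd 4.2.7p26, the upgrade target named in the article

def parse_version(s):
    """Turn '4.2.6p5' into (4, 2, 6, 5); a missing patch level counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised ntpd version: {s!r}")
    return tuple(int(g or 0) for g in m.groups())

def audit(version, conf_text):
    """Return (exposed, reason) for the monlist amplification issue."""
    if parse_version(version) >= FIXED:
        return False, "version is 4.2.7p26 or later"
    default_flags = []        # one flag set per 'restrict default' line (IPv4, IPv6)
    monitor_disabled = False
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments, tokenise
        if words[:1] == ["disable"] and "monitor" in words:
            monitor_disabled = True
        elif words[:1] == ["restrict"]:
            args = [w for w in words[1:] if w not in ("-4", "-6")]
            if args[:1] == ["default"]:
                default_flags.append(set(args[1:]))
    if monitor_disabled:
        return False, "disable monitor is set"
    # 'ignore' is a real restrict flag (not mentioned in the article) that drops all packets.
    if default_flags and all(f & {"noquery", "ignore"} for f in default_flags):
        return False, "default restrictions block status queries"
    return True, "monlist reachable: add noquery to restrict default, or disable monitor"

# Constructed sample configurations, not taken from any real host.
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer   # no noquery
restrict 127.0.0.1
server 0.pool.ntp.org iburst
"""
HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server 0.pool.ntp.org iburst
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit("4.2.6p5", conf))
```

The check requires every `restrict default` line to carry the flag, so a configuration that hardens IPv4 but leaves the IPv6 default open is still reported as exposed.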

SANS ISC handler Kevin Shortt confirmed that there has been a sharp decrease in vulnerable systems for the NTP monlist issue.

"I'd like to suggest that while pundits are citing slow progress for patching Heartbleed, that in actuality, the Heartbleed issue is responsible for the sudden change," he wrote. "The month of May showed an extensive effort for patching and truing up patch levels because of Heartbleed. This effort likely assisted in the NTP issue being patched along with it."









COPYRIGHT 1998-2014 BY HELP NET SECURITY.