Drastic decline in vulnerable NTP servers due to Heartbleed?
Posted on 25 June 2014.
In light of the escalation of DDoS attacks used as a means of extorting money from online businesses, the news that there has been a significant decrease in vulnerable Network Time Protocol (NTP) servers that can be used in NTP amplification DDoS attacks is more than welcome.


The revelation comes from NSFOCUS researchers, who have been tracking the number of NTP servers exploited in amplification attacks since December of 2013.

Initially there were 432,120, and 1,224 of these were especially useful to attackers as they were capable of magnifying traffic by a factor greater than 700.

The latest scanning effort, made in May, revealed that many network and system administrators have heeded US-CERT's warning and have disabled or restricted the monlist functions that allowed their servers to be used in attacks: the number of vulnerable NTP servers has fallen to 17,647.

US-CERT weren't the only ones warning about the danger presented by these servers - a number of companies have also reported on the rise of reflection and amplification DDoS attacks, and CloudFlare shared details about mitigating a big one that hit one of its customers.

While this dramatic drop in vulnerable servers is good news, the fact remains that over 17,000 servers can still be, and are being, misused.

"Any amplification attacks are a cheap method for DDoS attackers to launch," Terence Chong, Solutions Architect at NSFOCUS, commented for ThreatPost. "They can write a script that creates 10x to 500x amplification traffic volume that could bring down a site easily versus the traditional method of using botnets under their control to generate traffic themselves, which takes a lot of effort."

He therefore urges administrators to upgrade ntpd to version 4.2.7p26 or later. "Users of earlier versions of 4.2.7p26 should either use noquery in the default restrictions to block all status queries, or use disable monitor to disable the ntpdc -c monlist command while still allowing other status queries," the company cautioned.
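The advice above can be checked against a server's ntpd version and ntp.conf. The following is an added example, not code from NSFOCUS or the ntpd project: the function names and sample configurations are constructed, "last enable/disable statement wins" is an assumption, and the check deliberately ignores non-default restrict lines. It also covers one case the quote does not mention: per the ntpd documentation, monitoring stays active while any restrict line uses the limited flag.

```python
import re

FIXED = (4, 2, 7, 26)  # 4.2.7p26, the release named in the article

def parse_version(text):
    """Turn an ntpd version string such as '4.2.6p5' into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"no ntpd version found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def mitigations(version, conf):
    """List the reasons monlist is not answerable; an empty list means exposed."""
    if parse_version(version) >= FIXED:
        return ["ntpd is 4.2.7p26 or later"]
    defaults, monitor_off, limited = [], False, False
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not tok:
            continue
        if tok[0] == "restrict":
            limited = limited or "limited" in tok
            if "default" in tok:
                defaults.append("noquery" in tok)
        elif tok[0] in ("enable", "disable") and "monitor" in tok:
            monitor_off = tok[0] == "disable"  # assumption: last statement wins
    found = []
    if defaults and all(defaults):  # IPv4 and IPv6 defaults must both carry it
        found.append("noquery on every default restrict line")
    # ntpd keeps monitoring active while any restrict line uses 'limited',
    # so 'disable monitor' is only counted when no such line exists.
    if monitor_off and not limited:
        found.append("disable monitor")
    return found

# Constructed sample configurations (not taken from any real server).
WEAK = """restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery
"""
NOQUERY = """restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
"""
MONITOR = "restrict default kod nomodify notrap nopeer\ndisable monitor\n"
LIMITED = "restrict default limited kod nomodify\ndisable monitor  # ineffective\n"

if __name__ == "__main__":
    for name, conf in [("weak", WEAK), ("noquery", NOQUERY),
                       ("monitor", MONITOR), ("limited", LIMITED)]:
        print(name, mitigations("4.2.6p5", conf) or "EXPOSED to monlist queries")
```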

SANS ISC handler Kevin Shortt confirmed that there has been a sharp decrease in vulnerable systems for the NTP monlist issue.

"I'd like to suggest that while pundits are citing slow progress for patching Heartbleed, that in actuality, the Heartbleed issue is responsible for the sudden change," he wrote. "The month of May showed an extensive effort for patching and truing up patch levels because of Heartbleed. This effort likely assisted in the NTP issue being patched along with it."








