Spectracom - Essential Ingenuity

DDoS / Amplification Attack using ntpdc monlist command


What is the risk of the NTP vulnerability (CVE-2013-5211) associated with monlist on Spectracom products?


In December 2013 / January 2014, a vulnerability with the NTP daemon was documented in several databases of common vulnerabilties and exposures (such as CVE-2013-5211).

The 'monlist' feature of NTP can be exploited as a distributed denial-of-service attack. 'Monlist' can be used as a query issued by the ntpdc tool list. The NTP server responds to the query with the last 600 IP addresses that connected to it. If the queries source address is spoofed, an attacker is able to amplify the volume of traffic directed at a victim because the size of the response is typically considerably larger than the request. The standard recommended solution is to disable queries or 'disable monitor' within the NTP server (NTPd  version 4.2.7p26 replaces the monlist feature with the safe 'mrunlist' function). 

Spectracom NetClock and SecureSync NTP servers are preconfigured for security. By default, NTP queries are not allowed unless otherwise configured through the interface or via expert mode. We recommend you check the configuration of these products to verify queries have not been enabled, or if they have, that you have other network security policies to minimize the risk of an attack. 

See the product specific FAQs for verifying NTP queries are disabled:

Was this information helpful?

 Yes  No