[44net] NTP 'monlist' DDOS attacks

Folks, if you're running NTPD (Network Time Protocol daemon) on your AMPRNet hosts or routers, please be sure that the MONLIST command is disabled. If it is not, your device can be used to attack other systems on the Internet. You can test whether your NTP is thus misconfigured with the command /usr/sbin/ntpdc -n -c monlist If MONLIST is enabled, you will see a response including any IP addresses that have made use of your NTP services. Recommended Action: NTPD versions prior to 4.2.7 are vulnerable by default; the simplest recommended course of action is to upgrade all versions of ntpd that are publically accessible to 4.2.7 or greater. In cases where upgrading is not possible, disabling the monitor functionality can be accomplished via the instructions below. Add the “noquery” directive to the “restrict default” line in the system’s ntp.conf, as shown below: restrict default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery The links below describe the activity in more detail as well as possible solutions. US CERT Notifiacation: https://www.us-cert.gov/ncas/alerts/TA14-013A CERT.ORG Message: http://www.kb.cert.org/vuls/id/348126 Thank you - Brian