01-22-2014 07:44 AM
Our campus has been getting a lot of NTP DDoS attacks of late. While the simple solution would be to shut it down except for necessary systems, the problem (as per usual in public-sector) is that everyone seems to want to run something that uses it and complains if we start blocking.
Looking at the attacks, it's very easy to see the difference between a legitimate NTP query (1 or 2 packets) and an attack. My question is: Is there a way to define a threshold-based filter that will drop or block the attack as with brute-force type attacks? That would solve all of the issues.
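The threshold logic asked for above, as an added example that is not from the thread, from Palo Alto Networks, or from any product's signature language: it counts UDP/123 packets per source inside a sliding window and, once a source passes the threshold, blocks it for a lockout period the way a brute-force rule would. The flow records, the IP addresses, the key=value log format and the threshold, window and lockout values are all constructed for the demonstration.

```python
"""Threshold-based NTP flood filter over constructed flow records (added example)."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

NTP_PORT = 123

# Constructed sample flows (not from any real log). A legitimate client polls twice,
# a minute apart; a second client sends three queries; a flood source sends 40
# queries in four seconds; one DNS flow shows non-NTP traffic being ignored.
_BASE = datetime(2014, 1, 22, 7, 40, 5)
SAMPLE_FLOWS = [
    "2014-01-22T07:40:00 proto=udp src=198.51.100.7 dst=192.0.2.10 dport=123 bytes=48",
    "2014-01-22T07:41:04 proto=udp src=198.51.100.7 dst=192.0.2.10 dport=123 bytes=48",
    "2014-01-22T07:40:01 proto=udp src=198.51.100.7 dst=192.0.2.53 dport=53 bytes=60",
    "2014-01-22T07:40:02 proto=udp src=198.51.100.9 dst=192.0.2.10 dport=123 bytes=48",
    "2014-01-22T07:40:03 proto=udp src=198.51.100.9 dst=192.0.2.10 dport=123 bytes=48",
    "2014-01-22T07:40:04 proto=udp src=198.51.100.9 dst=192.0.2.10 dport=123 bytes=48",
] + [
    f"{(_BASE + timedelta(milliseconds=100 * i)).isoformat()} proto=udp "
    f"src=203.0.113.66 dst=192.0.2.10 dport=123 bytes=48"
    for i in range(40)
]


def parse_flow(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "bytes": int(fields["bytes"]),
    }


class NtpRateLimiter:
    """Allow a few NTP packets per source per window; lock out sources that exceed it."""

    def __init__(self, threshold=10, window=timedelta(seconds=10),
                 block_time=timedelta(minutes=5)):
        self.threshold = threshold          # packets permitted per window (assumed value)
        self.window = window                # sliding window length
        self.block_time = block_time        # lockout duration after a violation
        self.recent = defaultdict(deque)    # src -> timestamps of NTP packets in window
        self.blocked = {}                   # src -> time the lockout expires

    def observe(self, flow):
        """Return 'ignore' (not NTP), 'allow' or 'block' for one flow record."""
        if flow["dport"] != NTP_PORT:
            return "ignore"
        src, ts = flow["src"], flow["ts"]
        expiry = self.blocked.get(src)
        if expiry is not None:
            if ts < expiry:
                return "block"
            del self.blocked[src]           # lockout expired; start counting again
        window = self.recent[src]
        window.append(ts)
        while window and ts - window[0] > self.window:
            window.popleft()                # drop packets that fell out of the window
        if len(window) > self.threshold:
            self.blocked[src] = ts + self.block_time
            window.clear()
            return "block"
        return "allow"


def summarize(lines, **limiter_args):
    """Run the limiter over records (in time order); return per-source verdict counts
    and the sorted list of sources that ended up locked out."""
    limiter = NtpRateLimiter(**limiter_args)
    counts = defaultdict(Counter)
    for flow in sorted((parse_flow(l) for l in lines), key=lambda f: f["ts"]):
        counts[flow["src"]][limiter.observe(flow)] += 1
    return dict(counts), sorted(limiter.blocked)


if __name__ == "__main__":
    verdicts, blocked = summarize(SAMPLE_FLOWS)
    for src, c in verdicts.items():
        print(f"{src:15} allow={c['allow']:3} block={c['block']:3} ignore={c['ignore']}")
    print("locked out:", blocked)
```

With the constructed input the two ordinary clients are never touched, while the flood source gets its first ten packets through and the remaining thirty blocked. One caveat for the reflection case described later in the thread: when a campus NTP server is being used as a reflector, the source address on the incoming queries is the spoofed victim, so a per-source threshold like this caps the amplification the server will provide rather than identifying the real attacker.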
01-22-2014 02:16 PM
At this stage, it is wise to get packet captures and share the problem scenario and open the case. The logs would be analysed for the threat pattern and frequency and they can come up with a solution.
Thanks
01-27-2014 10:13 AM
NTP reflection attacks are occurring frequently these days. The safest approach is to lock down whom you obtain NTP from (I do this on my border router). Short of that, the other way to approach it is to create a threat exception action to block instead of alert:
01-27-2014 10:25 AM
Hi... You can define a custom threat signature and specify the time attribute as described. The custom signature can be completely new, or based on a combination of existing threat signatures.
02-06-2014 10:40 AM
The problem with this signature is that it's not what's being triggered in this case. In fact, none of the NTP vulnerabilities were getting triggered. It showed up instead as traffic and application "NTP". Blocking anything but legitimate is easier said than done here - being a university with a lot of scientists and research going on, it may take the security teams weeks or months to determine what is officially needed vs. wanted.
02-06-2014 10:42 AM
For a custom signature, I've only ever built one that used existing vulnerabilities. Since those are not triggering in this case, how could I define a new one based simply on the fact that it is recognized as an NTP application?