NTP Spoof Attacks

Apparently 2 out of 3 of our GPS clocks were being used in a spoof/DDOS attack.

The basic premise is that time requests are sent to the service with a spoofed IP for the response. Add in 100/1000/10000 clocks send results to a server/service that did not request them results in a denial of service attack.

Both clocks have been removed from the pool, scheduled for February 6th. Hickory.kulish.com has port 123 UDP closed at this time. The maintainer of Dickory.kulish.com has been notified.

At the height of the attack, from our perspective, we pushed 24GB (Byte not Bit) of NTP traffic in 24 hours (not much by all accounts, but enough to help with the damage the asshat was trying to cause).

One clock was misconfigured, noquery had been commented out (likely for initial testing). This has been fixed.



Recent ntp version apparently do NOT respond to “monlist” packets.  You can still get a monlist by issuing:

ntpq -c “mrulist”

Hits: 6