NTP DDoS Vulnerability Active Directory

-

hello,

our isp has provided warnings ntp ddos attacks against our network. have active directory @ server2008 r2 schema version, number of our dc's @ server 2003 sp2. have read ace fekay's response under thread "nntp monlist ddos attack: windows server vulnerable?" however, wondering if there has been additional research done microsoft on issue in view of more pointed warnings serverity of attacks.

here our isp's guidance:

*********beginning of isp guidance**********

"subject: increase in ntp ddos attacks targeting schools

 

center internet security (cis) aware of @ least 4 network time protocol (ntp) distributed denial of service (ddos) attacks targeting school districts in 2014, indicating possible trend of k-12 school district targeting ntp ddos attacks.

 

ntp protocol syncs clocks of networked machines , runs on port 123/udp. obscure command, “monlist,” allows requesting computer receive information regarding last 600 connections ntp server. ntp ddos attack uses ddos reflection , amplification: malicious actor spoofs victim's ip address , uses monlist command request ntp server send large amount of data victim. since requesting attacker sends request ntp server smaller amount of information returned, amplifies effect on victim.

 

recommendations:

  •          protective measures avoid participating in attack:
    •    upgrade ntp servers version 4.2.7 or later, removes monlist command entirely or implement version of ntp not utilize monlist command, such openntpd.
    •    if server cannot upgraded, monlist query feature can disabled adding “disable monitor” ntp.conf file , restarting ntp process.
    •    implement firewall rules restrict traffic ntp server unauthorized sources.
    •    instructions determining if ntp server vulnerable available @ openntpproject.org.
      •          ntp ddos attack remediation measures:
    •    establish , maintain effective partnerships internet service provider (isp) or upstream providers, may able assist in attack mitigation.
    •    provide attacking ip addresses isp in order implement restrictions @ level. has been reported filtering traffic @ upstream provider level source port 123 , packet size restrictions (i.e. 468 bytes, 482bytes) remediating attack.
    •    establish relationship company offers ddos mitigation services.
    •    apply firewall filter restricts traffic trusted addresses (including loopback address).
    •    enable firewall logging of accepted , denied traffic in order determine ddos may originating."

*********end of isp guidance**********

additionally, here link article juniper networks dealing in part active directory vulnerabilities: 

http://www.juniper.net/security/auto/vulnerabilities/vuln10980.html

our pdc emulator dc using ntp , external time servers are: north-america.pool.ntp.org,0x9 tock.usno.navy.mil,0xa

what steps need take respect active directory time service on pdc emulator , other dc's protect our network ddos ntp attacks? have fortigate 800-c firewall.

thanks,

scott mcintosh

hi,

have not received such feedbacks of ntp ddos attack against windows server. w32tm mechanism, use internal time source exclude possibility of vulnerability or assign internal server out time source synching, on behalf of pdc.

regards, brian

please remember click “mark answer” on post helps you, , click “unmark answer” if marked post not answer question. can beneficial other community members reading thread.



Windows Server  >  Directory Services



Comments

Post a Comment

Popular posts from this blog

Motherboard replacement

-
running windows 10 technical preview, need replace motherboard can run the  sysprep  command restoring pc ? or there easier  or more preferred way ? thanks if replace motherboard within same family of chipsets (i.e. intel > intel or amd > amd), should okay restarting pc twice. carey frisch Windows 10 Insider Preview  >  Windows 10 Insider Preview General
Read more

Remote Desktop App - Error 0x207 or 0x607

-
hi all, i manage windows 2012 r2 network, including connection broker, session hosts , remote apps virtual servers.  i've used remote desktop app on own android phone, no issues @ - connects published gateway url , can login , access network. we looking move business onto nokia handsets ms operating system (currently on blackberry), not able connect via remote desktop app on nokia lumia handset. setup, per android config , brings remote apps , remote desktop screen, know can connect.  when select remote desktop, shows following process: initiating remote connection securing remote connection certificate can't verified - choose connect it digitally signed cert (digicert sha2), pc name different physical connection broker name (inherited domain name old gov project - can't publish publicly) initiating establishing securing connection error have been 0x207 getting 0x607 a bit baffled, work on android (and ipad @ home using app). assume ms use d...
Read more

Cannot create Full Text Search catalog after upgrading to V12 - Database is not fully started up or it is not in an ONLINE state

-
in order access new full text search capiblities of sql azure, upgraded our azure sql v12. (a day later), when try create new catalog: create fulltext catalog mycatalog default i following message: msg 9972, level 16, state 100, line 1 database not started or not in online state. try full-text ddl command again after database started , becomes online. hi scott, apologies inconvenience caused you. known issue on service side , fix going included in next update. specific case mitigated, should able use full-text search syntax now. thanks, mihaela Microsoft Azure  >  Azure SQL Database
Read more