Drastic decline in vulnerable NTP servers due to Heartbleed?

In light of the escalation of DDoS attacks used as a means of extorting money from online businesses, the news that there has been a significant decrease in vulnerable Network Time Protocol (NTP) servers that can be used in NTP amplification DDoS attacks is more than welcome.

The revelation comes from NSFOCUS researchers, who have been tracking the number of NTP servers exploited in amplification attacks since December of 2013.

Initially there were 432,120, and 1,224 of these were especially useful to attackers as they were capable of magnifying traffic by a factor greater than 700.

The latest scanning effort, made in May, revealed that many network and system administrators have heeded US-CERT’s warning and have disabled or restricted the monlist functions that allowed their servers to be used in attacks: the number of vulnerable NYTP servers has fallen to 17,647.

US-CERT weren’t the only ones warning about the danger presented by these servers – a number of companies have also reported on the rise of reflection and amplification DDoS attacks, and CloudFlare shared details about mitigating a big one that hit one of its customers.

While this dramatic drop in vulnerable servers is good news, the fact remains that over 17,000 servers can still be and is misused.

“Any amplification attacks are a cheap method for DDoS attackers to launch,” Terence Chong, Solutions Architect at NSFOCUS, commented for ThreatPost. “They can write a script that creates 10x to 500x amplification traffic volume that could bring down a site easily versus the traditional method of using botnets under their control to generate traffic themselves, which takes a lot of effort.”

So he urges administrators to upgrade ntpd to version 4.2.7p26 or later. “Users of earlier versions of 4.2.7p26 should either use noquery in the default restrictions to block all status queries, or use disable monitor to disable the ntpdc -c monlist command while still allowing other status queries,” the company cautioned.

SANS ISC handler Kevin Shortt confirmed that there has been a sharp decrease in vulnerable systems for the NTP monlist issue.

“I’d like to suggest that while pundits are citing slow progress for patching Heartbleed, that in actuality, the Heartbleed issue is responsible for the sudden change,” he wrote. “The month of May showed an extensive effort for patching and truing up patch levels because of Heartbleed. This effort likely assisted in the NTP issue being patched along with it.”