CVE-2013-5211 Vulnerability Description:
CVE-2013-5211 was first announced on January 10, 2014. The root cause is that NTP does not verify the sender's source IP address, which makes it usable for the same kind of DrDoS (distributed reflection denial of service) attack as open DNS resolvers. The attacker sends a forged request to NTP server A with the source IP address in the packet replaced by the address of victim client A. Server A answers that request, and because the response is many times larger than the request, victim client A is flooded and suffers a denial of service. The two worst message types, REQ_MON_GETLIST and REQ_MON_GETLIST_1, amplify the original request by factors of up to 3660 and 5500 respectively.
Solution:
The amplified reflection DoS attack enabled by CVE-2013-5211 is tied to the monlist function. Versions of ntpd before 4.2.7p26 answer the mode 7 "monlist" request. From ntpd 4.2.7p26 on, the "monlist" feature has been removed and replaced by "mrulist", which uses mode 6 control messages and implements a handshake so that a third party cannot use the host to amplify an attack.
Operation Steps:
echo "disable monitor" >> /etc/ntp.conf
Restart the NTP service
Verify:
Run: # ntpdc
ntpdc> monlist
Server reports data not found
ntpdc>
At this point monlist is disabled, and time synchronization is not affected. Alternatively, add the following two lines to the configuration file and restart the NTP service:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
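To check that one of the two mitigations above actually landed in a configuration file, here is an added audit script (not part of the original page); it recognises only the two forms given above, "disable monitor" or the pair of "restrict default" / "restrict -6 default" lines carrying noquery, assumes the directives are written lowercase as ntpd documents them, and does not parse the rest of the ntpd grammar.

```shell
#!/bin/sh
# Added example: audit an ntp.conf for the CVE-2013-5211 (monlist) mitigations.
# Assumption: keywords appear lowercase; comments start with '#'.

# Print the configuration with comments stripped, whitespace collapsed to
# single spaces, and empty lines removed.
ntp_conf_normalise() {
    sed -e 's/#.*//' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' \
        -e '/^$/d' "$1"
}

# Exit 0 when monlist is mitigated in the file "$1", 1 otherwise.
ntp_monlist_mitigated() {
    _cfg=$(ntp_conf_normalise "$1")
    # Form 1: "disable monitor", possibly alongside other flags on the line.
    if printf '%s\n' "$_cfg" | grep -Eq '^disable (.* )?monitor( |$)'; then
        return 0
    fi
    # Form 2: both the IPv4 and the IPv6 default restrictions must carry
    # noquery, so that mode 6/7 queries (monlist included) are refused.
    _v4=$(printf '%s\n' "$_cfg" | grep -Ec '^restrict (-4 )?default (.* )?noquery( |$)' || true)
    _v6=$(printf '%s\n' "$_cfg" | grep -Ec '^restrict -6 default (.* )?noquery( |$)' || true)
    [ "$_v4" -gt 0 ] && [ "$_v6" -gt 0 ]
}

# Usage: sh audit_ntp.sh /etc/ntp.conf
if [ "$#" -eq 1 ] && [ -f "$1" ]; then
    if ntp_monlist_mitigated "$1"; then
        echo "monlist mitigated in $1"
    else
        echo "monlist NOT mitigated in $1"
    fi
fi
```

A commented-out "# disable monitor" line or a capitalised "Disable Monitor" is reported as not mitigated, which is the point of the check.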