Increase in Cybersecurity Attacks Targeting Schools

The Center for Internet Security (CIS) is aware of at least four Network Time Protocol Distributed Denial of Service attacks targeting school districts in 2014, which may indicate a trend of attackers targeting K-12 school districts.

The Network Time Protocol syncs the clocks of networked machines and runs over port 123/UDP. An obscure command, “monlist,” allows a requesting computer to receive information regarding the last 600 connections to the Network Time Protocol server. A Network Time Protocol Distributed Denial of Service attack uses Distributed Denial of Service reflection and amplification: a malicious actor spoofs the victim’s IP address and uses the monlist command to request that the Network Time Protocol server send a large amount of data to the victim. Because the attacker’s request is much smaller than the data the Network Time Protocol server returns, the server amplifies the volume of traffic that reaches the victim.
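The reflection pattern described above can be spotted in captured UDP/123 traffic. The following is an added example, not part of the original advisory: it classifies payloads by the ntpd mode 7 header and reports sources whose monlist requests drew disproportionately large replies. The IP addresses, packet bytes and the `min_ratio` threshold are constructed for illustration.

```python
"""Flag NTP monlist reflection in UDP/123 traffic. All sample data is constructed."""
from collections import defaultdict

MODE_PRIVATE = 7          # ntpd "private" mode (byte 0, low 3 bits)
MONLIST_CODES = {20, 42}  # REQ_MON_GETLIST, REQ_MON_GETLIST_1 (byte 3)


def classify_ntp(payload: bytes) -> str:
    """Return 'monlist_request', 'monlist_response' or 'other'."""
    if len(payload) < 8:  # a mode 7 header is 8 bytes long
        return "other"
    if (payload[0] & 0x07) != MODE_PRIVATE or payload[3] not in MONLIST_CODES:
        return "other"
    # The top bit of byte 0 is the response flag.
    return "monlist_response" if payload[0] & 0x80 else "monlist_request"


def find_reflection(packets, server_ip, min_ratio=10.0):
    """packets: iterable of (src_ip, dst_ip, payload) seen at the NTP server.
    Returns {claimed_source_ip: bytes_out / bytes_in} for monlist traffic that
    the server amplified by at least min_ratio (assumed threshold)."""
    bytes_in, bytes_out = defaultdict(int), defaultdict(int)
    for src, dst, payload in packets:
        kind = classify_ntp(payload)
        if kind == "monlist_request" and dst == server_ip:
            bytes_in[src] += len(payload)
        elif kind == "monlist_response" and src == server_ip:
            bytes_out[dst] += len(payload)
    flagged = {}
    for ip, received in bytes_in.items():
        ratio = bytes_out[ip] / received
        if ratio >= min_ratio:
            flagged[ip] = ratio
    return flagged


# Constructed sample: documentation-range addresses, zero-filled packet bodies.
SERVER = "192.0.2.10"
REQ = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)     # mode 7, request code 42
RESP = bytes([0xD7, 0x00, 0x03, 0x2A]) + bytes(436)  # response flag set, 440 bytes
CLIENT = bytes([0x23]) + bytes(47)                   # ordinary mode 3 time query
REPLY = bytes([0x24]) + bytes(47)                    # ordinary mode 4 reply
SAMPLE = ([("203.0.113.5", SERVER, REQ)] + [(SERVER, "203.0.113.5", RESP)] * 10
          + [("198.51.100.7", SERVER, CLIENT), (SERVER, "198.51.100.7", REPLY)])

if __name__ == "__main__":
    for ip, ratio in find_reflection(SAMPLE, SERVER).items():
        print(f"{ip}: server sent {ratio:.0f}x the bytes it received (monlist)")
```

An address flagged here is the claimed source of the requests, which in a reflection attack is the victim rather than the sender.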

RECOMMENDATIONS:
– Implement firewall rules that restrict traffic to the Network Time Protocol server from unauthorized sources.
– Instructions for determining if a Network Time Protocol server is vulnerable are available at http://openntpproject.org/

Please refer all questions regarding this advisory to RA-CISO@state.pa.us