NTP Reflection Attack

cdmosscdmoss Member ✭✭
Hello All,
This aflex may be used to protect against a NTP Reflection Attack (CVE-2013-5211). Apply this to the virtual service for NTP, udp port 123.

# This aFleX detects and drops the NTP Reflection attack -reject Monlists
# Refer to https://www.us-cert.gov/ncas/alerts/TA14-013A

when CLIENT_DATA {
binary scan [UDP::payload 4] cccc b1 b2 b3 b4
if { [expr $b1 & 135] == 7 and [expr $b2 & 128] == 0 and $b4 == 42 } {
log local0. "NTP Amp Attack detected Ref: CVE-2013-5211 \
from [IP::client_addr] to NTP server at [IP::local_addr]\n"
drop
}
}

Comments

Sign In or Register to comment.