NTP: Monitor List Command

This signature detects the NTP command "monlist" sent from a client to a server. This command has been deprecated in ntpd versions 4.2.7 and above due to its usefulness as an unauthenticated traffic amplifier. While it is a valid command on versions below 4.2.7, its use is not recommended, and it is not normally seen in Internet traffic. Hits on this signature from the Internet are most likely "spoofed" UDP packets sent by an attacker in an attempt to trigger your organization's NTP server into flooding the source IP (the real victim) with a large volume of traffic.

Extended Description

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.
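The check this signature describes can be sketched in Python as follows. This is an added example, not Juniper's signature logic or code from the NTP project. The mode 7 header layout and the numeric request codes (20 and 42) are assumptions taken from ntpd's ntp_request.h rather than from this page, and the sample packets and addresses are constructed.

```python
import struct
from collections import Counter

# Values from ntpd's ntp_request.h (assumption: not stated on this page).
MODE_PRIVATE = 7                       # mode 7 = ntpdc private requests
MONLIST_CODES = {20: "REQ_MON_GETLIST", 42: "REQ_MON_GETLIST_1"}
MODE7_HDR_LEN = 8                      # fixed mode 7 request header

def monlist_request(payload: bytes):
    """Return the request name if payload is a client-to-server monlist
    request, otherwise None."""
    if len(payload) < MODE7_HDR_LEN:
        return None                    # truncated: not a complete mode 7 header
    rm_vn_mode, _auth_seq, _impl, req = struct.unpack_from("!4B", payload)
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        return None                    # ordinary time sync or control traffic
    if rm_vn_mode & 0x80:
        return None                    # response bit set: a server reply
    return MONLIST_CODES.get(req)

def hits_by_claimed_source(packets):
    """Count monlist requests per claimed source IP. With spoofed UDP the
    claimed source is the address that would receive the amplified reply."""
    hits = Counter()
    for src, payload in packets:
        if monlist_request(payload):
            hits[src] += 1
    return hits

def _mode7(version, req, response=False):
    """Build a constructed 8-byte mode 7 header for the samples below."""
    first = (0x80 if response else 0) | (version << 3) | MODE_PRIVATE
    return struct.pack("!4B", first, 0, 3, req) + b"\x00" * 4

# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE = [
    ("198.51.100.7", _mode7(2, 42)),                  # monlist v1 request
    ("198.51.100.7", _mode7(2, 20)),                  # monlist request
    ("203.0.113.9", _mode7(2, 42, response=True)),    # server reply, ignored
    # Mode 3 client packet whose precision byte happens to equal 42.
    ("192.0.2.10", bytes([0x23, 0, 6, 42]) + b"\x00" * 44),
    ("192.0.2.11", b"\x17\x00\x03"),                  # truncated payload
]

if __name__ == "__main__":
    print(hits_by_claimed_source(SAMPLE))
```

The mode 3 sample shows why the mode bits are checked before the request code: in an ordinary time-sync packet, byte 3 is the precision field and can hold any value.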

Affected Products

Ntp ntp

References

CVE: CVE-2013-5211

Short Name: NTP:MONLIST-REQUEST
Severity: Warning
Recommended: False
Recommended Action: Drop
Category: NTP
Keywords: CVE-2013-5211 Command List Monitor
Release Date: 01/29/2014
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version: 3648
False Positive: Unknown
Vendors

Opensuse

Oracle

Ntp

CVSS Score: 5.0
