- Red Hat Enterprise Linux 4
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
How to deal with CVE-2013-5211?
Why does monlist in NTP allow remote attackers to cause a denial of service (DOS Attack)?
The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.
This issue does not affect the default configuration of ntp packages shipped with Red Hat Enterprise Linux, which does not allow remote ntpd control queries.
Users changing the ntpd access control configuration should review the additional information provided in Bug 1047854 to avoid exposing their systems to this traffic amplification issue.
Disable the monitor functionality in ntpd if you had previously changed the default configuration to enable it.
There are two workarounds:

- Firstly, use `noquery` in your default restrictions to block all status queries. Add the `noquery` directive to the `restrict default` line in the system's `/etc/ntp.conf`, as shown below:

```
# vi /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
```
- Secondly, to disable `monlist` functionality on a public-facing NTP server that cannot be updated to 4.2.7, use `disable monitor`. This disables the `ntpdc -c monlist` command while still allowing other status queries:

```
# vi /etc/ntp.conf
disable monitor
```
The NTP service supports a monitoring service that allows administrators to query the server for traffic counts of connected clients. This information is provided via the
The basic attack technique consists of an attacker sending a `get monlist` request to a vulnerable NTP server, with the source address spoofed to be the victim's address.
- Entering the following commands can help users verify whether the `REQ_MON_GETLIST_1` responses of NTP are currently enabled:

```
ntpq -c rv <NTP_SERVER>
ntpdc -c sysinfo <NTP_SERVER>
ntpdc -n -c monlist <NTP_SERVER>
```
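As an added example (not part of the Red Hat article), the following POSIX shell function audits an `ntp.conf` file for the two workarounds above: it passes if every `restrict default` line carries `noquery`, or if a `disable monitor` directive is present. The file path argument and the sample configurations are assumptions; a configuration with no `restrict default` line at all is treated as exposed, since ntpd then answers queries from anyone.

```shell
# Audit an ntp.conf for the CVE-2013-5211 mitigations (added example, not
# Red Hat's code). Exit 0 = mitigated, 1 = monlist still reachable.
check_ntp_conf() {
    conf="$1"
    # Drop comments and blank lines before matching directives.
    cleaned=$(sed 's/#.*//' "$conf" | grep -v '^[[:space:]]*$' || true)

    # "restrict default", "restrict -4 default" and "restrict -6 default" lines
    defaults=$(printf '%s\n' "$cleaned" \
        | grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' || true)

    if [ -z "$defaults" ]; then
        # No default restriction at all: ntpd's built-in default allows everything.
        unguarded=1
    else
        # Count default-restriction lines that lack the noquery flag.
        unguarded=$(printf '%s\n' "$defaults" | grep -vcw noquery || true)
    fi

    # "disable monitor", possibly combined with other flags ("disable auth monitor")
    monitor_off=$(printf '%s\n' "$cleaned" \
        | grep -Ec '^[[:space:]]*disable([[:space:]]+[a-z]+)*[[:space:]]+monitor([[:space:]]|$)' || true)

    if [ "$unguarded" -eq 0 ]; then
        echo "OK: every restrict default line carries noquery"
        return 0
    elif [ "$monitor_off" -gt 0 ]; then
        echo "OK: disable monitor present (other status queries still answered)"
        return 0
    fi
    echo "EXPOSED: monlist reachable; add noquery or disable monitor"
    return 1
}

# Run against a file given on the command line, e.g. ./check.sh /etc/ntp.conf
if [ -n "${1:-}" ]; then
    check_ntp_conf "$1"
fi
```

The check is purely textual: it does not account for a later `enable monitor` line re-enabling the feature, so confirm the running daemon with the `ntpdc` queries above.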
- Red Hat Enterprise Linux
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.