Juniper Networks
Solutions
Products & Services
Company
Partners
Support
Education

Signature Detail

Security Intelligence Center
Signatures
Print

Short Name

 NTP:MONLIST-REQUEST-FLOOD

Severity

 Medium

Recommended

 Yes

Recommended Action

 Drop

Category

 NTP

Keywords

 Monitor List Command Flood

Release Date

 2014/01/29

Update Number

 2339

Supported Platforms

 idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

NTP: Monitor List Command Flood


This signature detects several NTP "monlist" commands sent in a short period of time from a client to a server. This could be an indication that someone is attempting to use your NTP server as a traffic amplifier to flood a remote victim. This command has been depreciated in ntpd versions 4.2.7 and above due to such abuse. While this is a valid command on versions below 4.2.7, its use is not recommended and normally not used on Internet traffic. Hits on this signature from the Internet are most likely "spoofed" UDP packets sent from an attacker in an attempt to trigger your organization's NTP server to flood the source IP - the real victim - with a large volume of traffic.

References

  • CVE: CVE-2013-5211

Site Map
RSS Feeds
Careers
Accessibility
Feedback
Privacy Policy
Legal Notices
Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.
Help
|
My Account
|
Log Out