Increase in Cybersecurity Attacks Targeting Schools
March 12, 2014
The Center for Internet Security (CIS) is aware of at least four Network Time Protocol Distributed Denial of Service attacks targeting school districts in 2014, indicating a possible trend of K-12 school district targeting.
The Network Time Protocol syncs the clocks of networked machines and runs over port 123/UDP. An obscure command, “monlist,” allows a requesting computer to receive information regarding the last 600 connections to the Network Time Protocol server. A Network Time Protocol Distributed Denial of Service attack uses Distributed Denial of Service reflection and amplification: a malicious actor spoofs the victim’s IP address and uses the monlist command to request that the Network Time Protocol server send a large amount of data to the victim. Since the requesting attacker sends a request to the Network Time Protocol server that is much smaller than the amount of information returned, it amplifies the effect on the victim.
RECOMMENDATIONS:
– Implement firewall rules that restrict traffic to the Network Time Protocol server from unauthorized sources.
– Instructions for determining if a Network Time Protocol server is vulnerable are available at http://openntpproject.org/
Please refer all questions regarding this advisory to RA-CISO@state.pa.us