SERVER-OTHER -- Snort has detected traffic exploiting vulnerabilities in a server in the network.
SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt
This event is generated when 5 or more NTP packets containing a zero-origin timestamp are sent within one second.
Impact: Attempted Denial of Service
Details: If NTP packets containing a zero-origin timestamp are sent in some volume, they could trigger a DoS condition in vulnerable versions of the NTP package.
Ease of Attack: Simple
No public information
Known false positives, with the described conditions
A zero-origin timestamp is not against the specification, but it is not common.
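The trigger condition described above (5 or more zero-origin NTP packets within one second), reproduced offline as an added example; this is not the Snort rule or Talos code. Counting per source IP, the function names and the sample packets are assumptions made for illustration; the origin timestamp offset follows the standard 48-byte NTP header layout.

```python
import struct
from collections import defaultdict, deque

NTP_HEADER_LEN = 48   # fixed NTP header, no extension fields
ORIGIN_OFFSET = 24    # origin timestamp: 8 bytes at offset 24
THRESHOLD = 5         # packets, from the rule description
WINDOW = 1.0          # seconds, from the rule description

def has_zero_origin(payload: bytes) -> bool:
    """True if the UDP payload holds a full NTP header with origin timestamp 0."""
    if len(payload) < NTP_HEADER_LEN:
        return False  # truncated packet: the field cannot be read
    (origin,) = struct.unpack_from("!Q", payload, ORIGIN_OFFSET)
    return origin == 0

def find_bursts(packets):
    """packets: iterable of (time_seconds, src_ip, udp_payload) in time order.
    Returns (time, src_ip) for each point where the threshold is reached."""
    recent = defaultdict(deque)  # src_ip -> times of recent zero-origin packets
    alerts = []
    for ts, src, payload in packets:
        if not has_zero_origin(payload):
            continue
        q = recent[src]  # assumption: events are counted per source address
        q.append(ts)
        while ts - q[0] >= WINDOW:  # discard events older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            alerts.append((ts, src))
            q.clear()  # report each burst once
    return alerts

def make_ntp(origin: int) -> bytes:
    """Build a constructed NTPv4 mode-3 header for the sample data below."""
    first = (4 << 3) | 3  # LI=0, VN=4, mode=3
    return struct.pack("!B3x3I4Q", first, 0, 0, 0, 0, origin, 0, 0xE000000000000001)

# Constructed sample traffic (documentation addresses, not real captures).
SAMPLE = (
    [(10.0 + 0.1 * i, "192.0.2.10", make_ntp(0)) for i in range(5)]      # burst
    + [(20.0 + 1.5 * i, "192.0.2.20", make_ntp(0)) for i in range(5)]    # slow
    + [(30.0 + 0.01 * i, "198.51.100.5", make_ntp(0xDEADBEEF00000001)) for i in range(10)]
)

if __name__ == "__main__":
    print(find_bursts(SAMPLE))
```

Only the first source is reported: the second sends zero-origin packets too slowly to meet the threshold, which is the kind of traffic the false-positive note refers to, and the third never sends a zero origin.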
Cisco Talos Intelligence Group
Tactic:
Technique:
For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org
CVE-2018-7184: ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.

CVE-2018-7185: The protocol engine in ntp 4.2.6 before 4.2.8p11 allows remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association causing the victim ntpd to reset its association.