
Sid 1-46387

Message

SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt

Summary

This event is generated when 5 or more NTP packets containing a zero-origin timestamp are sent within one second.

Impact

Attempted Denial of Service

CVE-2018-7184:

CVSS base score

CVSS impact score

CVSS exploitability score

Confidentiality Impact

Integrity Impact

Availability Impact

CVE-2018-7185:

CVSS base score

CVSS impact score

CVSS exploitability score

Confidentiality Impact

Integrity Impact

Availability Impact

Detailed information

If NTP packets containing a zero-origin timestamp are sent in sufficient volume, they can trigger a DoS condition on vulnerable versions of the NTP package.

CVE-2018-7184: ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp, causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.

CVE-2018-7185: The protocol engine in ntp 4.2.6 before 4.2.8p11 allows remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and the source IP address of the "other side" of an interleaved association, causing the victim ntpd to reset its association.
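As an added illustration of the detection logic summarised above (example code, not the Talos rule or ntpd's own code), the following Python reads the origin timestamp field of the NTP header and applies the 5-packets-per-second-per-source threshold to constructed sample traffic; the source addresses and arrival times are assumed.

```python
import struct
from collections import deque

NTP_HEADER_LEN = 48
ORIGIN_TS_OFFSET = 24  # origin timestamp: 8 bytes (seconds, fraction) at byte 24 of the NTP header

def has_zero_origin(pkt: bytes) -> bool:
    """True if the packet is a full NTP header whose origin timestamp is all zeros."""
    if len(pkt) < NTP_HEADER_LEN:
        return False
    secs, frac = struct.unpack_from("!II", pkt, ORIGIN_TS_OFFSET)
    return secs == 0 and frac == 0

def build_ntp_packet(origin_secs: int, origin_frac: int = 0, mode: int = 3) -> bytes:
    """Build a minimal NTPv4 header (constructed sample input, not captured traffic)."""
    pkt = bytearray(NTP_HEADER_LEN)
    pkt[0] = (0 << 6) | (4 << 3) | mode  # LI=0, version 4, mode 3 = client
    struct.pack_into("!II", pkt, ORIGIN_TS_OFFSET, origin_secs, origin_frac)
    return bytes(pkt)

class ZeroOriginDetector:
    """Per-source sliding window: fires once the window holds `threshold` zero-origin packets."""

    def __init__(self, threshold: int = 5, window: float = 1.0):
        self.threshold = threshold
        self.window = window
        self.seen = {}  # source address -> deque of arrival times of zero-origin packets

    def observe(self, src: str, ts: float, pkt: bytes) -> bool:
        if not has_zero_origin(pkt):
            return False  # packets with a real origin timestamp never count
        q = self.seen.setdefault(src, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()  # drop arrivals older than the one-second window
        return len(q) >= self.threshold

def run_sample() -> list:
    """Replay constructed traffic; returns (src, time) pairs that crossed the threshold."""
    det = ZeroOriginDetector()
    zero, normal = build_ntp_packet(0), build_ntp_packet(3900000000, 0x12345678)
    events = [  # host .5 sends 5 zero-origin packets in 0.4s; host .9 spreads 5 over 1.2s
        ("10.0.0.5", 0.00, zero), ("10.0.0.5", 0.10, zero), ("10.0.0.5", 0.20, zero),
        ("10.0.0.5", 0.30, zero), ("10.0.0.5", 0.35, normal), ("10.0.0.5", 0.40, zero),
        ("10.0.0.9", 0.00, zero), ("10.0.0.9", 0.30, zero), ("10.0.0.9", 0.60, zero),
        ("10.0.0.9", 0.90, zero), ("10.0.0.9", 1.20, zero),
    ]
    return [(src, ts) for src, ts, pkt in events if det.observe(src, ts, pkt)]
```

Only the burst from 10.0.0.5 alerts; the slower sender never has five zero-origin packets inside any one-second window, which is the behaviour the false-positive note below relies on.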

Affected systems

Ease of attack

Simple

False positives

A zero-origin timestamp is not against the specification, but it is uncommon in normal traffic.

False negatives

Corrective action

Update ntp to 4.2.8p11 or later.

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • support.ntp.org/bin/view/Main/NtpBug3453
  • support.ntp.org/bin/view/Main/NtpBug3454