Information Security News
Symantec has noticed in the last few weeks that there have been significant NTP reflection attacks. NTP is the Network Time Protocol, used to synchronize time between client and server; it is a UDP protocol and runs on port 123.
In an NTP reflection attack, the attacker sends a crafted packet which requests that a large amount of data be sent to the host.
“In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older version of NTP that sends the requester a list of the last 600 hosts who have connected to that server. For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic:”
Here is an example of a monlist request:
ntpdc -n -c monlist 127.0.0.1
And here is the output
Or you can run an NSE script, which can be found at https://svn.nmap.org/nmap/scripts/ntp-monlist.nse
And here is the packet capture of the NMAP script request:
And here is the packet capture of the response:
One way of protecting an NTP server from such an attack is adding
to the /etc/init.conf file
And here is the output of the NMAP script after adding this command:
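Added example (not from the original diary or from Symantec): a small Python classifier for UDP/123 payloads that flags mode 7 monlist requests and replies and measures the response-to-request byte ratio a defender would see on a reflecting server. The sample payloads, including the 6 entries per packet and 72 bytes per entry, are constructed for illustration.

```python
import struct

MODE_PRIVATE = 7                       # mode 7: the ntpdc "private" request mode
MONLIST_CODES = {20, 42}               # MON_GETLIST, MON_GETLIST_1 request codes

def classify_ntp(payload: bytes) -> dict:
    """Decode the 8-byte mode 7 header of a UDP/123 payload."""
    if len(payload) < 8:
        return {"kind": "too-short"}
    b0, _seq, _impl, code, err_items, size = struct.unpack("!BBBBHH", payload[:8])
    mode = b0 & 0x07
    if mode != MODE_PRIVATE:
        return {"kind": "other", "mode": mode}
    return {
        "kind": "mode7-response" if b0 & 0x80 else "mode7-request",
        "monlist": code in MONLIST_CODES,
        "more": bool(b0 & 0x40),        # more response packets follow
        "items": err_items & 0x0FFF,    # entries carried in this packet
        "item_size": size & 0x0FFF,     # bytes per entry
    }

def amplification(payloads):
    """Return (request_bytes, response_bytes, ratio) over monlist packets only."""
    req = resp = 0
    for p in payloads:
        info = classify_ntp(p)
        if not info.get("monlist"):
            continue                    # ordinary time queries are ignored
        if info["kind"] == "mode7-request":
            req += len(p)
        else:
            resp += len(p)
    return req, resp, (resp / req if req else 0.0)

# Constructed sample payloads (not taken from a real capture).
SAMPLE_CLIENT = bytes([0x23]) + bytes(47)                  # normal mode 3 time query
SAMPLE_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(188)
SAMPLE_REPLY = struct.pack("!BBBBHH", 0xD7, 0, 3, 42, 6, 72) + bytes(6 * 72)
SAMPLE_FLOW = [SAMPLE_CLIENT, SAMPLE_REQUEST] + [SAMPLE_REPLY] * 100   # 600 entries

if __name__ == "__main__":
    for name, p in [("client", SAMPLE_CLIENT), ("request", SAMPLE_REQUEST),
                    ("reply", SAMPLE_REPLY)]:
        print(name, len(p), classify_ntp(p))
    print("request bytes, response bytes, ratio:", amplification(SAMPLE_FLOW))
```

Any mode 7 monlist traffic reaching a server from outside the management network is worth alerting on, since normal clients only use modes 3 and 4.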
Hope you had a fabulous Christmas for those who celebrate it, for those who do not, a hearty cheers to you!
In the spirit of a fabulous weekly service, DRG Weekend Reads, provided by our friends over at the Dragon Research Group, and courtesy of reader and contributor Gebhard, I offer you an additional list of great weekend reading items.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Opinion: How infosec training is changing to stay ahead
Infosec professionals have to stay one step ahead, and that requires that they be well educated and as thoroughly trained in the dark art of network security as the bad guys. Institutions of higher learning and professional certification programs are ...
When someone suspects that malware activity may exist on a system, or that a system is compromised, one of the most obvious places to check is the startup locations. In this diary I am going to discuss some of the startup locations in Windows systems:
On Windows XP systems:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\%UserName%\Start Menu\Programs\Startup
On Windows Vista/7/8:
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup
When an executable file (application or batch file) is located in the All Users folder, it will run for any user when he/she logs on, while when it is located in a particular user's folder it will run only for that user when he/she logs on.
Please note that the above locations are the defaults and they can be changed; I suggest first checking the following registry keys:
On Windows XP/Windows Vista/7/8 (see figure 2):
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
2013: The Year Of Security Certification Bashing
What can we do to help ourselves? First, we have to act as a community. There definitely are charlatans out there, and maybe places like attrition.org are useful in bringing them to light. But is a public flogging truly the solution? The InfoSec ...
NEC, Mitsubishi Corp. to form information security joint venture
NEC Corp. and Mitsubishi Corp. said Dec. 25 that the electronics company and the trading house will form a joint venture to strengthen their presence in the rapidly growing cyber-security services field. NEC will acquire a 60-percent equity stake in ...