The Network Time Foundation’s Network Time Protocol Project has patched multiple denial-of-service vulnerabilities with the release of ntp-4.2.8p9. The last update to the open source protocol used to synchronize computer clocks was in June.
“NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in DDoS (distributed denial-of-service) attacks,” the project maintainers wrote in the security advisory.
NTP is a widely used protocol, and has been hijacked several times over the past two years in distributed denial-of-service attacks. Attackers harness the power of the servers running NTP and amplify the amount of traffic — as much as 1,000 times the size of the initial query — sent to victim systems. Research from network security company Arbor Networks estimated that 85 percent of volumetric DDoS attacks exceeding 100Gbps in size were NTP reflection attacks.