Supermicro NTP DDoS Vulnerability

I received a notification that one of my dedicated servers was taking part in a NTP based DDoS reflection attack. At first I was like “No way!” since I don’t use NTP on any servers. Closer inspection of the source IP address revealed that the attack was coming from my Supermicro server’s built in IPMI controller. And indeed, Supermicro is using a vulnerable NTP version on its IPMI controllers:

ntpdc -n -c monlist
remote address port local address count m ver rstr avgint lstint
186.2.161.nnn 53842 76.20.120.nn 51127 7 2 0 0 0
217.147.208.n 123 76.20.120.nn 1 4 4 0 0 7
130.60.204.nn 123 76.20.120.nn 1 4 4 0 0 8

The quickest fix is to turn NTP sync off in IPMI as described here. If for some reason you have a requirement for NTP, here’s how to fix the Supermicro firmware on your own (not for the faint-hearted!).

Since Supermicro has a spotty track record when it comes to IPMI controller security, it’s highly recommended to define a set of jump hosts in the IP Access Control menu. Here’s a gotcha: the default policy is set to ACCEPT which means you have to add a DROP rule at the end with Obviously, a private VLAN would be the preferred way, but if no VLAN is available, IP access control comes in handy. The IP access control list will filter any traffic to the IPMI controller except for the defined IP ranges. It will block access to NTP as well.

Still waiting for Supermicro to finally fix the issue in a new firmware revision though…