NF – NTPD Kiss-o’-Death – Peer Polling Interval 10

The rule detects NTPD (Network Time Protocol Daemon) Kiss-o'-Death packets with a peer polling interval of 10. NTPD Kiss-o'-Death packets are used to signal to an NTP server that it should stop sending time updates to the client for a specified interval. The rule can help identify potential NTP-related issues or attacks involving NTP servers and clients with specific polling intervals.

Categories:

ID Number

5019501

Signature

alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"NF - NTPD Kiss-o'-Death - Peer Polling Interval 10"; content:"|e4 00 0a|"; offset:0; depth:3; content:"|52 41 54 45|"; distance:5; within:15; reference:url,www.cs.bu.edu/~goldbe/NTPattack.html; reference:cve,2015-7704; reference:url,networkforensic.dk; metadata:05032016; classtype:bad-unknown; sid:5019501; rev:1;)

MITRE ATT&CK Technique

-

Severity

Medium

Recommendations/Investigative actions

Ensure that you are using the latest version of NTP software on your NTP servers and clients. Keep the software up-to-date with the latest vendor-released patches.Configure your NTP servers to only allow requests from trusted sources. Implement access control lists (ACLs) to restrict NTP traffic to authorized clients. Set up firewall rules to restrict external NTP traffic to specific NTP servers. Block NTP traffic from untrusted or unauthorized sources. Authorize the connection. If the connection was approved - archive and baseline the rule. If not - check the connection and investigate the file and the relevant IP address.