NTP BUG 2942: Off-path Denial of Service (DoS) attack on authenticated broadcast mode
Last update: June 28, 2022 20:06 UTC (57417e17c)
An off-path attacker can send broadcast packets with bad authentication (wrong key, mismatched key, incorrect MAC, etc.) to broadcast clients. The broadcast client has been observed to tear down its association with the broadcast server upon receiving just one bad packet.
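The behaviour described above, modelled on the receive side as an added example (not ntpd code or the project's patch). The key table, packet contents, class and function names are constructed for illustration. The drop-and-keep policy is an assumed alternative shown for contrast, and re-association after teardown is not modelled.

```python
import hashlib
import hmac
import struct

KEYS = {1: b"constructed-shared-key"}  # constructed key table: key ID -> secret

def mac(key_id, key, header):
    """NTP symmetric-key MAC: 4-byte key ID, then MD5(key || header)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()

def authentic(packet):
    """True only if the 20-byte trailer verifies under a key ID we trust."""
    header, trailer = packet[:48], packet[48:]
    if len(header) != 48 or len(trailer) != 20:
        return False
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = KEYS.get(key_id)
    return key is not None and hmac.compare_digest(trailer, mac(key_id, key, header))

class BroadcastClient:
    def __init__(self, teardown_on_bad_auth):
        self.teardown_on_bad_auth = teardown_on_bad_auth
        self.associated = True
        self.accepted = 0   # authenticated broadcasts used for timekeeping
        self.rejected = 0   # authentication failures: the counter to alert on

    def receive(self, packet):
        if authentic(packet):
            if self.associated:
                self.accepted += 1
            return
        self.rejected += 1
        if self.teardown_on_bad_auth:
            self.associated = False  # behaviour described in the advisory

def replay(teardown_on_bad_auth):
    """Feed a constructed packet sequence; return (associated, accepted, rejected)."""
    header = bytes([0x25]) + bytes(47)  # LI=0, VN=4, mode=5 (broadcast), rest zero
    good = header + mac(1, KEYS[1], header)
    wrong_key = header + mac(1, b"not-the-key", header)   # right ID, wrong secret
    unknown_id = header + mac(9, KEYS[1], header)         # key ID not in KEYS
    client = BroadcastClient(teardown_on_bad_auth)
    for packet in (good, wrong_key, good, unknown_id, good):
        client.receive(packet)
    return client.associated, client.accepted, client.rejected

if __name__ == "__main__":
    print("teardown on first failure:", replay(True))
    print("drop and keep association:", replay(False))
```

In both policies the `rejected` counter rises by the same amount, so authentication failures on a broadcast client are the signal to watch regardless of how the association is handled.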
- Implement BCP-38.
- [Upgrade to 4.2.8p6 or later.](/downloads/)
- Monitor your
- If this sort of attack is an active problem for you, you have deeper problems to investigate. Also consider having smaller NTP broadcast domains.
This weakness was discovered by Aanchal Malhotra of Boston University.