ntp_request.c in ntpd in NTP prior to 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.
This module exploits a denial of service vulnerability within the NTP (Network Time Protocol) daemon. By sending a single packet to a vulnerable ntpd server (Victim A), spoofed from the IP address of another vulnerable ntpd server (Victim B), both victims will enter an infinite response loop. Note: unless you control the spoofed source host or the real remote host(s), you will not be able to halt the DoS condition once begun!
msf > use auxiliary/dos/ntp/ntpd_reserved_dos
msf auxiliary(ntpd_reserved_dos) > show actions
    ...actions...
msf auxiliary(ntpd_reserved_dos) > set ACTION <action-name>
msf auxiliary(ntpd_reserved_dos) > show options
    ...show and set options...
msf auxiliary(ntpd_reserved_dos) > run
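
On the detection side, the loop described above has a recognizable shape in captured traffic: two hosts exchanging MODE_PRIVATE (mode 7) responses, port 123 to port 123, in both directions at a high rate. The following is an added example, not code from the original page or from the module; the packet tuple layout, window, threshold and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

NTP_PORT = 123
MODE_PRIVATE = 7   # mode field: low 3 bits of the first NTP byte
RESP_BIT = 0x80    # response flag: top bit of that byte in mode 7 packets

def is_mode7_response(payload: bytes) -> bool:
    """True for a MODE_PRIVATE packet that has the response bit set."""
    if len(payload) < 8:                      # too short for a mode 7 header
        return False
    return (payload[0] & 0x07) == MODE_PRIVATE and bool(payload[0] & RESP_BIT)

def find_loops(packets, window=1.0, threshold=20):
    """Return sorted (ip, ip) pairs that look like a MODE_PRIVATE loop.

    packets: time-ordered (ts, src, sport, dst, dport, udp_payload) tuples.
    window and threshold are assumed starting values, tune per network.
    """
    recent = defaultdict(deque)               # host pair -> (ts, sender) hits
    flagged = set()
    for ts, src, sport, dst, dport, payload in packets:
        # Daemon-to-daemon traffic is 123 <-> 123; management clients are
        # assumed to use an ephemeral source port and are skipped here.
        if sport != NTP_PORT or dport != NTP_PORT or src == dst:
            continue
        if not is_mode7_response(payload):
            continue
        pair = tuple(sorted((src, dst)))
        hits = recent[pair]
        hits.append((ts, src))
        while ts - hits[0][0] > window:       # expire hits outside the window
            hits.popleft()
        # A loop is high-rate AND bidirectional; a one-way flood is not a loop.
        if len(hits) >= threshold and len({s for _, s in hits}) == 2:
            flagged.add(pair)
    return sorted(flagged)

def sample_capture():
    """Constructed traffic: one looping pair plus benign NTP packets."""
    a, b = "192.0.2.10", "192.0.2.20"
    resp = b"\x97" + bytes(7)                 # response bit, version 2, mode 7
    pkts = [(0.0, "198.51.100.5", 40000, a, 123, b"\x23" + bytes(47)),  # client
            (0.0, "198.51.100.6", 40001, a, 123, b"\x17" + bytes(7))]   # mode 7 request
    for i in range(30):                       # ping-pong at 10 ms intervals
        s, d = (a, b) if i % 2 == 0 else (b, a)
        pkts.append((0.01 * (i + 1), s, 123, d, 123, resp))
    return pkts

if __name__ == "__main__":
    print(find_loops(sample_capture()))
```

The same predicate (UDP, both ports 123, first payload byte with mode 7) also describes the traffic to rate-limit or drop between NTP servers while affected hosts are being upgraded.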