Issue with NTP servers — The new DDoS target !!

Just like the DDoS is hitting web-servers and DNS servers, it has started hitting
the ntpd servers which are left open.

This is a very recent attack. The Network Time Protocol, or NTP, syncs time
between machines on the network, and runs over port 123 UDP. It’s typically
configured once by network administrators and often is not updated.

Recently there is a major jump in attacks via the protocol. Attackers appear to be
employing NTP for DDoSing similar to the way DNS is being abused in such attacks.
They transmit small spoofed packets requesting a large amount of data sent to the
DDoS target’s IP address. It’s all about abusing the so-called “monlist” command
in an older version of NTP. Monlist returns a list of the last 600 hosts that have
connected to the server.

To check if your ntp service is open/vulernable :

# ntpdc -c monlist IP ( See if it returns the list of hosts,
if it does, it is vulnerable )

To get around this,

# The easiest way to update to NTP version 4.2.7, which removes the monlist
command entirely.

# If upgrading is not an option, you can start the NTP daemon with noquery enabled
in the NTP conf file. This will disable access to mode 6 and 7 query
packets (which includes monlist).

Add the below lines to /etc/ntp.conf :


restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery


If monolist query is disabled,

# ntpdc -n -c monlist IP should return,

xx.xx.xx.xx: timed out, nothing received
***Request timed out

The basic issue is that all the ntp servers are left open, meaning any servers
can query them. For eg we have the following part in the config
file of a ntpd server :




– under this portion, either nothing would be given ( which means all can access/query )
or the following,

restrict mask notrust nomodify notrap

which means all can still access/query, in particular that range specified cannot do the
above 3 actions.

still this makes them an open ntpd service, which responds to the queries.

If the following was given,

restrict mask notrust noquery nomodify notrap

it implies all systems under the above n/w segment can access, but cannot
query, –similar to the 2 liner which is given irrespective of all n/w segments.

Before you become a part in the chain, take the preventive measures.

  • Rakesh

    What if the server is not acting as a ntp server? will this vulnerability affect it ?

    • joelta

      In most cases, ntpd daemon is left running in all servers even if the service is not used.
      If the service is not used, either turn it off or apply the fix to disable monlist query.
      Use this command to check if your sever is vulnerable or not – ntpdc -c monlist IP

  • sreejith

    Thank you for this post, was able to cut down an attack of around 80mb/s by applying the above fix.

    • joelta

      wow.. that’s cool 🙂