Just as DDoS attacks have been hitting web servers and DNS servers, they have started
hitting ntpd servers that are left open to the internet.
This is a very recent attack. The Network Time Protocol, or NTP, syncs time
between machines on a network and runs over UDP port 123. It is typically
configured once by network administrators and is often never updated afterwards.
Recently there has been a major jump in attacks via this protocol. Attackers are
using NTP for DDoS the same way DNS is abused in such attacks: they send small
packets with a spoofed source address, so the server's large reply goes to the
DDoS target's IP address instead of back to the attacker (UDP has no handshake, so
the server never verifies who asked). The amplification comes from the "monlist"
command in older versions of ntpd. Monlist is a mode 7 (ntpdc, "private") query that
returns the last 600 hosts that have talked to the server, so a request of a few
dozen bytes is answered with a list spread over many full-size UDP packets.
To check if your ntp service is open/vulnerable, run the monlist query against it
from another host:
# ntpdc -n -c monlist IP
If it returns the list of hosts, the server is vulnerable and can be used as an
amplifier by anyone.
To get around this, there are two options.
The easiest way is to update to NTP version 4.2.7p26 or later, which removes the
monlist command (its replacement, ntpq's mrulist, requires the client to obtain a
nonce from the server first, so a spoofed source address gets nothing back).
If upgrading is not an option, add noquery to the default restrict entries in the
NTP conf file and restart ntpd. This denies mode 6 and mode 7 query packets (ntpq
and ntpdc, which includes monlist) while the server keeps serving time.
Add the below lines to the NTP conf file (usually /etc/ntp.conf):
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
Once the monlist query is disabled,
# ntpdc -n -c monlist IP
should return
xx.xx.xx.xx: timed out, nothing received
***Request timed out
(noquery makes ntpd drop the query silently rather than answer it, so the client
sees a timeout, not an error message).
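The check above done at the protocol level, as an added example that is not part of the original post or of the ntp project: it builds the same 48-byte mode 7 request that ntpdc sends for monlist, parses the reply fragments, and measures how many bytes come back per byte sent, which is the amplification a spoofed victim would receive. Packet and entry layouts follow ntpd's ntp_request.h (struct req_pkt and struct info_monitor_1); the sample reply and the addresses in it are constructed for the offline check, not captured from a real server, and probe() is the only part that touches the network.

```python
import socket
import struct

# Constants from ntpd's ntp_request.h, as used by ntpdc.
REQ_MON_GETLIST_1 = 42   # request code for "monlist"
IMPL_XNTPD = 3           # implementation number ntpdc identifies itself with
MON_ITEM_SIZE = 72       # sizeof(struct info_monitor_1), one entry per monitored host


def build_monlist_request() -> bytes:
    """Build the fixed 48-byte mode 7 request ntpdc sends for 'monlist'."""
    # byte 0 = response(0) | more(0) | version 2 (010) | mode 7 (111) -> 0x17
    header = bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1])
    # err/nitems and mbz/itemsize are zero in a request; 40 bytes of unused
    # data then pad the packet to its fixed 48-byte size.
    return header + b"\x00" * 44


def parse_monlist_response(pkt: bytes) -> dict:
    """Decode one mode 7 reply fragment into header fields and host entries."""
    if len(pkt) < 8:
        raise ValueError("short packet")
    rm_vn_mode, _seq, _impl, _req, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", pkt[:8])
    if (rm_vn_mode & 0x07) != 7 or not (rm_vn_mode & 0x80):
        raise ValueError("not a mode 7 response")
    nitems = err_nitems & 0x0FFF       # low 12 bits: number of items in this fragment
    itemsize = mbz_itemsize & 0x0FFF   # low 12 bits: bytes per item
    entries = []
    body = pkt[8:]
    for i in range(nitems):
        item = body[i * itemsize:(i + 1) * itemsize]
        if len(item) < 30:
            break
        # info_monitor_1: avg_int, last_int, restr, count, addr, daddr, flags (u_int32), port (u_short)
        _avg, _last, _restr, count, addr, daddr, _flags, port = struct.unpack("!IIIIIIIH", item[:30])
        entries.append({"addr": socket.inet_ntoa(struct.pack("!I", addr)),     # the monitored client
                        "daddr": socket.inet_ntoa(struct.pack("!I", daddr)),   # local address it used
                        "port": port, "count": count})
    return {"more": bool(rm_vn_mode & 0x40),   # more fragments follow this one
            "error": err_nitems >> 12,         # high 4 bits: error code, 0 = OK
            "nitems": nitems, "itemsize": itemsize, "entries": entries}


def is_vulnerable(replies: list) -> bool:
    """True if any reply fragment carried host entries, i.e. the server answers monlist."""
    for pkt in replies:
        try:
            parsed = parse_monlist_response(pkt)
        except ValueError:
            continue
        if parsed["error"] == 0 and parsed["nitems"] > 0:
            return True
    return False


def amplification(request: bytes, replies: list) -> float:
    """Bytes received per byte sent: the amplification factor a spoofed victim would see."""
    return sum(len(r) for r in replies) / len(request)


def probe(host: str, timeout: float = 2.0) -> list:
    """Send one monlist request to host:123 and collect reply fragments until 'more' clears."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(build_monlist_request(), (host, 123))
        while True:
            data, _ = sock.recvfrom(65535)
            replies.append(data)
            if not parse_monlist_response(data)["more"]:
                break
    except (socket.timeout, ValueError):
        pass   # a hardened server drops the query silently; we just time out
    finally:
        sock.close()
    return replies


def _make_item(addr: str, daddr: str, port: int, count: int) -> bytes:
    """Constructed 72-byte info_monitor_1 entry for the offline sample reply."""
    a = struct.unpack("!I", socket.inet_aton(addr))[0]
    d = struct.unpack("!I", socket.inet_aton(daddr))[0]
    head = struct.pack("!IIIIIIIHBB", 64, 3, 0, count, a, d, 0, port, 3, 4)
    return head + b"\x00" * (MON_ITEM_SIZE - len(head))


# Constructed sample reply (not captured from a real server): response bit set,
# more bit clear, two 72-byte entries -> 152 bytes back for a 48-byte request.
SAMPLE_REPLY = (bytes([0x97, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1])
                + struct.pack("!HH", 2, MON_ITEM_SIZE)
                + _make_item("203.0.113.10", "192.0.2.1", 123, 17)
                + _make_item("198.51.100.7", "192.0.2.1", 123, 5))
```

Against a real server, `replies = probe("ntp.example.org")` followed by `is_vulnerable(replies)` and `amplification(build_monlist_request(), replies)` gives the same verdict as the ntpdc command, plus the size of the reply the server would send to a spoofed victim. A full monlist answer is 100 fragments of 6 entries each, which is where the 600-host figure comes from.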
The basic issue is that these ntp servers are left open, meaning any host on the
internet can query them. For example, the client network section of a typical ntpd
config file looks like this:
# --- CLIENT NETWORK ---
Under this portion, either nothing is given (which means everyone can access and
query the server), or only a line for the local range, such as
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
A restrict line applies only to the addresses it names. This one stops hosts in
192.168.1.0/24 from modifying the server's configuration or installing traps (and,
on current ntpd 4.2.x, notrust additionally means that range is only served if its
packets are cryptographically authenticated, so drop it unless you actually use NTP
keys). It says nothing about the rest of the internet, which falls under the default
entry, and with no restrict default line the default is to allow everything, queries
included. So this is still an open ntpd service that answers monlist for anyone.
If instead the following were given,
restrict 192.168.1.0 mask 255.255.255.0 notrust noquery nomodify notrap
the systems in that network segment could still get time from the server but could
not query it with ntpdc or ntpq. That is exactly what the two restrict default lines
above do for every address not matched by a more specific restrict line; a
subnet-specific line on its own does nothing to protect the server from outside hosts.
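The restrict logic just described, as an added example that is not part of the original post or of the ntp project: a small audit that reads the restrict statements of an ntp.conf, works out what applies to "everyone else" (the default entries for IPv4 and IPv6), and reports when queries are left open or when a subnet line carries notrust. It assumes, as current ntpd does, that a bare `restrict default` covers both address families; the two sample configs are constructed for the offline check and are not from a real server.

```python
def parse_restrict_lines(conf_text: str) -> list:
    """Return one dict per restrict statement: family (-4/-6/None), target, mask, flags."""
    rules = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()   # strip comments, tokenize
        if not parts or parts[0] != "restrict":
            continue
        parts = parts[1:]
        family = parts.pop(0) if parts and parts[0] in ("-4", "-6") else None
        target = parts.pop(0) if parts else None
        mask = None
        if len(parts) >= 2 and parts[0] == "mask":
            mask = parts[1]
            parts = parts[2:]
        rules.append({"family": family, "target": target, "mask": mask, "flags": set(parts)})
    return rules


def audit(conf_text: str) -> list:
    """Findings that leave mode 6/7 queries (monlist included) reachable; empty list = closed."""
    rules = parse_restrict_lines(conf_text)
    findings = []
    # Anything not matched by a more specific restrict line falls under "default".
    # A bare "restrict default" is treated as covering both families (assumption:
    # current ntpd behaviour); the explicit -6 line from the post is harmless on top.
    for fam, label in (("-4", "IPv4"), ("-6", "IPv6")):
        defaults = [r for r in rules if r["target"] == "default" and r["family"] in (None, fam)]
        if not defaults:
            findings.append(f"{label}: no 'restrict default' line, any host can query (monlist open)")
            continue
        for r in defaults:
            if r["flags"].isdisjoint({"noquery", "ignore"}):
                findings.append(f"{label}: 'restrict default' lacks noquery, mode 6/7 queries open")
            if r["flags"].isdisjoint({"nomodify", "ignore"}):
                findings.append(f"{label}: 'restrict default' lacks nomodify, remote reconfiguration open")
    # Subnet lines only govern their own range; notrust on current ntpd means
    # "serve only cryptographically authenticated packets", which is rarely intended.
    for r in rules:
        if r["target"] != "default" and "notrust" in r["flags"]:
            where = r["target"] + (f" mask {r['mask']}" if r["mask"] else "")
            findings.append(f"restrict {where}: notrust denies unauthenticated clients in that range")
    return findings


# Constructed sample configs (not taken from a real server).
OPEN_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
# --- CLIENT NETWORK ---
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
# --- CLIENT NETWORK ---
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
"""
```

Running `audit(OPEN_CONF)` reports the missing default entry for both families and the notrust on the subnet line; `audit(HARDENED_CONF)` returns nothing, because every address not named explicitly now hits the default entries with noquery. The `restrict 127.0.0.1` and `restrict -6 ::1` lines without flags are what let you keep running ntpq/ntpdc locally after the defaults are locked down.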
Before your server becomes a link in someone else's attack chain, take the preventive measures.