NTP reflection attacks

NTP reflection attacks across the Internet.

reflection-attackNTP is the Network Time Protocol, it is a relatively obscure protocol that runs over port 123 UDP and is used to sync time between machines on a network. If you have ever set up a home computer or server and been asked which time server you want to use, that is an NTP connection.

NTP is one of those set-it-and-forget-it protocols that is configured once and most network administrators don’t worry about it after that. Unfortunately, that means it is also not a service that is upgraded often, leaving it vulnerable to these reflection attacks.

How do NTP reflection attacks work?

Similar to DNS amplification attacks, the attacker sends a small forged packet that requests a large amount of data be sent to the target IP Address.

In this case, the attackers are taking advantage of the monlist command. Monlist is a remote command in older version of NTP that sends the requester a list of the last 600 hosts who have connected to that server. For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic:

[user@server ~]# ntpdc -c monlist [hostname]
remote address          port local address      count m ver code avgint  lstint
localhost.localdomain  53949              1 7 2      0      0       0
tock.usshc.com           123 xxx.xxx.xxx.xxx        1 4 4    5d0      0      53           123 xxx.xxx.xxx.xxx        1 4 4    5d0      0      54
rook.slash31.com         123 xxx.xxx.xxx.xxx        1 4 4    5d0      0      55
eightyeight.xmission.c   123 xxx.xxx.xxx.xxx        1 4 4    5d0      0      56


Most scanning tools, such as NMAP, have a monlist module for gathering network information and many attack tools, including metasploit, have a monlist DDoS module.

How can you protect your servers? The easiest way to update to NTP version 4.2.7, which removes the monlist command entirely. If upgrading is not an option, you can start the NTP daemon with noquery enabled in the NTP conf file. This will disable access to mode 6 and 7 query packets (which includes monist).

By disabling monlist, or upgrading so the the command is no longer there, not only are you protecting your network from unwanted reconnaissance, but you are also protecting your network from inadvertently being used in a DDoS attack.

NTP security notice

Reference: NTP public service project