Fighting Back Against Network Time Protocol DDoS Attacks
Posted by Stuart Thomason on 29 January 2014 10:38

Recent news has revealed that attackers have found a way to manipulate a largely forgotten network protocol in a fresh spin on distributed-denial-of-service (DDoS) attacks, after researchers discovered a spike in suspected NTP reflection attacks during a one-month period.

Network Time Protocol (NTP) synchronises time across devices on a network and operates over UDP port 123. It’s often configured just once by network administrators and, according to researchers at Symantec, is rarely updated.

Symantec have been credited with identifying the increased number of attacks via the protocol in recent months. Symantec researcher Allan Liska said in a statement: “NTP is one of those set-it-and-forget-it protocols that is configured once, and most network administrators don’t worry about it after that.”

He added: “Unfortunately, that means it is also not a service that is upgraded often, leaving it vulnerable to these reflection attacks.”

In a statement from Galleon Systems, they said: “Your system is only vulnerable from an internal perspective if the attacker has a working knowledge of Network Time Protocol. From an external perspective (over the internet) your system is vulnerable if you have a 123 UDP port open in your firewall and your Network Time Server has access to the internet.”

It’s understood that attackers are targeting the ‘monlist’ command of NTP servers, which can be run by any remote client.

The monlist command returns an NTP server’s monitor data: a record of the most recent NTP packet sent to the server by each host, including the source and destination addresses and the NTP version and mode of the packet. This information makes it feasible to classify the associated hosts as servers, peers and clients.

Mr Liska provides a synopsis of the attackers’ intentions: “Attackers appear to be employing NTP for DDoSing similar to the way DNS is being abused in such attacks. They transmit small spoofed packets requesting a large amount of data sent to the DDoS target’s IP address.”

He added: “It’s all about abusing the so-called ‘monlist’ command in an older version of NTP. Monlist returns a list of the last 600 hosts that have connected to the server.” He continued: “For attackers the ‘monlist’ query is a great reconnaissance tool. For a localised NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic.”
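The asymmetry Mr Liska describes, a few small queries answered by many large replies sent to a spoofed address, is what an operator of an NTP server can look for in their own flow or firewall records. The following script is an added example, not part of the original article or Galleon Systems’ software: it works over constructed flow records (the addresses 198.51.100.10 and 203.0.113.0/24, the port numbers and the byte counts are all made up) and flags remote hosts that were sent far more UDP/123 data than they ever requested, which on the server side is the signature of being used as a reflector.

```python
"""Spot NTP reflection abuse in flow records seen at the NTP server's network edge.

Constructed example, not part of the original article. The records are
synthetic (src_ip, src_port, dst_ip, dst_port, bytes) tuples; 198.51.100.10
stands in for the NTP server we operate and 203.0.113.0/24 for remote hosts.
"""
from collections import defaultdict

NTP_PORT = 123
SERVER_IP = "198.51.100.10"

SAMPLE_FLOWS = [
    # Ordinary client time sync: one 48-byte request, one 48-byte reply.
    ("203.0.113.5", 40000, SERVER_IP, NTP_PORT, 48),
    (SERVER_IP, NTP_PORT, "203.0.113.5", 40000, 48),
    # Suspected reflection: two small queries that appear to come from
    # 203.0.113.77 (the spoofed victim), answered with forty large replies.
    ("203.0.113.77", 40001, SERVER_IP, NTP_PORT, 60),
    ("203.0.113.77", 40001, SERVER_IP, NTP_PORT, 60),
    *[(SERVER_IP, NTP_PORT, "203.0.113.77", 40001, 482) for _ in range(40)],
]


def summarize_ntp_traffic(flows, server_ip=SERVER_IP):
    """Per remote host: bytes and packets sent to, and received from, UDP/123 on the server."""
    stats = defaultdict(lambda: {"in_bytes": 0, "in_pkts": 0, "out_bytes": 0, "out_pkts": 0})
    for src, sport, dst, dport, size in flows:
        if dst == server_ip and dport == NTP_PORT:
            stats[src]["in_bytes"] += size
            stats[src]["in_pkts"] += 1
        elif src == server_ip and sport == NTP_PORT:
            stats[dst]["out_bytes"] += size
            stats[dst]["out_pkts"] += 1
    return dict(stats)


def find_amplification(flows, server_ip=SERVER_IP, min_ratio=10.0, min_out_bytes=4096):
    """Return [(host, reply/request byte ratio, reply bytes)] for hosts that received
    far more from the server than they sent it, largest reply volume first.

    Genuine clients sit near a 1:1 ratio (48-byte request, 48-byte reply).  A
    host that is sent many large replies for a few tiny requests, or for none
    at all, is a candidate reflection victim and the server is the reflector.
    """
    suspects = []
    for host, s in summarize_ntp_traffic(flows, server_ip).items():
        # No requests at all means the replies were provoked by spoofed packets
        # the server never saw from this address; treat the ratio as infinite.
        ratio = s["out_bytes"] / s["in_bytes"] if s["in_bytes"] else float("inf")
        if s["out_bytes"] >= min_out_bytes and ratio >= min_ratio:
            suspects.append((host, ratio, s["out_bytes"]))
    return sorted(suspects, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for host, ratio, out_bytes in find_amplification(SAMPLE_FLOWS):
        print(f"{host}: {out_bytes} reply bytes, {ratio:.0f}x what it requested")
```

The thresholds are deliberately loose: a legitimate client never pulls kilobytes of replies for a handful of 48-byte requests, so anything above a 10:1 byte ratio with a few kilobytes of reply traffic is worth a look, and the host listed is the victim being flooded, not the party sending the spoofed queries.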

In order to combat remote abuse of the ‘monlist’ command, Galleon Systems advises adding the following lines on the ‘NTP Customisation’ page of the Web Configuration:

restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict ::1

Once you have entered these lines, click Save at the bottom of the page, then navigate to the ‘save setting to flash’ page and complete that action. You will then need to reboot the unit for the changes to take effect.
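The restrict lines above work because `noquery` stops ntpd answering mode 6 and mode 7 control queries, monlist among them, for the default class of remote hosts, while `nomodify`, `nopeer`, `notrap` and `kod` close off the other remote-control paths. On a general ntpd host the same lines live in ntp.conf, and the script below is an added example (not Galleon Systems’ code, whose appliance takes these lines through its web interface) that parses a configuration and reports which of the recommended flags each address family’s `restrict default` entry is missing. Both configurations embedded in it are constructed; the checker treats an unqualified `restrict default` as covering IPv4 and IPv6, as ntpd does, and an `ignore` flag as closing everything.

```python
"""Audit an ntpd configuration for the monlist exposure described above.

Added example, not Galleon Systems' code: the appliance in the article takes
these lines through its web interface, whereas this script reads a standard
ntp.conf.  Both sample configurations below are constructed.
"""

RECOMMENDED_DEFAULT_FLAGS = {"kod", "notrap", "nomodify", "nopeer", "noquery"}

# Constructed: the default class lacks 'noquery', so mode 6/7 queries (monlist
# among them) from any remote host are answered.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap   # applies to IPv4 and IPv6
restrict 127.0.0.1
"""

# Constructed: the lines recommended above, plus the usual localhost entries.
HARDENED_CONF = """\
server 0.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
"""


def parse_restrict_lines(conf_text):
    """Return (family, address, flags) for each 'restrict' directive.

    family is '4', '6' or None (unqualified); address is the literal token,
    with an IPv4 'mask' clause folded in as 'addr/mask'; flags is a set.
    """
    rules = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # strip comments
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = None
        if tokens and tokens[0] in ("-4", "-6"):
            family = tokens.pop(0)[1]
        if not tokens:
            continue
        address = tokens.pop(0)
        if len(tokens) >= 2 and tokens[0] == "mask":
            address = f"{address}/{tokens[1]}"
            tokens = tokens[2:]
        rules.append((family, address, set(tokens)))
    return rules


def audit_default_restrictions(conf_text):
    """Map each address family to the recommended flags its 'restrict default' lacks.

    A family with no default entry at all gets the whole set back (ntpd then
    imposes no restriction).  An unqualified 'restrict default' covers both
    families; 'ignore' drops every packet, so nothing further is missing.
    """
    missing = {"4": set(RECOMMENDED_DEFAULT_FLAGS), "6": set(RECOMMENDED_DEFAULT_FLAGS)}
    for family, address, flags in parse_restrict_lines(conf_text):
        if address != "default":
            continue
        for fam in ([family] if family else ["4", "6"]):
            missing[fam] = set() if "ignore" in flags else RECOMMENDED_DEFAULT_FLAGS - flags
    return missing


def monlist_exposed(conf_text):
    """True when any address family still answers monlist for the default class."""
    return any("noquery" in gaps for gaps in audit_default_restrictions(conf_text).values())


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "monlist exposed:", monlist_exposed(conf), audit_default_restrictions(conf))
```

Run against the weak configuration it reports `nopeer` and `noquery` missing for both families; against the hardened one it reports nothing missing. A configuration with no `restrict default` line at all is reported as missing every flag, which is the worst case: ntpd then restricts nobody.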

Queries or concerns about DDoS attacks? Contact Galleon Systems Support.
