CERT-Bund-Reports:

NTP servers with 'monlist' enabled

The Network Time Protocol (NTP) is a networking protocol for clock synchronization between IT systems. NTP supports a monitoring service that allows administrators to query the server for traffic counts of connected clients via the 'monlist' command.

Problem

The NTP 'monlist' feature can be abused for DDoS reflection attacks against third parties.

Verification

In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 192.168.45.67 with the IP address of the host to check.

To check if an NTP server is openly accessible from the Internet and has the 'monlist' feature enabled, you can use 'ntpdc' like this:

# ntpdc -n -c monlist 192.168.45.67

An NTP server with the 'monlist' feature enabled will return a list of clients that recently queried the NTP server:

remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
123.56.67.89             123 192.168.45.67       3559 4 4      0    446     119
34.56.78.90              123 192.168.45.67      16992 4 4      0    137     207
98.76.54.32              123 192.168.45.67      17005 4 4      0    137     232
111.22.33.44           58708 192.168.45.67          3 3 4      0 423826   72192
222.33.44.55           35560 192.168.45.67          8 3 4      0 180029  236607
33.44.55.66            59053 192.168.45.67          1 3 3      0 615565  615565
44.55.66.77            59040 192.168.45.67          2 3 4      0 637297  664374

If the list of clients is currently empty, it will instead return:

***Server reports data not found

If there is no openly accessible NTP server with the 'monlist' feature enabled, the request will time out:

192.168.45.67: timed out, nothing received
***Request timed out
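As an added example (not part of the CERT-Bund report and not ntpdc's own code), the following Python classifies raw NTP UDP payloads by the mode 7 header fields that 'monlist' uses (implementation 3, request code 20 or 42), so a defender can spot inbound monlist probes and outbound replies in traffic captured on port 123. The sample payloads are constructed, not captured.

```python
import struct

# NTP mode 7 ("private") is the channel ntpdc uses; 'monlist' is request code
# 42 (MON_GETLIST_1) or 20 (MON_GETLIST) against implementation 3 (XNTPD).
MODE_PRIVATE = 7
IMPL_XNTPD = 3
MONLIST_CODES = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}
INFO_ERR_NODATA = 4  # the "data not found" reply for an empty client list


def classify_ntp_payload(payload: bytes) -> dict:
    """Classify one UDP/123 payload; flags monlist requests and replies."""
    if len(payload) < 8:
        return {"kind": "short", "monlist": False}
    # Mode 7 header: R|M|VN|Mode, Auth|Seq, Implementation, Request code,
    # Err(4)|Count(12), MBZ(4)|Size(12).
    flags, _seq, impl, req_code, err_count, mbz_size = struct.unpack(
        "!BBBBHH", payload[:8])
    mode = flags & 0x07
    version = (flags >> 3) & 0x07
    if mode != MODE_PRIVATE:
        return {"kind": "ntp-mode-%d" % mode, "version": version, "monlist": False}
    is_response = bool(flags & 0x80)
    err, count, size = err_count >> 12, err_count & 0x0FFF, mbz_size & 0x0FFF
    verdict = {
        "kind": "mode7-response" if is_response else "mode7-request",
        "version": version, "impl": impl, "req_code": req_code,
        "monlist": impl == IMPL_XNTPD and req_code in MONLIST_CODES,
        "error": err, "items": count,
    }
    if verdict["monlist"] and is_response:
        # A reply carrying records, or the "no data" error, both show that the
        # server still answers monlist queries from this peer.
        verdict["monlist_exposed"] = err in (0, INFO_ERR_NODATA)
        verdict["data_bytes"] = count * size if err == 0 else 0
    return verdict


# Constructed sample payloads (not real captures).
MONLIST_REQUEST = struct.pack("!BBBBHH", 0x17, 0, IMPL_XNTPD, 42, 0, 0)
# Reply: R bit set, six 72-byte MON_GETLIST_1 records (zero-filled here).
MONLIST_RESPONSE = struct.pack("!BBBBHH", 0x97, 0, IMPL_XNTPD, 42, 6, 72) + bytes(6 * 72)
CLIENT_POLL = b"\xe3" + bytes(47)  # ordinary NTPv4 client (mode 3) time request

if __name__ == "__main__":
    for name, pkt in (("request", MONLIST_REQUEST), ("reply", MONLIST_RESPONSE),
                      ("client poll", CLIENT_POLL)):
        print(name, classify_ntp_payload(pkt))
```

Run over the payloads of a port 123 capture, a "mode7-response" with monlist_exposed set confirms that a host in your network is still answering monlist queries, which is the condition this report asks you to remove.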

Solution

Update to ntpd version 4.2.7p26 or later. If an update is not possible, disable status queries in the NTP server's configuration or restrict access to trusted clients.

Further information