NTP reflection attack

Published: 2013-12-27
Last Updated: 2013-12-29 16:07:13 UTC
by Basil Alawi S.Taher (Version: 1)
9 comment(s)

Symantec has notice in the last few weeks that there is a significant NTP reflection attacks. NTP is Network time protocol and it’s used to synch the time between client and server, it is a UDP protocol and it’s run on port 123.

In the NTP reflection attack the attacker send a crafted packet which request a large amount of date send to the host.

“In this case, the attackers are taking advantage of the monlist command.  Monlist is a remote command in older version of NTP that sends the requester a list of the last 600 hosts who have connected to that server.  For attackers the monlist query is a great reconnaissance tool.  For a localized NTP server it can help to build a network profile.  However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic:”


Here is an example of monlist request


Ntpdc –n –c monlist


  And here is the output

Or you can run a nse script which can be found at https://svn.nmap.org/nmap/scripts/ntp-monlist.nse       

And here is the packet capture of the NMAP script request:

And here is the packet capture of the response:

One way of protecting NTP server from such attack is adding


disable monitor


 To /etc/ntp.conf file

 And here is the output of the NMAP script after adding this command :


9 comment(s)
Diary Archives