SANS ISC InfoSec Handlers Diary Blog

NTP reflection attack

Published: 2013-12-27
Last Updated: 2013-12-29 16:07:13 UTC
by Basil Alawi S.Taher (Version: 1)
8 comment(s)

Symantec has noticed a significant number of NTP reflection attacks in the last few weeks. NTP is the Network Time Protocol, used to synchronize time between a client and a server. It is a UDP protocol and runs on port 123.

In an NTP reflection attack, the attacker sends a crafted packet that requests a large amount of data be sent to the host.

“In this case, the attackers are taking advantage of the monlist command.  Monlist is a remote command in older version of NTP that sends the requester a list of the last 600 hosts who have connected to that server.  For attackers the monlist query is a great reconnaissance tool.  For a localized NTP server it can help to build a network profile.  However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic:”


Here is an example of a monlist request:


ntpdc -n -c monlist


And here is the output:

Or you can run an NSE script, which can be found at

And here is the packet capture of the Nmap script request:

And here is the packet capture of the response:

One way of protecting an NTP server from such an attack is to add


disable monitor


to the /etc/ntp.conf file.
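A check for this setting, as an added example rather than code from the diary: the Python function below (its name and both sample configurations are constructed for illustration) reads ntp.conf text and reports whether disable monitor is present without a competing enable monitor line. Going beyond the diary, it also lists the line numbers of restrict default statements that lack ntpd's noquery flag, which denies ntpq and ntpdc queries.

```python
def audit_ntp_conf(text):
    """Audit ntp.conf text for the monlist mitigation; returns a findings dict."""
    disable_seen = enable_seen = False
    default_restrict_seen = False
    weak_restrict = []  # line numbers of 'restrict ... default' without noquery
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # '#' starts a comment
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        # One statement can carry several flags, e.g. "disable stats monitor".
        if keyword == "disable" and "monitor" in args:
            disable_seen = True
        elif keyword == "enable" and "monitor" in args:
            enable_seen = True
        elif keyword == "restrict" and "default" in args:
            default_restrict_seen = True
            if "noquery" not in args:
                weak_restrict.append(lineno)
    return {
        # Only trust the mitigation when no 'enable monitor' competes with it.
        "monitor_disabled": disable_seen and not enable_seen,
        "conflicting_monitor_lines": disable_seen and enable_seen,
        "default_restrict_seen": default_restrict_seen,
        "default_restrict_without_noquery": weak_restrict,
    }

# Constructed sample: the mitigation is only present as a comment.
SAMPLE_BEFORE = """\
# constructed sample, not taken from the diary
server 0.pool.ntp.org iburst
# disable monitor
restrict default nomodify notrap
restrict 127.0.0.1
"""

# Constructed sample: the diary's setting plus noquery on the default restrict.
SAMPLE_AFTER = """\
# constructed sample, not taken from the diary
server 0.pool.ntp.org iburst
disable monitor   # mitigation from the diary
restrict default nomodify notrap noquery
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit_ntp_conf(conf))
```

A file that contains both enable monitor and disable monitor is reported as conflicting rather than as mitigated, so the stray enable line can be removed instead of relying on how ntpd orders the two.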

And here is the output of the Nmap script after adding disable monitor:

