An old time NTP DDoS lingering on

NTP DDoS STILL Ongoing

A few years on, an old DDoS technique that abuses part of the NTP protocol is still lingering:

  • This DDoS abuses the ntpdc “monlist” command to generate a DDoS “Amplification Attack”
  • All this has long been known and long since fixed (2010/04/24): ntp.org – Amplification Attack using ntpdc monlist command
  • A good brief example of what that looks like for someone caught in the middle is kindly given by: Micron21 – NTP Reflection (Amplification) DDoS Attack
  • And all this hit the news earlier this year (2014) with what I saw as some rather sensationalist press from a certain ‘victim’ showing off how much internet bandwidth they have and how they successfully rode through it all, weathering supposedly the world's greatest attack! A figure of 400Gbit/s was boasted…
  • A long-winded summary is given by NTP and the Winter of 2013 Network DRDoS Attacks
  • Until the more recent abuse of the monlist request, NTP had suffered relatively few abuses (all ‘inadvertent’?): NTP server misuse and abuse
  • Briefly, the “monlist” request to an ntp server returns the list of up to 600 addresses that have most recently talked to it. A request of only a few bytes therefore pulls back a reply of many hundreds or thousands of bytes, spread over many packets (on ntpd 4.2.6 a full table comes back as 100 packets of 440 bytes each). Because NTP runs over UDP there is no handshake, so the attacker simply forges the source address of the request to be that of the victim, and all of that amplified reply is delivered to the victim…

The fix:

For those running ntpd software from ntp.org, one fix is to use version 4.2.7p26 or later, which disables “monlist” by default.

For prior versions (Gentoo presently uses ntp 4.2.6_p5-r10, as of July 2014), the fix is simply to deny the “monlist” query to external addresses, or to disable the monitoring function completely. Denying the query is done with one line in /etc/ntp.conf:

restrict default noquery

A more complete example with comments is to include in /etc/ntp.conf:

# To avoid the ntp amplification attack for ntp versions prior to 4.2.7p26,
# either switch the monitoring facility off completely:
# disable monitor
# Or refuse the queries that read it:
# restrict default noquery
# From man ntp.conf for noquery: "Deny ntpq(8) and ntpdc(8) queries. Time service is not affected."

# To allow machines to synchronize
# their clocks with your server, but ensure they are
# not allowed to configure the server or to be used as peers
# to synchronize against, but allow everything for localhost.
# (limited: drop clients that exceed the rate limits set by the discard command)
restrict default noquery nomodify nopeer notrap limited
restrict 127.0.0.1
# and the IPv6 loopback too, if ntpd also listens on IPv6:
restrict ::1
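To put numbers on the amplification described in the bullet list above, and to check that the restrict lines actually took effect, here is an added Python example. It is mine, not code from this post or from ntp.org: it builds the usual 8-byte ntpdc monlist probe, parses the mode 7 (private) replies, decodes the client entries, and computes bytes-returned-per-byte-sent. The packet layouts are those of ntp_request.h as I know them (8-byte header, 72-byte info_monitor_1 items, six per reply packet); the reply stream and the 10.0.x.y client addresses are constructed sample data, not a capture. probe() sends real UDP and must only be pointed at a server you are responsible for.

```python
"""Build an ntpdc 'monlist' probe, parse mode 7 replies, measure amplification.

Added example for this page (not ntp.org code). Layouts follow ntpd's
ntp_request.h as assumed here; the sample replies are constructed, not captured.
"""
import socket
import struct
import sys

# The usual 8-byte monlist probe: a mode 7 request header and no data.
#   byte 0 = 0x17 : version 2, mode 7 (private)
#   byte 1 = 0x00 : no authentication, sequence 0
#   byte 2 = 0x03 : implementation 3 (IMPL_XNTPD)
#   byte 3 = 0x2a : request 42 (REQ_MON_GETLIST_1)
#   bytes 4-7     : err/nitems and mbz/itemsize, all zero
MONLIST_REQUEST = b"\x17\x00\x03\x2a\x00\x00\x00\x00"

HDR_LEN = 8
MON_ITEM_LEN = 72        # sizeof(struct info_monitor_1)
ITEMS_PER_PACKET = 6     # 6 * 72 = 432 bytes of data in each 440-byte reply
INFO_ERR_NODATA = 4      # error code returned when 'disable monitor' is in effect


def parse_mode7(pkt):
    """Split one mode 7 packet into its header fields and the raw data items."""
    if len(pkt) < HDR_LEN:
        raise ValueError("packet shorter than the mode 7 header")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(
        "!BBBBHH", pkt[:HDR_LEN])
    hdr = {
        "response": bool(rm_vn_mode & 0x80),   # R bit
        "more": bool(rm_vn_mode & 0x40),       # M bit: further packets follow
        "mode": rm_vn_mode & 0x07,
        "seq": auth_seq & 0x7f,
        "implementation": impl,
        "request": req,
        "err": err_nitems >> 12,               # top 4 bits
        "nitems": err_nitems & 0x0fff,         # low 12 bits
        "itemsize": mbz_itemsize & 0x0fff,
    }
    if hdr["mode"] != 7:
        raise ValueError("not a mode 7 packet")
    data, n, size = pkt[HDR_LEN:], hdr["nitems"], hdr["itemsize"]
    if len(data) < n * size:
        raise ValueError("packet claims more items than it carries")
    items = [data[i * size:(i + 1) * size] for i in range(n)] if size else []
    return hdr, items


def decode_monitor_item(item):
    """IPv4 fields of an info_monitor_1 entry: (client address, port, packet count).
    Offsets: avg_int 0, last_int 4, restr 8, count 12, addr 16, daddr 20, flags 24,
    port 28, mode 30, version 31; the IPv6 fields after that are ignored here."""
    count, = struct.unpack("!I", item[12:16])
    port, = struct.unpack("!H", item[28:30])
    return socket.inet_ntoa(item[16:20]), port, count


def monlist_entries(responses):
    """Decode every client entry carried by a list of reply packets."""
    entries = []
    for pkt in responses:
        hdr, items = parse_mode7(pkt)
        if hdr["err"] == 0 and hdr["itemsize"] == MON_ITEM_LEN:
            entries.extend(decode_monitor_item(i) for i in items)
    return entries


def amplification(request, responses):
    """Bandwidth amplification factor: bytes received per byte sent."""
    return sum(len(r) for r in responses) / len(request)


def probe(host, port=123, timeout=2.0, max_packets=200):
    """Send the probe to a server you administer and collect the replies.
    Returns (status, packets): 'answered' = entries came back (still vulnerable),
    'nodata' = INFO_ERR_NODATA ('disable monitor' works), 'silent' = nothing before
    the timeout ('restrict ... noquery' drops it; so would a firewall, so check which)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    packets = []
    try:
        sock.sendto(MONLIST_REQUEST, (host, port))
        while len(packets) < max_packets:
            pkt, _ = sock.recvfrom(2048)
            packets.append(pkt)
            if not parse_mode7(pkt)[0]["more"]:
                break
    except socket.timeout:
        pass
    finally:
        sock.close()
    if not packets:
        return "silent", packets
    if parse_mode7(packets[0])[0]["err"] == INFO_ERR_NODATA:
        return "nodata", packets
    return "answered", packets


def build_monlist_replies(n_entries):
    """Constructed sample of what a vulnerable ntpd sends for n_entries clients:
    6 items of 72 bytes per packet, M bit set on all but the last packet."""
    chunks = [range(i, min(i + ITEMS_PER_PACKET, n_entries))
              for i in range(0, n_entries, ITEMS_PER_PACKET)]
    replies = []
    for seq, chunk in enumerate(chunks):
        more = 0x40 if seq < len(chunks) - 1 else 0x00
        hdr = struct.pack("!BBBBHH", 0x80 | more | 0x17, seq & 0x7f, 3, 42,
                          len(chunk), MON_ITEM_LEN)
        data = b""
        for n in chunk:
            item = bytearray(MON_ITEM_LEN)
            struct.pack_into("!I", item, 12, 1000 + n)                         # count
            item[16:20] = socket.inet_aton("10.0.%d.%d" % (n >> 8, n & 0xff))  # made-up client
            struct.pack_into("!HBB", item, 28, 123, 3, 4)                      # port, mode 3, v4
            data += bytes(item)
        replies.append(hdr + data)
    return replies


def build_nodata_reply():
    """Header-only reply with err = INFO_ERR_NODATA, as 'disable monitor' answers."""
    return struct.pack("!BBBBHH", 0x80 | 0x17, 0, 3, 42, INFO_ERR_NODATA << 12, 0)


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # usage: python monlist_check.py your.ntp.server
        status, pkts = probe(sys.argv[1])
    else:                                      # no host given: use the constructed sample
        status, pkts = "constructed", build_monlist_replies(600)
    factor = amplification(MONLIST_REQUEST, pkts) if pkts else 0.0
    print("%s: %d packets, %d entries, x%.0f amplification"
          % (status, len(pkts), len(monlist_entries(pkts)), factor))
```

With the constructed full table of 600 entries the stream is 100 packets of 440 bytes, 44000 bytes back for 8 bytes sent, a factor of 5500. After applying the /etc/ntp.conf lines above, probe("127.0.0.1") should return 'nodata' or 'silent' and probe() from an outside host 'silent'; the same check with the stock tool is ntpdc -n -c monlist host, which prints "timeout" or "***Server reports data not found" on a fixed server.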

Malingering on?

And for some connections I monitor, I’m seeing the ntp monlist DDoS being attempted still!

All from old-time zombies/bots running headless that have yet to die? Or is there still an ongoing active attack?

Disabling ntp monlist is the most effective way to stop your server swamping its own outbound connections while contributing to the DDoS. However, if your internet connections are themselves old-timers, or just long-standing, and so are targets for excessive attempts, then traffic management, rate limiting, and automatically updated blacklists may well still be needed as well!
