Network Time Protocol (NTP) is an Internet standard protocol used to synchronize the clocks of computers to a time reference. It uses a hierarchical, semi-layered system of time sources. The NTP network architecture consists of primary time servers, secondary time servers, and clients. In this architecture, the primary time servers form the root of the hierarchy and are synchronized to a reference clock that is directly traceable to UTC. These primary time servers provide time services downstream to the secondary time servers, and the clients are synchronized to the secondary time servers.


Attack mechanism

NTP is based on the UDP protocol and organized in a client-server model. UDP is a connectionless protocol and does not use the three-way handshake that TCP uses, so a server replies to whatever source IP address a request carries. Attackers can exploit this property of NTP to launch reflection-based DDoS attacks. The following shows an attack process:
  1. Identify the targets of the attack: the victim to be flooded and the NTP servers on the network that will serve as reflectors.
  2. Forge the IP address of the victim and send clock synchronization requests with the spoofed source address to an NTP server. Attackers send requests that contain monlist commands, which greatly increases the volume of the responses and therefore the severity of the attack.

    NTP includes a monlist function, which is intended for monitoring NTP servers but has a security weakness. When an NTP server responds to a monlist command, it returns the IP addresses of the last 600 clients that performed time synchronization with it. The response is split into packets of six IP addresses each, so a single monlist command can return up to 100 packets. As a result, the spoofed address receives an amplified volume of UDP traffic from the NTP server.

    Laboratory tests show that if a request packet is 234 bytes long, each response packet is 482 bytes long. Based on this, the traffic is amplified by 206 times, calculated with the following equation: 482 × 100/234 = 206. The high volume of traffic overwhelms the target network, and its services become unavailable.
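The following is an added example, not code from the original page or from the Anti-DDoS service it describes. It decodes the 8-byte NTP mode 7 header that monlist requests and replies use (request codes 20 and 42 from ntpd's ntp_request.h), flags monlist probes arriving at UDP port 123 and monlist replies leaving it (a sign that a server is being used as a reflector), and reproduces the amplification calculation from the laboratory figures above. The packet dicts and payload bytes are constructed sample traffic, not a real capture.

```python
import struct

# NTP mode 7 request codes that return the monitor list (from ntpd's ntp_request.h)
MONLIST_REQ_CODES = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}

def parse_mode7(payload: bytes):
    """Decode the 8-byte NTP mode 7 header; return None if the packet is not mode 7."""
    if len(payload) < 8:
        return None
    flags, _auth_seq, impl, reqcode, err_nitems, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if flags & 0x07 != 7:              # low 3 bits are the NTP mode; 7 = private mode used by ntpdc
        return None
    return {
        "response": bool(flags & 0x80),  # R bit: set on server replies
        "more": bool(flags & 0x40),      # M bit: further reply packets follow
        "version": (flags >> 3) & 0x07,
        "impl": impl,
        "reqcode": reqcode,
        "nitems": err_nitems & 0x0FFF,   # low 12 bits: number of entries in this packet
        "item_size": mbz_size & 0x0FFF,
    }

def classify(pkt: dict):
    """Return an alert string for a UDP packet dict, or None for benign NTP traffic."""
    hdr = parse_mode7(pkt["payload"])
    if hdr is None or hdr["reqcode"] not in MONLIST_REQ_CODES:
        return None
    name = MONLIST_REQ_CODES[hdr["reqcode"]]
    if hdr["response"] and pkt["sport"] == 123:      # our server answering monlist: reflector in use
        return f"REFLECTION: {pkt['src']} answered {name} to {pkt['dst']} ({hdr['nitems']} entries, more={hdr['more']})"
    if not hdr["response"] and pkt["dport"] == 123:  # someone querying monlist on our server
        return f"PROBE: {pkt['src']} sent {name} to {pkt['dst']}"
    return None

def amplification_factor(request_bytes: int, response_bytes: int, response_packets: int) -> float:
    """Bytes returned per byte sent; one monlist request can elicit up to 100 reply packets."""
    return response_bytes * response_packets / request_bytes

# Constructed sample traffic: payloads are NTP headers only, addresses are documentation ranges.
SAMPLE = [
    {"src": "198.51.100.7", "sport": 40000, "dst": "203.0.113.10", "dport": 123,
     "payload": bytes([0x23]) + bytes(47)},                                   # ordinary v4 client request (mode 3)
    {"src": "198.51.100.7", "sport": 40000, "dst": "203.0.113.10", "dport": 123,
     "payload": bytes([0x17, 0, 3, 42]) + struct.pack("!HH", 0, 0)},          # mode 7 MON_GETLIST_1 request
    {"src": "203.0.113.10", "sport": 123, "dst": "192.0.2.5", "dport": 80,
     "payload": bytes([0xD7, 0, 3, 42]) + struct.pack("!HH", 6, 72) + bytes(6 * 72)},  # reply, R+M bits, 6 entries
]

def scan(packets):
    """Run classify() over a packet list and keep only the alerts."""
    return [a for a in (classify(p) for p in packets) if a]
```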

Use one of the following methods to mitigate NTP-based DDoS attacks:
  1. Purchase sufficient bandwidth resources.
  2. Use DDoS mitigation services to scrub abnormal inbound traffic and redirect normal traffic to servers.
  3. Configure the firewall to allow traffic on UDP port 123 only between the NTP servers and fixed IP addresses.
  4. Disable the monlist feature of the NTP server.
  5. Upgrade the NTP server software to version 4.2.7p26 or later.

Application scope

  • Anti-DDoS Premium and Anti-DDoS Pro