Network Time Protocol (NTP) is an Internet standard protocol that is used to synchronize the clocks of devices to some time references. NTP can be used to synchronize the clocks among multiple distributed servers and clients. This way, the clocks of all devices on the Internet can be the same.


Attack mechanism

NTP is based on the UDP protocol and organized in a client-server model. UDP is a connectionless protocol and does not use a three-way handshake, which is used in TCP. Attackers can exploit this vulnerability of NTP to launch DDoS attacks. The following procedure shows an attack process:
  1. Identify targets of attacks, which include attack objects and NTP server resources on the network.
  2. Forge the IP address of an attack target and send clock synchronization requests by using the spoofed IP address to an NTP server. Attackers send requests that contain monlist commands, which increases attack severity.

    NTP includes a monlist feature, which is used to monitor NTP servers. The monlist feature has a vulnerability. After a NTP server responds to a monlist command, the server returns the IP addresses of the last 600 clients that have performed time synchronization with the NTP server. The system splits response packages every six IP addresses and returns up to 100 packages for a single monlist command. In this case, the NTP server is overwhelmed with an amplified amount of UDP traffic.

    Laboratory tests show that if a request packet is 234 bytes long, each response packet is 482 bytes long. The traffic is amplified by 206 times. This result is calculated by using the following formula: 482 × 100/234 = 206. The high volume of traffic overwhelms the network, and the services become unavailable.

Use one of the following methods to mitigate NTP-based DDoS attacks:
  1. Purchase sufficient bandwidth resources.
  2. Use DDoS mitigation services to scrub abnormal inbound traffic and redirect normal traffic to servers.
  3. Configure the firewall to allow only the traffic between the NTP servers and fixed IP addresses over the UDP port 123.
  4. Disable the monlist feature of the NTP server.
  5. Upgrade the NTP server version to 4.2.7 p26.

Applicable scope

  • Anti-DDoS Pro and Anti-DDoS Premium