US-CERT Warns of NTP Amplification Attacks

US-CERT issued an alert warning of the recent rash of network time protocol (NTP) amplification attacks. NTP attacks have been blamed for recent DDoS attacks against popular online gaming sites.

US-CERT has issued an advisory that warns enterprises about distributed denial of service attacks flooding networks with massive amounts of UDP traffic using publicly available network time protocol (NTP) servers.

Known as NTP amplification attacks, hackers are exploiting something known as the monlist feature in NTP servers, also known as MON_GETLIST, which returns the IP address of the last 600 machines interacting with an NTP server. Monlists is a classic set-and-forget feature and is used generally to sync clocks between servers and computers. The protocol is vulnerable to hackers making forged REQ_MON_GETLIST requests enabling traffic amplification.

“This response is much bigger than the request sent making it ideal for an amplification attack,” said John Graham-Cumming of Cloudflare.

According to US-CERT, the MON_GETLIST command allows admins to query NTP servers for traffic counts. Attackers are sending this command to vulnerable NTP servers with the source address spoofed as the victim.

“Due to the spoofed source address, when the NTP server sends the response it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim,” the US-CERT advisory says. “Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks.”

To mitigate these attacks, US-CERT advises disabling the monlist or upgrade to NTP version 4.2.7, which also disables monlist.

NTP amplification attacks have been blamed for recent DDoS attacks against popular online games such as League of Legends, and others. Ars Technica today reported that the gaming servers were hit with up to 100 Gbps of UDP traffic. Similar traffic amounts were used to take down American banks and financial institutions last year in allegedly politically motivated attacks.

“Unfortunately, the simple UDP-based NTP protocol is prone to amplification attacks because it will reply to a packet with a spoofed source IP address and because at least one of its built-in commands will send a long reply to a short request,” Graham-Cumming said. “That makes it ideal as a DDoS tool.”

Graham-Cumming added that an attacker who retrieves a list of open NTP servers, which can be located online using available Metasploit or Nmap modules that will find NTP servers that support monlist.

Graham-Cumming demonstrated an example of the type of amplification possible in such an attack. He used the MON_GETLIST command on a NTP server, sending a request packet 234 bytes long. He said the response was split across 10 packets and was 4,460 bytes long.

“That’s an amplification factor of 19x and because the response is sent in many packets an attack using this would consume a large amount of bandwidth and have a high packet rate,” Graham-Cumming said.

“This particular NTP server only had 55 addresses to tell me about. Each response packet contains 6 addresses (with one short packet at the end), so a busy server that responded with the maximum 600 addresses would send 100 packets for a total of over 48k in response to just 234 bytes. That’s an amplification factor of 206x!”

Suggested articles


  • Chris on

    Great. Lets disable the internet because idiot ISPs are routing spoofed packets. How about someone fix the problem, instead of shooting all the messengers (DNS, NTP, ...)?
    • Jovan on

  • Eric on

    I said the same thing before I scrolled down and saw your comment
  • Heath Burt on

    I love when the "fix" advised is disable the feature...really? its a bit like saying abstinence is the only "fix" for stopping the spread of STDs.
    • Matt Henderson on

      You can't disable the "feature" of thousands of remote NTP servers that are not at version 4.2.7 if you are under attack. Plus, even if NTP traffic is blocked by the host, all the routers that serve the host being attacked would still try to forward the traffic. Really, this is just another example of the risk inherent in using the internet. The infrastructure is weak to the point where there could be a massive lack of availability of the internet. If that happens, there are global consequences as a major source of collective productivity instead becomes just the opposite.
  • Matt Henderson on

    I think the internet needs to build upon node reliance by the internet gatekeepers. Ideally, the ISPs should check a nodes traffic protocols, query the node for the digitally signed implementation and version, issue a warning if not current, and block traffic if the version is exploited. If the traffic is blocked early enroute to its target, the DDOS attack fails. Added bonus is that nodes would know when patches were available for software then are currently using. Enforcing banned exploited versions could be a collective agreement all internet users should abide by to share use of the internet...

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.