NTP Amplification Attack
What is NTP Amplification Attack?
NTP Amplification AttackA reflection DDoS attack abusing the NTP MONLIST (and similar) commands to make NTP servers reply with very large packets to a spoofed victim address.
NTP amplification abuses misconfigured Network Time Protocol servers that respond to control queries — historically the MONLIST command in pre-4.2.7 ntpd — with up to 600 entries about recent clients. By sending small MONLIST queries with the victim's IP spoofed as the source, an attacker can elicit response packets roughly 200–500× larger, which are reflected to the victim. The technique drove some of the largest pre-2016 DDoS attacks. Defences include upgrading ntpd or restricting MONLIST and other commands ("noquery" / "limited" in ntp.conf), source-address validation (BCP 38), rate-limiting NTP responses, and using DDoS scrubbing for high-volume mitigation. Despite being well-known, vulnerable NTP servers still appear in scans.
● Examples
- 01
An attacker sends a small MONLIST query with the victim's IP spoofed; the server replies with kilobytes of monitoring data sent to the victim.
- 02
Hundreds of public NTP servers are used in parallel to direct hundreds of gigabits of reflected traffic at a target.
● Frequently asked questions
What is NTP Amplification Attack?
A reflection DDoS attack abusing the NTP MONLIST (and similar) commands to make NTP servers reply with very large packets to a spoofed victim address. It belongs to the Attacks & Threats category of cybersecurity.
What does NTP Amplification Attack mean?
A reflection DDoS attack abusing the NTP MONLIST (and similar) commands to make NTP servers reply with very large packets to a spoofed victim address.
How do you defend against NTP Amplification Attack?
Defences for NTP Amplification Attack typically combine technical controls and operational practices, as detailed in the full definition above.