NTP amplification attack

  • Fabian Sinner
  • December 4, 2024


An NTP amplification attack is a form of distributed denial-of-service (DDoS) attack that abuses the Network Time Protocol (NTP) as a reflector and amplifier. The attacker sends small requests with a forged source address to publicly reachable NTP servers, which answer with much larger responses addressed to the victim, overloading and paralyzing the victim's network. 

How does an NTP amplification attack work?

An NTP amplification attack is a specialized Distributed Denial of Service (DDoS) attack that abuses NTP to greatly amplify traffic and disrupt or completely paralyze the availability of a target system. It exploits the fact that some NTP servers answer small requests with much larger responses, and combines this with IP spoofing so that the amplified responses flood the target rather than the attacker.  

  1. Fake requests (IP spoofing):

The attacker sends requests to a number of NTP servers, forging the source address of the packets so that they carry the target's IP address. This trick, called IP spoofing, ensures that the NTP servers' responses go to the victim rather than to the actual sender (the attacker). The requests themselves are tiny, so the attacker needs very little upstream bandwidth to launch a large attack. 

  2. Traffic amplification:

NTP's mode 7 management interface answers certain requests with far more data than the request contained. The notorious example is the monlist command, which returns the addresses of up to the last 600 hosts that talked to the server. The request fits in a single UDP datagram of a few dozen bytes, while the reply from a busy server runs to dozens of packets and tens of kilobytes. The measured bandwidth amplification is commonly tens to hundreds of times the request size, and US-CERT alert TA14-013A cites a factor of 556.9 for a full monlist. The attacker thus multiplies their own bandwidth many times over without sending much traffic themselves. 

This amplification makes the attack particularly effective. A single attacker can make simultaneous requests to multiple servers with little effort, generating a huge amount of data that is then sent to the target. 

  3. Network congestion (denial of service):

The responses from the NTP servers triggered by the spoofed requests are sent to the spoofed sender address, i.e., to the victim. Since these responses are many times larger than the original requests, the victim’s network or server resources are quickly overloaded. Depending on the extent of the attack, this can cause the victim’s network traffic to be blocked, services to fail, or the entire server to crash. 

Why is NTP vulnerable?

NTP is used primarily to synchronize clocks across computer networks. It listens by default on UDP port 123 and is often reachable from the internet, because many systems depend on accurate time stamps. Older ntpd versions (before 4.2.7p26) expose unauthenticated mode 7 management commands such as monlist, which return large amounts of data to any sender. Many of these servers still run with permissive default restrictions, which makes them usable as reflectors for amplification attacks. 

Amplification Rate

The amplification rate in an NTP amplification attack is the ratio between the size of the request and the size of the response it triggers. It depends on the server's configuration and on how many clients the server has recently seen: a lightly used server returns only a few monlist entries, while a full 600-entry list yields a response several hundred times larger than the request (US-CERT cites 556.9). Because the attacker can exploit many NTP servers at the same time, they can generate enormous amounts of traffic with minimal resources. 
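The following Python example is added here to illustrate both the monlist step described in the attack walkthrough above and the amplification rate; it is not code from the original article or from the NTP project. It constructs the mode 7 monlist request that open-reflector scanners send, parses the mode 7 header, and builds a constructed 600-entry response to compute the bandwidth amplification factor. The per-packet sizes (72-byte monitor entries, 6 entries per response packet) follow ntpd's mode 7 data structures but are assumptions here; the factor depends on them, and nothing is sent on the network.

```python
"""Worked example (added to this article, not the page's own code): the NTP mode 7
'monlist' request that open reflectors were abused with, and the amplification
arithmetic behind it. Packet sizes are constructed from ntpd's mode 7 structures
(72-byte monitor entries, up to 6 per response packet) and are assumptions for
illustration. Nothing is sent on the network."""
import struct

IMPL_XNTPD = 3          # implementation number of ntpd's mode 7 interface
REQ_MON_GETLIST_1 = 42  # request code for monlist (0x2a)
MON_ENTRY_SIZE = 72     # sizeof(struct info_monitor_1) in ntpd (assumption)
ENTRIES_PER_PACKET = 6  # 6 * 72 = 432 bytes fits the 500-byte mode 7 data limit (assumption)
IP_UDP_OVERHEAD = 28    # IPv4 + UDP headers, for an on-the-wire comparison


def build_monlist_request(sequence=0):
    """Return the 48 bytes of an unauthenticated monlist request.

    Byte 0 packs response(1) | more(1) | version(3) | mode(3): version 2, mode 7 -> 0x17.
    Byte 1 packs auth(1) | sequence(7). Bytes 4-7 (err/nitems, mbz/size) are zero in a
    request. The 40-byte data area is zero-filled."""
    header = bytes([0x17, sequence & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0, 0, 0])
    return header + bytes(40)


def parse_mode7_header(pkt):
    """Decode the 8-byte mode 7 header of a request or response packet."""
    if len(pkt) < 8:
        raise ValueError("short mode 7 packet")
    b0, b1, impl, code, err_nitems, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    return {
        "response": bool(b0 & 0x80),
        "more": bool(b0 & 0x40),          # set when further packets follow
        "version": (b0 >> 3) & 0x07,
        "mode": b0 & 0x07,
        "sequence": b1 & 0x7F,
        "implementation": impl,
        "request_code": code,
        "error": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "item_size": mbz_size & 0x0FFF,
    }


def build_monlist_response(entries, sequence=0):
    """Construct the response packets a reflector would send for `entries` monlist
    records (constructed sample data: every entry is zero-filled)."""
    packets = []
    remaining = entries
    while remaining > 0:
        n = min(ENTRIES_PER_PACKET, remaining)
        remaining -= n
        more = 0x40 if remaining > 0 else 0
        b0 = 0x80 | more | 0x17           # response bit, more bit, version 2, mode 7
        hdr = struct.pack("!BBBBHH", b0, sequence & 0x7F, IMPL_XNTPD,
                          REQ_MON_GETLIST_1, n, MON_ENTRY_SIZE)
        packets.append(hdr + bytes(n * MON_ENTRY_SIZE))
        sequence += 1
    return packets


def amplification(request, responses, overhead=0):
    """Bandwidth amplification factor: total response bytes / request bytes.
    With overhead=IP_UDP_OVERHEAD the ratio is taken per IP datagram instead of
    per UDP payload."""
    sent = len(request) + overhead
    received = sum(len(p) + overhead for p in responses)
    return received / sent


if __name__ == "__main__":
    req = build_monlist_request()
    full = build_monlist_response(600)    # the 600-entry limit the article mentions
    print(f"{len(full)} response packets, {sum(map(len, full))} payload bytes for a "
          f"{len(req)}-byte request: x{amplification(req, full):.0f} on UDP payload, "
          f"x{amplification(req, full, IP_UDP_OVERHEAD):.0f} on the wire")
```

The on-the-wire figure is lower than the payload figure because the 28 bytes of IP and UDP headers weigh proportionally more on the tiny request than on each 440-byte reply; published factors differ for the same reason, depending on which layer they count.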

How can an NTP amplification attack be detected?

An NTP amplification attack can be recognized by a number of specific signs. 

  • Sudden network congestion: A sharp increase in inbound traffic that saturates bandwidth and degrades or interrupts services is often the first sign. 
  • Increase in incoming UDP traffic from port 123: NTP uses this port by default. Reflected responses arrive with source port 123 from many different servers, so an unusual surge of such traffic indicates an attack in progress. 
  • Unusual outbound traffic from your own NTP servers: If a server you operate still answers monlist or other mode 7 queries, a burst of large responses from it to addresses it otherwise never talks to means it is being used as a reflector against someone else. 
  • IP spoofing patterns: On a reflector, a stream of identical small requests that all claim the same source address (the victim) and never act on the replies; on the victim, NTP responses from servers it never queried. Flow data (NetFlow, sFlow) or packet captures expose both patterns. 
  • Alerts from intrusion detection systems (IDS): IDS/IPS can recognize and alert on known signatures of NTP amplification traffic, such as mode 7 responses or monlist requests. 
  • Log analysis of NTP servers: Logs or packet captures at NTP servers may show an unusual number of monlist or similar mode 7 queries, which is typical for such an attack. 
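A detection example is added here to show how the two traffic-pattern signs above (unsolicited responses on the victim side, lopsided byte counts on the reflector side) can be checked against flow records; it is not code from the original article or from any product. The flow record format, the thresholds and all sample flows are constructed for illustration and should be tuned to a baseline of your own network.

```python
"""Detection example added to this article (not the page's own code): a small
NetFlow-style analyser for the two signatures described in the text, the
victim's side (unsolicited UDP/123 responses from many servers) and the
reflector's side (far more bytes sent back to one address than received from
it). Flow records, thresholds and sample data are constructed for illustration."""
from collections import defaultdict

NTP_PORT = 123

# Flow record (constructed format): (src_ip, src_port, dst_ip, dst_port, bytes, packets)


def unsolicited_ntp_responses(flows, min_sources=10, min_bytes=1_000_000):
    """Victim side. Sum inbound flows whose source port is 123 and whose
    destination never sent a request to that server. A real client first
    sends a request to port 123; reflected monlist replies have no such
    request. Returns {victim_ip: (distinct_reflectors, bytes)} for
    destinations above both thresholds."""
    requesters = {(src, dst) for src, _, dst, dport, _, _ in flows if dport == NTP_PORT}
    per_victim = defaultdict(lambda: [set(), 0])
    for src, sport, dst, _, nbytes, _ in flows:
        if sport == NTP_PORT and (dst, src) not in requesters:
            per_victim[dst][0].add(src)
            per_victim[dst][1] += nbytes
    return {v: (len(s), b) for v, (s, b) in per_victim.items()
            if len(s) >= min_sources and b >= min_bytes}


def reflector_abuse(flows, our_ntp_servers, min_ratio=20.0, min_bytes=100_000):
    """Reflector side. For each (our server, remote address) pair compare the
    bytes the server sent to the remote with the bytes it received from it.
    Ordinary time sync is about 1:1; a spoofed monlist flood yields a ratio in
    the hundreds towards an address that only ever sent tiny requests."""
    received = defaultdict(int)
    sent = defaultdict(int)
    for src, sport, dst, dport, nbytes, _ in flows:
        if dst in our_ntp_servers and dport == NTP_PORT:
            received[(dst, src)] += nbytes
        elif src in our_ntp_servers and sport == NTP_PORT:
            sent[(src, dst)] += nbytes
    hits = {}
    for pair, out_bytes in sent.items():
        ratio = out_bytes / max(received.get(pair, 0), 1)
        if out_bytes >= min_bytes and ratio >= min_ratio:
            hits[pair] = round(ratio, 1)
    return hits


# --- constructed sample data ---------------------------------------------------
# Victim's vantage point: one legitimate poll, plus 40 reflectors each delivering
# 100 monlist response packets (44,000 bytes) to 198.51.100.20, which never asked.
VICTIM_SIDE_FLOWS = [
    ("198.51.100.20", 40000, "203.0.113.250", NTP_PORT, 76, 1),   # legitimate request
    ("203.0.113.250", NTP_PORT, "198.51.100.20", 40000, 76, 1),   # and its reply
] + [
    (f"203.0.113.{i}", NTP_PORT, "198.51.100.20", 80, 44_000, 100) for i in range(1, 41)
]

# Reflector's vantage point: our server 192.0.2.53 serves a normal client and is
# also hit by 500 monlist requests carrying the victim's spoofed source address.
REFLECTOR_SIDE_FLOWS = [
    ("10.0.0.5", 40000, "192.0.2.53", NTP_PORT, 76, 1),
    ("192.0.2.53", NTP_PORT, "10.0.0.5", 40000, 76, 1),
    ("198.51.100.20", 80, "192.0.2.53", NTP_PORT, 38_000, 500),         # 500 x 76-byte requests
    ("192.0.2.53", NTP_PORT, "198.51.100.20", 80, 23_400_000, 50_000),  # 500 x 100 x 468-byte replies
]

if __name__ == "__main__":
    print("victims under reflection:", unsolicited_ntp_responses(VICTIM_SIDE_FLOWS))
    print("our servers abused as reflectors:", reflector_abuse(REFLECTOR_SIDE_FLOWS, {"192.0.2.53"}))
```

The reflector-side check is the one you can act on immediately: a hit names the server that needs patching or a noquery restriction, while the victim-side check mostly tells you to engage upstream filtering, since the traffic has already crossed your link by the time you see it.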
How can you protect against NTP amplification attacks?

To protect against NTP amplification attacks, various technical measures are necessary to secure both NTP servers and networks. The first step is to update all NTP servers: ntpd 4.2.7p26 and later no longer offer the monlist command, which removes the most powerful amplifier. If running an older version is unavoidable, switch the monitor facility off manually (the directive "disable monitor" in ntp.conf) so that monlist returns nothing. 

Another effective protective measure is to restrict access to NTP servers so that only trusted addresses can make requests. Firewalls and access control lists (ACLs) can block unwanted inbound UDP traffic on port 123, and ntpd's own restrict directives can deny mode 6/7 management queries ("noquery" on the default restrict line) while still answering ordinary time requests. To further secure NTP servers, they should not be publicly accessible unless absolutely necessary. 

A key point in preventing IP spoofing is source-address validation at the network edge. Internet service providers (ISPs) and network operators should deploy ingress and egress filtering (BCP 38) so that packets with forged source addresses can neither enter nor leave their networks; without spoofing, reflection attacks cannot be launched. 

Regular network monitoring is another important element in the early detection of an NTP amplification attack. Intrusion detection systems (IDS) or intrusion prevention systems (IPS) are able to recognize known attack patterns and trigger warnings. 
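As a worked example of the server-side measures above, the following Python script audits an ntp.conf for the two settings that turn a pre-4.2.7p26 ntpd into an open monlist reflector. It is added here and is not code from the original article or from the NTP project; the weak and hardened configurations are constructed examples, while the directive names ("disable monitor", "restrict default ... noquery") are genuine ntpd syntax.

```python
"""Configuration check added to this article (not the page's own code): audit an
ntp.conf for the settings that expose monlist on ntpd before 4.2.7p26. The weak
and hardened configurations below are constructed examples; the directives are
real ntpd syntax."""

WEAK_CONF = """\
# constructed example of an older default: everyone may query, monitor facility on
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
# answer time requests only; refuse mode 6/7 queries (ntpq/ntpdc, including monlist)
restrict -4 default kod nomodify notrap nopeer noquery limited
restrict -6 default kod nomodify notrap nopeer noquery limited
restrict 127.0.0.1
restrict ::1
# belt and braces: switch the monitor list off entirely
disable monitor
"""


def parse_ntp_conf(text):
    """Yield (keyword, args) for every non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            keyword, *args = line.split()
            yield keyword, args


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means the config passes both checks."""
    findings = []
    monitor_disabled = False
    default_restricts = []
    for keyword, args in parse_ntp_conf(text):
        if keyword == "disable" and "monitor" in args:
            monitor_disabled = True
        elif keyword == "restrict":
            flags = [a for a in args if a not in ("-4", "-6")]   # address-family selectors
            if flags and flags[0] == "default":
                default_restricts.append(flags[1:])
    if not monitor_disabled:
        findings.append("monitor facility enabled: add 'disable monitor' "
                        "(monlist is reachable on ntpd before 4.2.7p26)")
    if not default_restricts:
        findings.append("no 'restrict default' line: ntpd answers mode 6/7 queries from anyone")
    for flags in default_restricts:
        if "noquery" not in flags:
            findings.append("'restrict default' lacks 'noquery': mode 6/7 queries "
                            "are allowed from any address")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_ntp_conf(conf) or 'OK'}")
```

Run it against the configs of every ntpd you operate; a clean result still does not replace the firewall or ACL rule that keeps port 123 closed to the internet where the server only needs to serve internal clients.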
