
NTP Reflection Distributed Denial of Service (DDoS) Attacks

Symantec, the computer security solutions company, has reported a large number of NTP reflection distributed denial of service (DDoS) attacks over the December 2013 Christmas period.

What is an NTP Reflection Attack?

A reflection attack is conducted by an attacker sending a small request packet, with a forged source address, to a server; the server then sends a much larger response to the target IP address given in that forged source. In the case of NTP, attackers are targeting the ‘monlist’ function.

The monlist function can be used remotely to instruct an NTP server to send a list of the last 600 hosts that have contacted the server. This function potentially provides attackers with an ideal facility to carry out a DDoS attack, because a small request packet can redirect a large amount of traffic to a designated host.

By disabling the monlist function in your NTP server, you can prevent your server from being used as an unwitting reflector in a DDoS attack by hackers.

Disabling the ‘Monlist’ Function

The monlist function can easily be disabled by specifying the ‘restrict’ directive in the NTP configuration file. Log onto the SR-series configuration pages using a web browser and select the NTP button to go to the ‘NTP Configuration Menu’. Then select the ‘Edit NTP Configuration’ button to go to the ‘Edit Additional NTP Options’ page. Here you can enter the restrict directive in the format below to disable the monlist function:

restrict default kod nomodify notrap nopeer noquery

When the restrict directive has been added to the configuration file, save the file by clicking the ‘Save File’ button. The ‘NTP Configuration Menu’ will now be re-displayed. The NTP service now needs to be restarted for the changes to take effect; do this by clicking the ‘Submit’ button.

Check the log messages for any configuration errors to ensure that the command has been accepted by the NTP service and not mistyped. NTP only reports errors, so if no errors are reported for the modified configuration, it will have been accepted successfully. However, if you see an error similar to the one below, check that you did not mistype the restrict line in the NTP configuration file.

Jan 20 11:56:29 (none) daemon.err ntpd[1384]: configure: keyword "restrictt" unknown, line ignored

If no error is present in the log file, the monlist function should now be disabled. After the restart, allow 15 to 20 minutes for NTP to start up and re-synchronize itself to the configured reference clocks.
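The following script is an added example and is not part of the SR-series product or the original article. It automates the two checks described above: it inspects an ntp.conf to confirm that the ‘restrict default’ line carries the flags from this article (noquery is the flag that refuses ntpdc/ntpq queries, which is how monlist is served), and it scans ntpd log lines for the "keyword ... unknown, line ignored" error that signals a mistyped directive. The configuration fragments and log lines embedded below are constructed for the demonstration; the function names are this example's own.

```python
"""Audit an ntp.conf for the restrict line that blocks monlist, and scan ntpd
log output for rejected configuration keywords (added example, not vendor code)."""
import re

# Flags from the article's recommended line. noquery is the one that refuses
# ntpdc/ntpq mode 6/7 queries, and monlist is a mode 7 query.
REQUIRED_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery"}

# Matches ntpd's complaint about an unrecognised keyword, e.g. the article's
# 'configure: keyword "restrictt" unknown, line ignored'.
LOG_ERROR = re.compile(
    r'ntpd\[\d+\]:\s*configure: keyword "([^"]+)" unknown, line ignored'
)


def parse_restrict_default(conf_text):
    """Return the set of flags on the 'restrict default' line(s), or None if
    no such line exists. Comments are stripped, an optional -4/-6 address
    family selector is skipped, and several 'restrict default' lines are merged."""
    flags = None
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts or parts[0] != "restrict":
            continue
        args = parts[1:]
        if args and args[0] in ("-4", "-6"):
            args = args[1:]
        if args and args[0] == "default":
            flags = (flags or set()) | set(args[1:])
    return flags


def monlist_blocked(conf_text):
    """True when a 'restrict default' line is present and includes noquery."""
    flags = parse_restrict_default(conf_text)
    return flags is not None and "noquery" in flags


def missing_flags(conf_text):
    """Flags from the article's line that the configuration does not set."""
    flags = parse_restrict_default(conf_text) or set()
    return sorted(REQUIRED_FLAGS - flags)


def rejected_keywords(log_text):
    """Keywords ntpd rejected when parsing the configuration, in log order."""
    return LOG_ERROR.findall(log_text)


# Constructed sample: a configuration that still answers monlist queries.
WEAK_CONF = """\
# constructed example: no noquery on the default restriction
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

# Constructed sample: the article's recommended line applied.
HARDENED_CONF = """\
# constructed example: monlist blocked for everyone except localhost
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

# Constructed log samples: one with the article's typo error, one clean.
SAMPLE_LOG = """\
Jan 20 11:56:29 (none) daemon.err ntpd[1384]: configure: keyword "restrictt" unknown, line ignored
Jan 20 11:56:30 (none) daemon.notice ntpd[1384]: Listen normally on 2 eth0 192.0.2.10 UDP 123
"""
CLEAN_LOG = "Jan 20 11:56:30 (none) daemon.notice ntpd[1384]: Listen normally on 2 eth0 192.0.2.10 UDP 123\n"


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: monlist blocked={monlist_blocked(conf)} "
              f"missing={missing_flags(conf)}")
    print("rejected keywords:", rejected_keywords(SAMPLE_LOG))
```

Run it as-is to see the constructed samples reported, or read a real ntp.conf and the daemon log into strings and pass them to monlist_blocked(), missing_flags() and rejected_keywords(). A rejected keyword means the restrict line never took effect, so the monlist check should only be trusted when the log scan returns nothing.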