NTP "monlist" Attack Quick Fix

By Christopher Stone
Published Feb 10, 2014
CC By-SA Licensed
Recently, reflection-amplification attacks have been the hot topic in DDoS. In such an attack, the attacker uses an unwitting third party to increase the volume of traffic aimed at the victim. In the case of NTP, the attacker sends a small request (with the victim's address forged as its source) to an NTP time server, asking for information about who the time server has been communicating with (the so-called "monlist" command). The information returned is significantly larger than the original request, hence the amplification. Reflection attacks have been popular for a very long time because the traffic does not come from the attacker but from unwitting third parties, thus masking the identity of the attacker.

Versions of ISC NTPd up until 4.2.7 (released Dec 9, 2009) are vulnerable to this attack; the 4.2.7 version removed the "monlist" command because of this known vulnerability. The problem is that most systems on the Internet have not been updated: many Unix-like operating systems were still distributing older versions of NTPd until recently. Insecurity is the price we pay when software becomes outdated.

The Quick Fix

 restrict default kod limited nomodify noquery nopeer notrap
Everyone running a publicly accessible NTP server should have that line in their ntp.conf file. It should be followed by exceptions for privileged systems (especially monitoring and management computers, and other time servers that will be peering). Specifically, the "noquery" flag disallows administrative-style information requests such as "monlist". This does not block other computers from getting the time; that would require the "ignore" argument to the restrict directive.
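As an added example (not part of the original post), a small Python audit of the restrict directives in an ntp.conf: it reports which of the recommended flags the default rule lacks and which per-host exceptions still permit queries such as "monlist", so an administrator can review them. The two sample configurations and the 192.0.2.10 monitoring address are constructed for illustration.

```python
# Audit the "restrict" directives of an ntp.conf for the quick fix above.
RECOMMENDED = {"kod", "limited", "nomodify", "noquery", "nopeer", "notrap"}

# Constructed sample configs (not taken from any real server).
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default nomodify
restrict 127.0.0.1
"""

FIXED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod limited nomodify noquery nopeer notrap
restrict -6 default kod limited nomodify noquery nopeer notrap
restrict 127.0.0.1
restrict ::1
# hypothetical monitoring host: may query status, may not modify
restrict 192.0.2.10 nomodify notrap
"""


def parse_restrict(conf):
    """Return a list of (target, flag-set) for every restrict directive."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line.startswith("restrict"):
            continue
        tokens = line.split()[1:]
        if tokens and tokens[0] in ("-4", "-6"):  # address-family selector
            tokens = tokens[1:]
        target, rest, flags = tokens[0], tokens[1:], set()
        while rest:
            tok = rest.pop(0)
            if tok == "mask":
                rest.pop(0)                       # skip the netmask value
            else:
                flags.add(tok)
        rules.append((target, flags))
    return rules


def audit(conf):
    """Report recommended flags missing from 'default' and query-capable hosts."""
    rules = parse_restrict(conf)
    defaults = [f for t, f in rules if t == "default"]
    missing = set(RECOMMENDED) if not defaults else set()  # no default = wide open
    for f in defaults:
        missing |= RECOMMENDED - f
    # exceptions that can still run administrative queries like monlist
    query_allowed = [t for t, f in rules
                     if t != "default" and not ({"noquery", "ignore"} & f)]
    return {"missing": missing, "query_allowed": query_allowed}
```

Running `audit(WEAK_CONF)` flags the missing kod, limited, noquery, nopeer and notrap, while `audit(FIXED_CONF)` reports nothing missing and lists only the deliberate exceptions (localhost and the monitoring host).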