NTP and other UDP-based protocols can be used to amplify denial-of-service attacks. Servers running the network time protocol (NTP) based on implementations of ntpd prior to version 4.2.7p26 that use the default unrestricted query configuration are susceptible to a reflected denial-of-service (DRDoS) attack. Other proprietary NTP implementations may also be affected. This is similar in scope to DNS Amplification Attacks. In a reflected denial-of-service attack, the attacker spoofs the source address of attack traffic, replacing the source address with the target's address. Certain NTP control messages provide significant bandwidth amplification factors (BAF).



NTP is designed for time synchronization, and may also implement other features such as server administration, maintenance, and monitoring. NTP relies on the user datagram protocol (UDP) to send and receive messages, which does not validate the source (IP address) of the sender. The NTP DRDoS attack is similar to the reflective DoS attacks used on open DNS resolvers. The attacker sends a packet with their source address being the IP of a victim. The NTP server replies to this request, but the number of bytes sent in the response is an amplified amount compared to the initial request, resulting in a denial-of-service on the victim. The two highest message types, REQ_MON_GETLIST and REQ_MON_GETLIST_1 amplify the original request by a factor of up to 3660 and 5500 respectively. This bandwidth amplification factor (BAF) is a bandwidth multiplier based on the number of UDP payload bytes that are sent by the server in comparison to the UDP payload bytes of the request. Other message types can also be used in this attack, but REQ_MON_GETLIST and REQ_MON_GETLIST_1 create the biggest impact.



This vulnerability contains elements of CWE-406: Insufficient Control of Network Message Volume (Network Amplification).



More information can be found in Christian Rossow's "Amplification DDoS Attacks (Ab)using NTP Servers" blog post.



In April 2014, Rapid7 published R7-2014-12 documenting additional NTP commands that can amplify traffic and disclose potentially sensitive information.