The Network Time Protocol (NTP) synchronizes computer clocks across the internet. NTP uses Coordinated Universal Time (UTC) to synchronize computers with millisecond accuracy. UTC is obtained from accurate clocks, such as a GPS receiver that gets the time from satellites. NTP is a UDP-based service that uses port 123.
NTP Reflection Attacks
The attack has been observed to work as follows. The attacker sends spoofed NTP packets containing the monlist request code to vulnerable NTP servers. Monlist is a command that requests a list of the last 600 hosts that connected to the addressed NTP server. The NTP servers then send large replies to the spoofed IP address, which belongs to the victim, flooding the victim with traffic. This attack generates a great deal of traffic and can easily cause a denial of service (DoS). To avoid being used as a reflector, update the NTP server to NTP 4.2.7, where monlist queries are replaced with the mrulist function, which is able to authenticate the source IP address as the real client.
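For defenders, the request and reply pattern described above can be picked out of captured UDP port 123 traffic. The following is an added example, not code from the original page: it flags monlist packets and measures the reply-to-request byte ratio per claimed client. It assumes the mode 7 header layout and request codes 20 and 42 of the ntpd reference implementation and replies carrying six 72-byte entries each, none of which come from this page; the packets and addresses are constructed.

```python
import struct
from collections import defaultdict

NTP_PORT = 123
MODE_PRIVATE = 7            # ntpdc "private" mode, which carries monlist
MONLIST_CODES = {20, 42}    # REQ_MON_GETLIST, REQ_MON_GETLIST_1 (assumed from ntpd)

def parse_mode7(payload):
    """Return (is_response, request_code) for a mode 7 packet, else None."""
    if len(payload) < 8:
        return None
    first, _seq, _impl, code = struct.unpack("!BBBB", payload[:4])
    if first & 0x07 != MODE_PRIVATE:
        return None
    return bool(first & 0x80), code   # top bit of byte 0 marks a response

def monlist_report(packets):
    """packets: iterable of (src, dst, sport, dport, payload).
    Returns {claimed_client: {"req_bytes", "resp_bytes", "factor"}}."""
    stats = defaultdict(lambda: {"req_bytes": 0, "resp_bytes": 0})
    for src, dst, sport, dport, payload in packets:
        parsed = parse_mode7(payload)
        if parsed is None or parsed[1] not in MONLIST_CODES:
            continue
        is_response, _code = parsed
        if not is_response and dport == NTP_PORT:
            stats[src]["req_bytes"] += len(payload)   # src may be spoofed
        elif is_response and sport == NTP_PORT:
            stats[dst]["resp_bytes"] += len(payload)
    for s in stats.values():
        # factor is None when only replies were seen (victim-side capture)
        s["factor"] = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else None
    return dict(stats)

# Constructed sample traffic using documentation addresses (RFC 5737).
REQUEST = bytes([0x17, 0x00, 0x03, 42]) + bytes(4)             # mode 7 request header
RESPONSE = bytes([0xD7, 0x00, 0x03, 42]) + bytes(4 + 6 * 72)   # header + 6 entries
CLIENT_SYNC = bytes([0x23]) + bytes(47)                        # ordinary mode 3 query
SAMPLE = (
    [("198.51.100.7", "192.0.2.10", 40000, 123, REQUEST)]
    + [("192.0.2.10", "198.51.100.7", 123, 40000, RESPONSE)] * 100
    + [("203.0.113.5", "192.0.2.10", 50000, 123, CLIENT_SYNC)]
)

if __name__ == "__main__":
    for host, s in monlist_report(SAMPLE).items():
        print(host, s)
```

Any monlist reply leaving your own server means it still answers the query and can be used as a reflector; ordinary time queries such as the mode 3 packet in the sample are ignored by the report.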