NTP Reflected Flood

January 19, 2014 01:00 PM


Network Time Protocol synchronizes computer clock times across the internet. NTP uses Coordinated Universal Time (UTC) to synchronize computers with millisecond accuracy. UTC time is obtained using accurate clocks, such as a GPS receiver that gets the time from satellites. NTP is a UDP-based service, using port 123.

NTP Reflection Attacks

The observed manner, in which this attack is generated, is as follows: The attacker sends spoofed NTP packets, containing monlist request code, to the vulnerable NTP servers. Monlist is a command requesting a list of the last 600 hosts who connected to the addressed NTP server. The NTP servers then send large replies to the spoofed IP, the victim, thus flooding the victim. This attack generates a great deal of traffic and can easily cause DoS. One can avoid being used as a reflector by updating the NTP server to NTP 4.2.7, where monlist queries are replaced with the mrunlist function, which is able to authenticate the source IP address as the real client. 

Additional Information

For additional information regarding the threat, read the full Threat Alert.

Download Now

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

Get Social

Connect with experts and join the conversation about Radware technologies.

Radware Blog
Security Research Center