Derek Andrew Derek.Andrew at
Mon Jan 13 21:13:18 UTC 2014

nmap -sU -pU:123 -Pn -n --script=ntp-monlist serverIP

On Mon, Jan 13, 2014 at 3:07 PM, Jared Mauch <jared at> wrote:

> Greetings,
> With the recent increase in NTP attacks, I wanted to advise the community
> of a few things:
> There are about 1.2-1.5 million of these servers out there.
> 1) You can search your IP space to find NTP servers that respond to the
> ‘MONLIST’ queries.
> 2) I’ve found some vendors have old embedded versions of NTP including
> ILO/Service Processors and other parts of the “internet of things”.
> 3) You want to upgrade NTP, or adjust your ntp.conf to include ‘limited’
> or ‘restrict’ lines or both.  (I defer to someone else to be an expert in
> this area, but am willing to learn :) )
> 4) Please prevent packet spoofing where possible on your network.  This
> will limit the impact of spoofed NTP or DNS (amongst others) packets from
> impacting the broader community.
> 5) Some vendors don’t have an easy way to alter the ntp configuration, or
> have not or won’t be updating NTP, you may need to use ACLs, firewall
> filters, or other methods to block this traffic.  I’ve heard of many
> routers being used in attacks impacting the CPU usage.
> Take a moment and see if your devices respond to the following
> query/queries:
> ntpdc -n -c monlist
> ntpdc -n -c loopinfo
> ntpdc -n -c iostats
> 6) If you do VMs/Servers and have a template, please make sure that they
> do not respond to NTP requests.
> Thanks!
> - Jared

Copyright 2014 Derek Andrew (excluding quotations)

+1 306 966 4808
Information and Communications Technology
University of Saskatchewan
Peterson 120; 54 Innovation Boulevard
Saskatoon, Saskatchewan, Canada. S7N 2V3
Timezone GMT-6

Typed but not read.
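What the nmap script above and `ntpdc -n -c monlist` actually put on the wire, and how to read what comes back, as an added example for this thread (not code from the list, from nmap or from ntp.org): a builder for the unauthenticated mode 7 MON_GETLIST_1 request, a parser for the reply that also recognises error replies and the "more" bit, and a probe that reports the entries and the byte amplification you got from one request. The field layout follows ntp_request.h in the reference implementation (implementation 3, request code 42, 72-byte info_monitor_1 entries); the zero-padded request length, the sample client addresses and the host name are assumptions, and the reply builder exists only so the parser can be exercised offline.

```python
"""NTP mode 7 MON_GETLIST_1 ("monlist") request builder, reply parser and probe.

Added example for this thread; not code from the list or from ntp.org.  Field
layout follows ntp_request.h in the ntp.org reference implementation
(IMPL_XNTPD = 3, REQ_MON_GETLIST_1 = 42, 72-byte info_monitor_1 entries).
The padded request length, host names and sample client addresses are
assumptions / constructed values, not taken from the thread.
"""
import socket
import struct
import sys
from dataclasses import dataclass
from typing import List, Tuple

IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 42
HDR_FMT = "!BBBBHH"            # rm_vn_mode, auth_seq, implementation, request, err/nitems, mbz/size
MON1_FMT = "!7IHBBII16s16s"    # info_monitor_1: avg_int, last_int, restr, count, addr, daddr, flags,
MON1_LEN = struct.calcsize(MON1_FMT)  # port, mode, version, v6_flag, unused1, addr6, daddr6 = 72 bytes


@dataclass
class MonEntry:
    client: str     # address of a client the server has recently exchanged packets with
    count: int      # packets seen from it
    port: int
    mode: int
    version: int


def build_monlist_request(pad_to: int = 48) -> bytes:
    """Unauthenticated request: R=0 M=0 VN=2 mode=7 -> 0x17, seq 0, impl 3, code 42.
    Every request field lives in the 8-byte header; the zero padding length is an
    assumption chosen for this example."""
    hdr = struct.pack(HDR_FMT, 0x17, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)
    return hdr.ljust(pad_to, b"\x00")


def parse_monlist_response(pkt: bytes) -> Tuple[bool, List[MonEntry]]:
    """Return (more_follows, entries).  Raises ValueError for anything that is not a
    clean MON_GETLIST_1 reply, including error replies (err 4 = no data: the server
    answered, but monitoring is disabled)."""
    if len(pkt) < 8:
        raise ValueError("short packet")
    rm_vn_mode, _seq, impl, req, err_nitems, mbz_size = struct.unpack(HDR_FMT, pkt[:8])
    if not (rm_vn_mode & 0x80) or (rm_vn_mode & 0x07) != 7:
        raise ValueError("not a mode 7 response")
    if impl != IMPL_XNTPD or req != REQ_MON_GETLIST_1:
        raise ValueError("unexpected implementation/request code")
    err, nitems, size = err_nitems >> 12, err_nitems & 0x0FFF, mbz_size & 0x0FFF
    if err:
        raise ValueError(f"server returned error {err}")
    if size != MON1_LEN or len(pkt) < 8 + nitems * size:
        raise ValueError("unexpected item size or truncated reply")
    entries = []
    for i in range(nitems):
        off = 8 + i * size
        (_avg, _last, _restr, count, addr, _daddr, _flags, port, mode, version,
         v6_flag, _unused, addr6, _daddr6) = struct.unpack(MON1_FMT, pkt[off:off + size])
        client = (socket.inet_ntop(socket.AF_INET6, addr6) if v6_flag
                  else socket.inet_ntoa(struct.pack("!I", addr)))
        entries.append(MonEntry(client, count, port, mode, version))
    return bool(rm_vn_mode & 0x40), entries   # M bit set: another packet follows


def build_monlist_response(clients: List[str], more: bool = False) -> bytes:
    """Constructed reply in the server's format (IPv4 clients only), for lab use
    and for exercising the parser offline.  Six entries fill one 440-byte packet."""
    items = b"".join(
        struct.pack(MON1_FMT, 0, 0, 0, i + 1, struct.unpack("!I", socket.inet_aton(c))[0],
                    0, 0, 123, 3, 4, 0, 0, b"\x00" * 16, b"\x00" * 16)
        for i, c in enumerate(clients))
    flags = 0x97 | (0x40 if more else 0)     # R=1, M, VN=2, mode 7
    return struct.pack(HDR_FMT, flags, 0, IMPL_XNTPD, REQ_MON_GETLIST_1,
                       len(clients), MON1_LEN) + items


def probe(host: str, timeout: float = 2.0) -> Tuple[List[MonEntry], float]:
    """Send one request and collect replies until the M bit clears or the socket
    times out.  Returns (entries, bytes_received / bytes_sent).  No reply means the
    host does not answer monlist from this vantage point (noquery, filtered, or a
    build without the request); an error reply raises ValueError."""
    req = build_monlist_request()
    entries, received = [], 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 123))
        try:
            while True:
                data, _ = s.recvfrom(2048)
                received += len(data)
                more, batch = parse_monlist_response(data)
                entries.extend(batch)
                if not more:
                    break
        except socket.timeout:
            pass
    return entries, (received / len(req) if received else 0.0)


if __name__ == "__main__":
    found, factor = probe(sys.argv[1])      # e.g. python3 monlist.py 192.0.2.53
    print(f"{len(found)} monlist entries, amplification x{factor:.1f}")
    for e in found:
        print(f"  {e.client}:{e.port} count={e.count} mode={e.mode} v{e.version}")
```

Run it only against address space you are responsible for, and run it from outside your own filters, since a router ACL that passes the probe from the inside tells you nothing about the Internet-facing exposure. Where ntp.conf is editable, `disable monitor` removes the data this request reads, and `restrict default kod nomodify notrap nopeer noquery` stops mode 6 and mode 7 queries from being answered at all, which is what the "restrict" lines in item 3 of the quoted message refer to; re-run the probe afterwards and expect no reply rather than an error reply.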
