How do I protect my NTP server against use in amplification attacks?

Vulnerable NTP servers can be used as reflectors in a distributed reflected denial of service (DDoS) attack: a small spoofed query triggers a much larger reply aimed at the victim. In this tutorial we explain how to protect the NTP server on your Linux VPS.

Step 1

First, make sure that your operating system is up-to-date and that all updates have been installed. This bug in the NTP daemon dates from 2010, and more recent versions are not vulnerable to this attack.

Step 2

Check whether your own NTP server is vulnerable (on a Linux or FreeBSD server) using the command:

ntpd --version

This shows the version of your NTP daemon. It has to be 4.2.7p26 or higher. Alternatively, you can test this using the command:

ntpdc -n -c monlist localhost

If you see a list of client addresses, your server answers the monlist query and can be abused for this attack.

Step 3

If your NTP server is vulnerable, add the following lines to /etc/ntp.conf (the file location may vary depending on your OS):

restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
disable monitor

If you do not need your NTP server to respond on your public IP address, also add the following lines to your config:

restrict 127.0.0.1
restrict ::1

Step 4

Restart the NTP daemon to apply the changes:

/etc/init.d/ntp restart

You can use the following command to verify that your NTP server no longer answers monlist queries (it should time out instead of listing addresses):

ntpdc -n -c monlist localhost
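The four steps above can be checked from one script. The following POSIX shell script is an added example and is not part of the original article: it parses the output of ntpd --version and compares it against 4.2.7p26, decides from captured ntpdc output whether monlist was answered, and audits an ntp.conf for the restrict and disable monitor lines from Step 3. All sample version lines, monlist output and configuration snippets embedded in it are constructed for the example; the live audit at the end only runs when NTP_AUDIT_LIVE=1 is set in the environment.

```shell
#!/bin/sh
# Added example: offline checks for the NTP monlist amplification issue.
# Sample inputs below are constructed; they are not real captures.

SAMPLE_VERSION_LINE_OLD='ntpd 4.2.6p5@1.2349-o Fri Jul 22 17:30:51 UTC 2011 (1)'
SAMPLE_VERSION_LINE_NEW='ntpd 4.2.8p15@1.3728-o Tue Jun  2 14:23:32 UTC 2020 (1)'

# What a server that answers monlist returns (constructed, documentation addresses).
SAMPLE_MONLIST_OPEN='remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
 192.0.2.10              123 192.0.2.1             3 3 4    1d0     64      12
 198.51.100.7          45321 192.0.2.1             1 7 2    1d0      0       0'

# What a hardened server returns (constructed).
SAMPLE_MONLIST_CLOSED='localhost: timed out, nothing received
***Request timed out'

HARDENED_CONF='driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict ::1
disable monitor'

WEAK_CONF='driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer'

# Take the version token from an "ntpd --version" line: "ntpd 4.2.6p5@..." -> "4.2.6p5"
ntpd_version_from_line() {
    set -- $1
    printf '%s\n' "${2%%@*}"
}

# Turn "4.2.7p26" into one comparable integer (a missing pNN counts as 0).
ntp_version_key() {
    printf '%s\n' "$1" | awk -F'[.p]' '{ printf "%d", $1*1000000 + $2*10000 + $3*100 + (NF < 4 ? 0 : $4) }'
}

# Succeeds when version $1 is at least version $2.
ntp_version_at_least() {
    [ "$(ntp_version_key "$1")" -ge "$(ntp_version_key "$2")" ]
}

# Succeeds when captured ntpdc monlist output lists at least one client address.
monlist_responds() {
    n=$(printf '%s\n' "$1" | grep -Ec '^[[:space:]]*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[[:space:]]+[0-9]+' || true)
    [ "$n" -gt 0 ]
}

# Succeeds when the ntp.conf text in $1 carries the Step 3 hardening:
# noquery on the IPv4 and IPv6 default restrict lines, plus "disable monitor".
ntp_conf_hardened() {
    conf=$1
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*restrict[[:space:]]+(-4[[:space:]]+)?default[[:space:]].*noquery([[:space:]]|$)' || return 1
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*restrict[[:space:]]+(-6[[:space:]]+)?default[[:space:]].*noquery([[:space:]]|$)' || return 1
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*disable[[:space:]]+monitor([[:space:]]|$)' || return 1
}

# Runs the same checks against the real host; only used when NTP_AUDIT_LIVE=1.
audit_live_system() {
    if command -v ntpd >/dev/null 2>&1; then
        v=$(ntpd_version_from_line "$(ntpd --version 2>&1 | head -n 1)")
        if ntp_version_at_least "$v" 4.2.7p26; then
            echo "ntpd $v: version not affected"
        else
            echo "ntpd $v: older than 4.2.7p26, update (Step 1)"
        fi
    fi
    if command -v ntpdc >/dev/null 2>&1; then
        if monlist_responds "$(ntpdc -n -c monlist localhost 2>&1)"; then
            echo "monlist: server answers, harden ntp.conf (Step 3)"
        else
            echo "monlist: no answer"
        fi
    fi
    if [ -r /etc/ntp.conf ]; then
        if ntp_conf_hardened "$(cat /etc/ntp.conf)"; then
            echo "/etc/ntp.conf: restrict/disable monitor lines present"
        else
            echo "/etc/ntp.conf: missing noquery on default restrict or disable monitor"
        fi
    fi
}

if [ "${NTP_AUDIT_LIVE:-0}" = 1 ]; then
    audit_live_system
fi
```

Note that the noquery flag on the default restrict lines is what actually stops ntpd from answering monlist (and other ntpdc/ntpq queries) from the Internet; disable monitor switches the monlist facility off entirely, so the two lines back each other up. The audit function accepts a plain "restrict default" line as covering both address families, since ntpd applies it to IPv4 and IPv6 when no -4/-6 flag is given.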

Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.

If you want to discuss this article with other users, please leave a message under 'Comments'.