Disable NTP Monitoring

Please Note:

The text on this page was translated by translation software. A revised version from our editors will be available soon.

For Server with Linux

In this article you will learn how to disable NTP monitoring on your server.

By disabling NTP monitoring, you can prevent misuse of this service for a Distributed Reflected Denial of Service (DRDoS) attack.

What is NTP?

"Network Time Protocol" is a service on UDP port 123 which is responsible for time synchronization between client and server.

NTP monitoring favors DRDoS attacks

The NTP server logs all requests for time synchronization. This protocol can be retrieved externally using the NTP command monlist.

Attackers use this to generate a response with a small request. This is up to 200 times larger than the request itself. In the requesting package, the source IP is replaced by the IP of the server to be attacked. Since this function can therefore easily be misused for DRDoS attacks, NTP monitoring should be deactivated if possible.

Windows systems are not affected by this, since the "monlist" function is not integrated in Microsoft's NTP server; operators of a Windows server therefore do not need to become active here.

To check whether NTP monitoring is active

Use the following command to check whether monitoring is active on your server and whether it is therefore vulnerable to a corresponding attack:

root@s12345678:/# ntpdc -n -c monlist 127.0.0.1
***Server reports data not found

In the example above, monitoring is already deactivated, i.e. no further steps would be necessary here.

If monitoring is active, the result is something like this:

root@s12345678:/# ntpdc -n -c monlist 127.0.0.1
remote address port local address count m ver rstr avgint lstint
===============================================================================
78.47.xxx.x 123 87.106.132.xxx 10089 4 4 1d0 976 357
2001:a60::xxx:2 123 2001:8d8:xxx:xxxx::xx:91ef 10095 4 4 1d0 975 731
178.63.xxx.xxx 123 87.106.132.xxx 10082 4 4 1d0 976 888

To prevent your server from being abused for these types of attacks, you should disable NTP monitoring.

To disable NTP monitoring

Step 1

Add the disable monitor appendix to the end of /etc/ntp.conf.

Step 2

Restart the NTP service:

/etc/init.d/ntp restart 

Monitoring is now deactivated.