Disable NTP Monitoring
For servers running Linux
In this article you will learn how to disable NTP monitoring on your server.
By disabling NTP monitoring, you can prevent misuse of this service for a Distributed Reflected Denial of Service (DRDoS) attack.
What is NTP?
The "Network Time Protocol" (NTP) is a service on UDP port 123 that is responsible for time synchronization between client and server.
NTP monitoring favors DRDoS attacks
The NTP server logs all requests for time synchronization. This log can be retrieved remotely using the NTP command monlist.
Attackers use this to trigger a large response with a small request: the response is up to 200 times larger than the request itself. In the request packet, the source IP is replaced by the IP of the server to be attacked, so the response is sent to that server. Since this function can therefore easily be misused for DRDoS attacks, NTP monitoring should be deactivated if possible.
Windows systems are not affected by this, since the "monlist" function is not integrated in Microsoft's NTP server; operators of a Windows server therefore do not need to take any action here.
To check whether NTP monitoring is active
Use the following command to check whether monitoring is active on your server and whether it is therefore vulnerable to a corresponding attack:
root@s12345678:/# ntpdc -n -c monlist 127.0.0.1
***Server reports data not found
In the example above, monitoring is already deactivated, i.e. no further steps would be necessary here.
If monitoring is active, the result is something like this:
root@s12345678:/# ntpdc -n -c monlist 127.0.0.1
remote address          port local address                count m ver rstr avgint lstint
===============================================================================
78.47.xxx.x              123 87.106.132.xxx               10089 4 4    1d0    976    357
2001:a60::xxx:2          123 2001:8d8:xxx:xxxx::xx:91ef   10095 4 4    1d0    975    731
178.63.xxx.xxx           123 87.106.132.xxx               10082 4 4    1d0    976    888
To prevent your server from being abused for these types of attacks, you should disable NTP monitoring.
To disable NTP monitoring
Append the line disable monitor to the end of /etc/ntp.conf.
Restart the NTP service:
Monitoring is now deactivated.
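The configuration change above can be scripted so that the line is added only once and a backup is kept. This is an added example, not part of the original article; the function names are hypothetical, and the warning about "restrict ... limited" is taken from the ntpd documentation rather than from this page.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# Succeeds if an uncommented "disable" directive lists the monitor flag.
# "disable" accepts several flags per line, e.g. "disable auth monitor".
has_disable_monitor() {
    awk '{ sub(/#.*/, "") }
         $1 == "disable" { for (i = 2; i <= NF; i++) if ($i == "monitor") found = 1 }
         END { exit !found }' "$1"
}

# Succeeds if any uncommented restrict line carries the "limited" flag.
# Assumption from the ntpd documentation (not from the article): with
# "limited" present, ntpd keeps its monitoring facility active.
has_restrict_limited() {
    awk '{ sub(/#.*/, "") }
         $1 == "restrict" { for (i = 2; i <= NF; i++) if ($i == "limited") found = 1 }
         END { exit !found }' "$1"
}

# Appends "disable monitor" unless it is already in effect.
# Prints "added" or "unchanged"; returns 2 on error.
ensure_disable_monitor() {
    conf=${1:-/etc/ntp.conf}
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    if has_disable_monitor "$conf"; then
        echo "unchanged"
    else
        cp -p "$conf" "$conf.bak" || return 2
        # Make sure the new directive starts on its own line.
        [ -z "$(tail -c 1 "$conf")" ] || echo >> "$conf"
        echo "disable monitor" >> "$conf"
        echo "added"
    fi
    if has_restrict_limited "$conf"; then
        echo "warning: 'restrict ... limited' found, re-check with ntpdc" >&2
    fi
}

# Run only when a config path is given, e.g.: sh script.sh /etc/ntp.conf
if [ "$#" -gt 0 ]; then ensure_disable_monitor "$1"; fi
```

After the script reports "added", restart the NTP service and repeat the ntpdc check shown earlier to confirm the result.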