Disabling NTP Monitoring on a Linux Server
For Linux Servers
In this article, we'll explain the NTP service and show you how to disable NTP monitoring on your server.
By disabling NTP monitoring, you can prevent misuse of this service for a Distributed Reflected Denial of Service (DRDoS) attack.
How NTP Monitoring Allows DRDoS Attacks
The NTP server keeps a log of the clients that have requested time synchronization. This log can be retrieved remotely with the NTP command monlist.
Attackers use this to trigger, with a small request, a response that is up to 200 times larger than the request itself. In the request packet, the source IP is spoofed to the IP of the server to be attacked, so the large response is sent there instead. Since this function can therefore easily be misused for DRDoS attacks, NTP monitoring should be deactivated wherever possible.
Windows systems are not affected by this, since the monlist function is not part of Microsoft's NTP server. Accordingly, operators of Windows servers do not need to disable NTP monitoring.
Use the following command to check whether monitoring is active on your server and whether it is therefore exposed to this kind of attack:
root@s12345678:/# ntpdc -n -c monlist 127.0.0.1
***Server reports data not found
In the example above, monitoring is already deactivated, so no further steps are necessary.
If monitoring is active, the results will look similar to below:
root@s12345678:/# ntpdc -n -c monlist 127.0.0.1
remote address port local address count m ver rstr avgint lstint
===============================================================================
78.47.xxx.x 123 87.106.132.xxx 10089 4 4 1d0 976 357
2001:a60::xxx:2 123 2001:8d8:xxx:xxxx::xx:91ef 10095 4 4 1d0 975 731
178.63.xxx.xxx 123 87.106.132.xxx 10082 4 4 1d0 976 888
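As an added example that is not part of the original article, the following POSIX shell functions classify the output of the monlist check shown above and produce a hardened copy of ntp.conf that turns monitoring off with the ntpd directive disable monitor. The configuration path /etc/ntp.conf, the service restart command and the sample data are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the classic ntpd
# (ntp package) whose configuration lives in /etc/ntp.conf.

# Classify captured `ntpdc -n -c monlist` output read from stdin:
# "disabled" when ntpd answers "data not found", "active" when it returns
# the client table, "unknown" for anything else (e.g. ntpdc not installed).
classify_monlist() {
    out=$(cat)
    case "$out" in
        *"data not found"*) echo disabled ;;
        *"remote address"*) echo active ;;
        *)                  echo unknown ;;
    esac
}

# Read an ntp.conf from stdin and write a hardened copy to stdout:
# removes "monitor" from any "enable" line (dropping the line if nothing
# else is enabled there), keeps all other lines, and appends
# "disable monitor" unless a "disable ... monitor" line already exists.
# Running it twice yields the same result, so it is safe to re-apply.
harden_ntp_conf() {
    awk '
        $1 == "enable" {
            rest = ""
            for (i = 2; i <= NF; i++) if ($i != "monitor") rest = rest " " $i
            if (rest != "") print "enable" rest
            next
        }
        $1 == "disable" { for (i = 2; i <= NF; i++) if ($i == "monitor") seen = 1 }
        { print }
        END { if (!seen) print "disable monitor" }
    '
}

# Constructed sample configuration used for the demonstration below.
SAMPLE_CONF='driftfile /var/lib/ntp/ntp.drift
enable monitor stats
server 0.pool.ntp.org iburst'

# Demonstration on constructed data. On a real host you would instead run
# (restart command assumed; it differs between distributions):
#   ntpdc -n -c monlist 127.0.0.1 2>&1 | classify_monlist
#   harden_ntp_conf < /etc/ntp.conf > /tmp/ntp.conf.new \
#     && cp /tmp/ntp.conf.new /etc/ntp.conf && service ntp restart
printf '%s\n' '***Server reports data not found' | classify_monlist
printf '%s\n' "$SAMPLE_CONF" | harden_ntp_conf
```

After the restart, repeat the ntpdc check from above; it should now report data not found.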
NTP monitoring is now successfully deactivated.