Seven steps to secure ntp servers from DDoS attacks

Network time protocol (ntp) servers are regularly used to reflect and amplify spoofed UDP packets towards the target of a DDoS attack. Attacks are growing in size and frequency, and sometimes even cause issues for the organisations hosting the reflectors. Servers offering the 'monlist' command are particularly troublesome and can provide a huge amplification effect.
Securing ntp servers on your network not only stops you from becoming involved in an attack on another network, but also saves you from the costs and interruptions to service that the attack may cause on your own infrastructure.
- Locate any ntp servers on your networks that respond to the monlist command. http://openntpproject.org/ surveys the Internet for ntp servers and is a useful starting point. A script for nmap may give you a more thorough look at the current state of your network. An individual server can be tested with the following commands:
    $ ntpdc -n -c monlist <a.b.c.d>
  or
    $ ntpq -c rv <a.b.c.d>
- Minimise your exposure by removing or disabling any unnecessary ntp servers that you find.
- If any of the remaining ntp servers can be isolated from the Internet by a firewall, do so. You might be considering blocking all ntp traffic, but this can have an impact on legitimate services, so do it carefully.
- If possible, upgrade the software to NTP-4.2.7p26 or later. This version removes the monlist command.
- In older versions you can add 'disable monitor' to your ntp.conf configuration file.
- Team Cymru provide secure configuration templates for Cisco IOS, Juniper JUNOS and ntpd.
- For other systems contact your vendor for advice and support.
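
To triage the servers you keep against the upgrade and 'disable monitor' steps above, the following added example (not Janet CSIRT code) classifies a host from its ntpd version string and the text of its ntp.conf. The function names and sample configs are constructed for illustration, and treating any 'enable monitor' line as exposure is a conservative assumption of this example.

```shell
#!/bin/sh
# Added example: classify an ntpd host against the two fixes described above,
# upgrading to 4.2.7p26 or later, or adding 'disable monitor' to ntp.conf.

# Exit 0 if the version string is 4.2.7p26 or later (monlist removed).
# Accepts "4.2.6p5" or a full banner such as "ntpd 4.2.8p15@1.3728-o".
version_removes_monlist() {
    printf '%s\n' "$1" | awk '
        match($0, /[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?/) {
            split(substr($0, RSTART, RLENGTH), a, /[.p]/)  # a[4] = point release, may be empty
            have = ((a[1] * 1000 + a[2]) * 1000 + a[3]) * 1000 + a[4]
            need = ((4 * 1000 + 2) * 1000 + 7) * 1000 + 26
            ok = (have >= need); exit
        }
        END { exit ok ? 0 : 1 }'
}

# Exit 0 if ntp.conf text on stdin contains 'disable ... monitor'.
# Assumption of this example: any 'enable ... monitor' line counts as exposed.
conf_disables_monitor() {
    awk '
        { sub(/#.*/, "") }                                 # drop comments
        $1 == "disable" || $1 == "enable" {
            for (i = 2; i <= NF; i++) if ($i == "monitor") seen[$1] = 1
        }
        END { exit (seen["disable"] && !seen["enable"]) ? 0 : 1 }'
}

# monlist_status VERSION CONF_FILE -> prints removed | disabled | exposed
monlist_status() {
    if version_removes_monlist "$1"; then echo removed
    elif conf_disables_monitor < "$2"; then echo disabled
    else echo exposed
    fi
}

# Constructed sample configs (not taken from any real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'server ntp.example.org iburst\ndisable monitor\n' > "$demo_dir/fixed.conf"
printf 'server ntp.example.org iburst\n# disable monitor\n' > "$demo_dir/open.conf"

echo "4.2.6p5  + fixed.conf: $(monlist_status 'ntpd 4.2.6p5@1.2349-o' "$demo_dir/fixed.conf")"
echo "4.2.6p5  + open.conf:  $(monlist_status 'ntpd 4.2.6p5@1.2349-o' "$demo_dir/open.conf")"
echo "4.2.7p26 + open.conf:  $(monlist_status '4.2.7p26' "$demo_dir/open.conf")"
```

A host reported as "exposed" still needs one of the two fixes, or the firewall isolation described earlier in the list.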
If you need any further advice on how to secure your ntp configuration please contact Janet CSIRT.