In Febuary 2014, the Open NTP Project identified many addresses on our network that were of moderate to severe risk of participating in a NTP amplification attack. This attack queries NTP servers for large results using a fake source address. This request causes the response to go back to the faked address, resulting in a large amount of data being sent to a computer that did not request it. This effect, when used with thousands of NTP servers, directs a very large amount of traffic to a single IP to form an efficient distributed attack. The Content Delivery Network, CloudFlare, was recently the victim of an attack using this technique.

You can confirm your server is affected by querying the server from a Linux or Mac command line on a separate computer:

ntpdc -n -c monlist <server ip>

or

ntpq -c rv <server ip>

If the result to either of these commands is not “timed out, nothing received” then your server allows queries that it should not.

On servers running GNU/Linux CentOS version 5 or version 6, the problem usually can be resolved simply by restricting the types of NTP queries that are permitted by default.  This can be done in the /etc/ntp.conf file with the following:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

The NTP service will need to then be restarted for the change to take effect.  This can be done on CentOS by running as root:

/sbin/service ntpd restart

For advice on how to adjust a server to prevent NTP amplification or limit the IP ranges that can make NTP queries, or any other questions about the topics discussed in this article, please visit our Help Desk or email us. NTP consulting is covered under managed services.