Disabling NTP Monitoring on a Linux Server
Please use the “Print” function at the bottom of the page to create a PDF.
For Linux Servers
In this article, we'll explain the NTP service and show you how to disable NTP monitoring on your server.
By disabling NTP monitoring, you can prevent misuse of this service for a Distributed Reflected Denial of Service (DRDoS) attack.
What is NTP?
NTP (Network Time Protocol) is a service on UDP port 123 that is responsible for time synchronization between a client and server.
How NTP Monitoring Allows DRDoS Attacks
The NTP server logs all requests for time synchronization. This protocol can be retrieved externally using the NTP command monlist.
Attackers use this to generate a response with a small request, which is up to 200 times larger than the request itself. In the requesting package, the source IP is replaced by the IP of the server to be attacked. Since this function can therefore easily be misused for DRDoS attacks, NTP monitoring should be deactivated if possible.
Windows systems are not affected by this since the monlist function is not integrated in Microsoft's NTP server. Accordingly, operators of Windows servers do not need to disable NTP.
Use the following command to check whether monitoring is active on your server and whether it is vulnerable to a corresponding attack:
root@s12345678:/# ntpdc -n -c monlist 127.0.0.1
***Server reports data not found
In the example above, monitoring is already deactivated, so no further steps are necessary.
If monitoring is active, the results will look similar to below:
root@s12345678:/# ntpdc -n -c monlist 127.0.0.1
remote address port local address count m ver rstr avgint lstint
===============================================================================
78.47.xxx.x 123 87.106.132.xxx 10089 4 4 1d0 976 357
2001:a60::xxx:2 123 2001:8d8:xxx:xxxx::xx:91ef 10095 4 4 1d0 975 731
178.63.xxx.xxx 123 87.106.132.xxx 10082 4 4 1d0 976 888
Disabling NTP Monitoring
To prevent your server from being misused for these types of attacks, you should disable NTP monitoring by following these steps:
- Add the disable monitor appendix to the end of /etc/ntp.conf.
- Restart the NTP service:
/etc/init.d/ntp restart
NTP monitoring is now successfully deactivated.