NTP Amplification Source
NTP amplification is a reflective distributed denial-of-service (DDoS) technique in which an attacker sends small, spoofed NTP requests (typically the monlist command) to publicly accessible NTP servers, causing them to return responses up to 556 times larger to the spoofed victim IP. An IP flagged as an NTP amplification source has been observed sending these forged monlist queries, actively participating in DDoS amplification campaigns. Amplification factors of 200–700x make this one of the most bandwidth-efficient attack vectors.
High Severity
This threat is classified as high severity. Prioritize mitigation.
🔍Indicators
- High volume of outbound UDP/123 traffic to diverse NTP server IPs
- Source port always 123 (NTP) with short, uniform packet sizes (~48 bytes)
- Spoofed source addresses pointing to a victim IP (observed from network vantage points)
- Monlist responses (REQ_MON_GETLIST, REQ_MON_GETLIST_1) received by unrelated third-party hosts
- Traffic bursts correlated with known DDoS events reported in threat intelligence feeds
- Absence of legitimate NTP synchronization traffic patterns (no client-server time exchanges)
🛡Detection Methods
tcpdump — capture NTP monlist traffic
```bash
# Monitor for NTP mode 7 (private) packets; monlist uses request codes 20 (REQ_MON_GETLIST) and 42 (REQ_MON_GETLIST_1).
# udp[8] is the first payload byte; its low three bits are the NTP mode, so this matches only mode 7 traffic.
sudo tcpdump -i eth0 -n 'udp port 123 and udp[8] & 0x07 = 7' -X
# Capture raw NTP to file for analysis
sudo tcpdump -i eth0 -w ntp_capture.pcap 'udp port 123'
```
iptables — detect and log NTP amplification sources
```bash
# Log and rate-limit inbound NTP monlist responses (large payloads from source port 123)
iptables -A INPUT -p udp --sport 123 -m length --length 400:65535 \
  -m limit --limit 10/min -j LOG --log-prefix "NTP-AMP: "
iptables -A INPUT -p udp --sport 123 -m length --length 400:65535 \
  -j DROP
```
Snort rule
```
alert udp any 123 -> any any \
  (msg:"NTP Monlist Response — Potential Amplification"; \
  dsize:>400; \
  content:"|00 06 2a|"; offset:0; depth:3; \
  classtype:attempted-dos; sid:9100019; rev:1;)
```
Check if your NTP server is vulnerable
```bash
ntpdc -c monlist <your-ntp-server-ip>
# If it returns a list, the server is vulnerable and must be patched
```
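As an added example (not code from this page or from the ipfyi.com service), the following Python classifies a UDP/123 payload from its first four bytes as a monlist request, a monlist response, another mode 7 packet, or ordinary NTP, and computes the amplification factor of one exchange; the header layout is the ntpd mode 7 format, and the sample packets are constructed, not captured.

```python
"""Classify UDP/123 payloads as NTP mode 7 monlist requests/responses.

First four bytes of an NTP mode 7 (private) packet:
  byte 0: R(1) M(1) VN(3) MODE(3)  R = response bit, MODE must be 7
  byte 1: A(1) SEQ(7)
  byte 2: implementation number     3 = IMPL_XNTPD
  byte 3: request code              20 = REQ_MON_GETLIST, 42 = REQ_MON_GETLIST_1
"""
from dataclasses import dataclass

IMPL_XNTPD = 3
MONLIST_CODES = {20: "REQ_MON_GETLIST", 42: "REQ_MON_GETLIST_1"}


@dataclass
class Mode7Info:
    is_response: bool
    version: int
    implementation: int
    request_code: int
    length: int


def parse_mode7(payload: bytes):
    """Return Mode7Info for a mode 7 payload, or None if the packet is not mode 7."""
    if len(payload) < 4 or (payload[0] & 0x07) != 7:
        return None
    b0 = payload[0]
    return Mode7Info(is_response=bool(b0 & 0x80), version=(b0 >> 3) & 0x07,
                     implementation=payload[2], request_code=payload[3],
                     length=len(payload))


def classify(payload: bytes) -> str:
    """Label: 'monlist-request', 'monlist-response', 'mode7-other' or 'not-mode7'."""
    info = parse_mode7(payload)
    if info is None:
        return "not-mode7"
    if info.implementation == IMPL_XNTPD and info.request_code in MONLIST_CODES:
        return "monlist-response" if info.is_response else "monlist-request"
    return "mode7-other"


def amplification_factor(request: bytes, responses) -> float:
    """Bytes returned per byte sent for one request and its response packets."""
    return sum(len(r) for r in responses) / len(request)


# Constructed sample packets (not real captures): a 48-byte REQ_MON_GETLIST_1 query
# (0x17 = version 2, mode 7) and five 440-byte responses (0x97 = response bit set).
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(44)
MONLIST_RESPONSES = [bytes([0x97, 0x00, 0x03, 0x2A]) + bytes(436) for _ in range(5)]
```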
✅Mitigation
- Disable NTP monlist on all NTP servers you operate:
```bash
# /etc/ntp.conf
disable monitor
```
Then restart:
```bash
sudo systemctl restart ntp
```
- Block inbound UDP/123 at your border firewall if you do not operate a public NTP server.
- Implement BCP38 / uRPF (Unicast Reverse Path Forwarding) on your network edge to prevent IP spoofing originating from your ASN.
- Rate-limit NTP responses using iptables or router ACLs to cap outbound NTP traffic per source.
- Upgrade NTP software to ntpd 4.2.7p26+ or use chrony, which does not support monlist.
- Subscribe to DDoS threat intelligence feeds (e.g., Shadowserver, CISA advisories) to identify if your IPs are being reported as reflectors.
- Contact your upstream ISP if your IP is flagged — they can assist with traffic scrubbing and spoofing controls at the BGP level.
📋Real-World Examples
In February 2014, Cloudflare reported a then-record DDoS attack peaking at 400 Gbps directed at a customer, driven almost entirely by NTP amplification using misconfigured servers running vulnerable ntpd versions. The same month, a French hosting provider suffered a 480 Gbps NTP amplification attack — the largest recorded at that time — overwhelming multiple upstream transit links simultaneously.