By using this Help Desk you permit HonestRepair to collect your email address and the data you provide so they can provide support for your ticket.

HonestRepair > HonestRepair Help Desk > Knowledgebase

Search help:

How to prevent NTP DDoS attacks


The NTP time synchronization protocol can be abused to DDoS a target machine by forcing the machine to respond to a malicious request with a very large response. The attack is described in CVE-2015-5211 and is known as an NTP reflection attack or an NTP amplification attack. The attack abuses the "monlist" command, which can be utilized by an attacker to request a very large list of IP's from the target that is costly to prepare and send. By repeating the malicious request many times the target server can become unresponsive.

To check for a specific server's vulnerability to CVE-2015-5211 execute the following command with "TARGET" replaced with the target servers internal IP address.....

  • ntpdc -n -c monlist TARGET

The above command will result in a large list of IP addresses if the target server is vulnerable. If the request is denied or times out the server is not vulnerable.

To check if your server is vulnerable from external sources replace TARGET from the command above with the external IP address of the target server.

NOTE: Standard NTP requests utilize port 123.

If your server is vulnerable you can quickly and easily protect it by disabling the monlist command by running the following commands.....


  • sudo leafpad /etc/ntp.conf
  • Add the following to the END of the "ntp.conf" file:  disable monitor
  • sudo service ntpd restart
Was this article helpful? yes / no
Related articles Block an IP address using UFW rules
Article details
Article ID: 3
Category: Linux
Date added: 2018-08-14 00:26:05
Rating (Votes): Article rated 4.0/5.0 (4)

« Go back

Powered by Help Desk Software HESK, in partnership with SysAid Technologies