OTPulse

NTP Reflection Attack

ICS-CERT ICSA-14-051-04 · Nov 23, 2014
Summary

NTP versions 4.2.7p25 and earlier with MONLIST support are vulnerable to reflection-based distributed denial-of-service (DDoS) attacks. An attacker can query the MONLIST command using a spoofed source address; the NTP server responds with a large list of recently queried hosts, amplifying the attacker's traffic. This allows the attacker to flood a target network with traffic many times larger than the original query, disrupting network availability and time synchronization. The MONLIST command was historically used for monitoring and debugging but poses a significant amplification risk.

What this means
What could happen
An attacker can abuse NTP's MONLIST command to flood your network with traffic, consuming bandwidth and potentially preventing legitimate network communication. This can disrupt time synchronization across your facility's devices, causing control system misalignment or data logging issues.
Who's at risk
Water authorities and utilities running NTP time servers, particularly those with MONLIST enabled. Affects any facility relying on NTP for synchronized time across PLCs, RTUs, SCADA servers, and other control system devices. Organizations with NTP servers reachable from untrusted networks are at highest risk.
How it could be exploited
An attacker sends a single MONLIST query to your NTP server from a spoofed source IP address matching your network. The NTP server responds with a large list of recent clients, amplifying the attacker's traffic many times over and flooding your network or a target on it. No authentication is required.
Prerequisites
  • Network access to NTP port 123 (UDP)
  • NTP service with MONLIST command enabled
  • Attacker can spoof source IP addresses (true on the public internet)
  • Remotely exploitable
  • No authentication required
  • High EPSS score (92.1%)
  • No patch available (end-of-life product)
  • Can be used as DDoS amplification vector
Exploitability
High exploit probability (EPSS 92.1%)
Affected products (1)
Product                                  Affected Versions   Fix Status
NTP service NTP (with MONLIST support)   ≤ 4.2.7p25          No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable the MONLIST command on all NTP servers by setting 'disable MONLIST' in ntp.conf
HARDENING: Restrict NTP access via firewall rules: allow port 123 UDP only from known time sources and authorized clients, and block external MONLIST queries
WORKAROUND: Implement rate limiting on NTP responses if your NTP server supports it
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade NTP service to version 4.2.8 or later, which has MONLIST disabled by default
Mitigations - no patch available
NTP service NTP (with MONLIST support): <=4.2.7p25 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Monitor network traffic for unusual spikes in NTP responses originating from your servers
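One way to act on the monitoring control above: flag UDP/123 conversations in which a server sends far more bytes than it received from a peer, the signature of a MONLIST reflection. This is an added example, not OTPulse's code; the flow format and the addresses are constructed for illustration.

```python
"""Detect NTP amplification patterns in flow records (added example).

Input is a constructed, simplified flow format, one flow per line:
  ts src sport dst dport proto bytes packets
"""
from collections import defaultdict

# Constructed sample: 192.0.2.10 is an NTP server, 203.0.113.5 a normal
# client (48 bytes each way), 198.51.100.7 the spoofed address that
# receives the amplified replies without ever having asked for them.
SAMPLE_FLOWS = """\
1416700000 203.0.113.5 45000 192.0.2.10 123 udp 48 1
1416700000 192.0.2.10 123 203.0.113.5 45000 udp 48 1
1416700001 198.51.100.7 53412 192.0.2.10 123 udp 234 1
1416700001 192.0.2.10 123 198.51.100.7 53412 udp 48200 100
"""


def parse_flows(text):
    """Parse flow lines into dicts; skips blank lines and '#' comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, nbytes, pkts = line.split()
        flows.append({"ts": int(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto,
                      "bytes": int(nbytes), "packets": int(pkts)})
    return flows


def ntp_amplification(flows, ratio_threshold=10.0):
    """Return {(server, peer): (req_bytes, resp_bytes, ratio)} for UDP/123
    conversations where the server sent at least ratio_threshold times
    the bytes it received from that peer. Replies with no matching
    request at all are reported with an infinite ratio."""
    req = defaultdict(int)
    resp = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] == 123:            # request toward the server
            req[(f["dst"], f["src"])] += f["bytes"]
        elif f["sport"] == 123:          # response from the server
            resp[(f["src"], f["dst"])] += f["bytes"]
    hits = {}
    for key in set(req) | set(resp):
        r, s = req[key], resp[key]
        ratio = s / r if r else float("inf")
        if s and ratio >= ratio_threshold:
            hits[key] = (r, s, round(ratio, 1))
    return hits
```

Fed NetFlow/IPFIX-style records from the NTP servers' uplink, a sustained hit for a single peer is the spike this control asks you to watch for.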