NTP Reflection Attack

Act NowICS-CERT ICSA-14-051-04Nov 23, 2014

Summary

NTP versions 4.2.7p25 and earlier with MONLIST support are vulnerable to reflection-based distributed denial-of-service (DDoS) attacks. An attacker can query the MONLIST command using a spoofed source address; the NTP server responds with a large list of recently queried hosts, amplifying the attacker's traffic. This allows the attacker to flood a target network with traffic many times larger than the original query, disrupting network availability and time synchronization. The MONLIST command was historically used for monitoring and debugging but poses a significant amplification risk.

What this means

What could happen

An attacker can abuse NTP's MONLIST command to flood your network with traffic, consuming bandwidth and potentially preventing legitimate network communication. This can disrupt time synchronization across your facility's devices, causing control system misalignment or data logging issues.

Who's at risk

Water authorities and utilities running NTP time servers, particularly those with MONLIST enabled. Affects any facility relying on NTP for synchronized time across PLCs, RTUs, SCADA servers, and other control system devices. Organizations with NTP servers reachable from untrusted networks are at highest risk.

How it could be exploited

An attacker sends a single MONLIST query to your NTP server from a spoofed source IP address matching your network. The NTP server responds with a large list of recent clients, amplifying the attacker's traffic many times over and flooding your network or a target on it. No authentication is required.

Prerequisites

Network access to NTP port 123 (UDP)
NTP service with MONLIST command enabled
Attacker can spoof source IP addresses (true on the public internet)

Remotely exploitableNo authentication requiredHigh EPSS score (92.1%)No patch available (end-of-life product)Can be used as DDoS amplification vector

Exploitability

Likely to be exploited — EPSS score 92.1%

Metasploit module available — weaponized exploitView module ↗

Public Proof-of-Concept (PoC) on GitHub (6 repositories)

Affected products (1)

ProductAffected VersionsFix Status

NTP service NTP (with MONLIST support): <=4.2.7p25≤ 4.2.7p25No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDDisable the MONLIST command on all NTP servers by setting 'disable MONLIST' in ntp.conf

HARDENINGRestrict NTP access via firewall rules: allow port 123 UDP only from known time sources and authorized clients, block external MONLIST queries

WORKAROUNDImplement rate limiting on NTP responses if your NTP server supports it

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade NTP service to version 4.2.8 or later, which has MONLIST disabled by default

Mitigations - no patch available

0/1

NTP service NTP (with MONLIST support): <=4.2.7p25 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGMonitor network traffic for unusual spikes in NTP responses originating from your servers

CVEs (1)

CVE-2013-5211

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3d278595-ac19-4482-b8ce-e2af915e74f5

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.