[ntp:security] monlist reflective DDoS

Christian Rossow christian.rossow at gmail.com
Wed Aug 7 22:15:30 UTC 2013

Hi guys,

I'm currently writing up a conference article about reflective DDoS
attacks. As part of my research, I found that the ntpd "monlist" command
can be abused with 8-byte-wide requests and results in responses of up
44000 bytes. An attacker spoofing source IP addresses can thus add
severe load to a victim. Among all implementations and protocols that I
analyzed, this is by far the worst DRDoS scenario.

Have you heard of any DRDoS attacks likes this?

I scanned a subset of the IPv4 space and estimate that approximately
1,500,000 NTP servers are vulnerable to this kind of attack.

Probably I'm not the first one pointing this out to you and I was
wondering about your next steps. Solutions would be, e.g., to add
session handling or to disable monlist. In ntpd v4.2.7p368 I saw that
the mon_getlist function is only ACKing requests - is this how you will
fix this issue?

Amplifying traffic by >5000x will allow attackers to raise the current
DNS-based DRDoS attack bandwidth by an order of magnitude, i.e., easily
to Tbit/s attacks. Have you thought of ways how to communicate the
update to the community?

Thanks a lot for sharing your insights!


More information about the security mailing list