What is the NTP reflection-amplification attack?

Overview

An NTP reflection-amplification attack is a DDoS (Distributed Denial of Service) attack in which the attacker spoofs the victim's IP address and abuses an open NTP server to direct amplified UDP (User Datagram Protocol) traffic at the victim.

Network time protocol (NTP)

NTP is one of the oldest network protocols still in use and the standard way in which Internet-connected devices synchronize their clocks, which makes it an important part of the Internet's architecture.

Older versions of NTP allow administrators to query the server for traffic statistics. The monlist command serves this purpose: it returns a list of up to 600 hosts that recently connected to the NTP server.

Working of an NTP attack

Here is how the NTP reflection-amplification attack works:

  • The attacker, directly or through a botnet, repeatedly sends UDP packets to the NTP server with the source address spoofed to the victim's IP address.
  • Each packet asks the NTP server for the output of the monlist command.
  • The NTP server sends its much larger responses to the spoofed address, so the victim receives the amplified traffic.
  • This degrades the victim's services, consumes a large share of its bandwidth, and prevents it from serving legitimate traffic.

Figure: NTP reflection-amplification attack

Spoofing the victim's IP address is the reflection part of the attack: the server's replies are bounced off it toward a target that never sent a request. Generating a massive response from a small request is the amplification part.

Note: NTP attacks can have an amplification ratio (the ratio between the response size and the request size) between 20:1 and 200:1 or more, meaning that 1 Gbps of requests can generate 200 Gbps or more of traffic toward the victim.
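As an added example (not part of the original article), the following Python script turns the amplification-ratio idea above into a simple detection check over NetFlow-style records: for each peer of an NTP server it compares the bytes sent to UDP/123 with the bytes received from it, so a spoofed victim that "asks" for a few kilobytes and receives megabytes stands out. The record format, the sample addresses and the thresholds are constructed for this example.

```python
from collections import defaultdict

NTP_PORT = 123
# Normal NTP is ~1:1 (48-byte query, 48-byte answer); the article puts monlist
# amplification at 20:1 to 200:1, so a 10:1 response:request ratio is suspicious.
SUSPICIOUS_RATIO = 10.0
MIN_RESPONSE_BYTES = 50_000  # ignore aggregates too small to hurt anyone

# Constructed sample flows ("proto src_ip:port dst_ip:port bytes"): tiny requests
# carrying the spoofed victim address 198.51.100.7 reach two open NTP servers.
SAMPLE_FLOWS = """\
udp 198.51.100.7:53210 203.0.113.10:123 2340
udp 203.0.113.10:123 198.51.100.7:53210 468000
udp 198.51.100.7:53211 203.0.113.11:123 2340
udp 203.0.113.11:123 198.51.100.7:53211 702000
udp 192.0.2.50:42000 203.0.113.10:123 480
udp 203.0.113.10:123 192.0.2.50:42000 480
"""

def parse_flow(line):
    proto, src, dst, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return proto, src_ip, int(src_port), dst_ip, int(dst_port), int(nbytes)

def amplification_report(lines):
    """Per peer address: bytes sent to UDP/123 vs. bytes received from it."""
    peers = defaultdict(lambda: {"req": 0, "resp": 0, "reflectors": set()})
    for line in filter(str.strip, lines):
        proto, src_ip, src_port, dst_ip, dst_port, nbytes = parse_flow(line)
        if proto != "udp":
            continue
        if dst_port == NTP_PORT:        # request toward an NTP server
            peers[src_ip]["req"] += nbytes
        elif src_port == NTP_PORT:      # reply coming from an NTP server
            peers[dst_ip]["resp"] += nbytes
            peers[dst_ip]["reflectors"].add(src_ip)
    return dict(peers)

def suspected_victims(lines):
    """(ip, response:request ratio, reflector count) for peers receiving far more
    NTP traffic than they requested; no request at all gives an unbounded ratio."""
    hits = []
    for ip, p in amplification_report(lines).items():
        if p["resp"] < MIN_RESPONSE_BYTES:
            continue
        ratio = p["resp"] / p["req"] if p["req"] else float("inf")
        if ratio >= SUSPICIOUS_RATIO:
            hits.append((ip, round(ratio, 1), len(p["reflectors"])))
    return sorted(hits, key=lambda h: -h[1])
```

On the sample data the spoofed victim shows a 250:1 ratio across two reflectors, while the benign peer 192.0.2.50 (1:1, a few hundred bytes) is not reported.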

Prevention

Mitigating reflection DDoS attacks is difficult because UDP is connectionless: there is no handshake, so the NTP server answers every request it receives without verifying the source address.

However, the following measures can help:

  • A combination of over-provisioning and traffic filtering can absorb part of the load.
  • Take the site offline for a while.
  • Implement ingress filtering so that incoming packets are checked to actually belong to the network they claim to originate from, which stops spoofed requests at the edge.
  • Disable the monlist command by updating your NTP server to version 4.2.7 or later.

Copyright ©2025 Educative, Inc. All rights reserved