Security experts have recently warned that cybercriminals are increasingly abusing the Network Time Protocol (NTP) for distributed denial-of-service (DDoS) attacks. Now, even US-CERT has issued a warning regarding NTP amplification attacks.
Such attacks usually rely on the “monlist” command, which lets attackers direct large amounts of traffic at a specified IP address by sending a small request to a vulnerable NTP server.
The easiest way for organizations to ensure that their systems are not abused for such attacks is to upgrade NTP to the latest version (4.2.7), in which the “monlist” command is disabled.
If upgrading is not an option, the functionality can be disabled on public-facing NTP servers by adding the “noquery” directive to the “restrict default” lines in the ntp.conf file. Here is an example of how the lines should look:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
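
To check an existing configuration against the two lines above, the following added example (not part of the original article or of the NTP distribution) audits ntp.conf text for “restrict default” lines that lack “noquery”. The function name and the sample configuration are constructed for illustration, and it assumes, as in the pair shown above, that a bare “restrict default” is the IPv4 line and “restrict -6 default” is the IPv6 line.

```python
# Constructed sample ntp.conf contents, not taken from a real server.
WEAK_CONF = """\
# /etc/ntp.conf (constructed sample)
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

HARDENED_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
"""


def audit_restrict_default(conf_text):
    """Return (line_no, family, detail) for each default restriction that
    still permits queries. line_no is 0 when the family has no
    'restrict default' line in the file at all."""
    findings = []
    seen = set()
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        # Drop trailing comments, then split into whitespace-separated tokens.
        tokens = raw.split("#", 1)[0].split()
        if not tokens or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        family = "ipv4"  # assumption: a bare 'restrict default' is the IPv4 line
        if args and args[0] in ("-4", "-6"):
            family = "ipv6" if args[0] == "-6" else "ipv4"
            args = args[1:]
        if not args or args[0] != "default":
            continue  # host- or subnet-specific restriction, out of scope here
        seen.add(family)
        # 'ignore' drops every packet, queries included, so it also passes.
        if not set(args[1:]) & {"noquery", "ignore"}:
            findings.append((line_no, family, raw.strip()))
    for family in ("ipv4", "ipv6"):
        if family not in seen:
            findings.append((0, family, "no 'restrict default' line"))
    return findings


if __name__ == "__main__":
    for line_no, family, detail in audit_restrict_default(WEAK_CONF):
        print(f"line {line_no} ({family}): {detail}")
```
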