Free Security Tool

NTP Amplification Vulnerability Scanner

Check if your NTP server supports the monlist command, which enables amplification attacks with a devastating 556x factor. Enter your server IP to get an educational risk assessment.

Key figures: 556x amplification factor; 400+ Gbps attacks recorded; target port UDP 123.
Note: Browsers cannot send UDP packets to NTP servers. This tool provides an educational risk assessment. Use the command-line tests below for a definitive check.

How It Works

The NTP Monlist Vulnerability

CVE-2013-5211: the monlist command returns a list of the last 600 clients that connected to the NTP server.

The attacker sends a tiny monlist request (just 8 bytes in NTP's private mode 7 protocol) with a spoofed source IP. The NTP server responds with up to 100 packets containing its client list, potentially 4,460 bytes of response data.

This creates an amplification factor of approximately 556x, making NTP one of the most potent amplification vectors ever discovered. A single server can generate 1+ Gbps of attack traffic.

Unlike DNS amplification (28-54x), NTP monlist amplification is so extreme that even a small number of vulnerable servers can create massive attacks. In 2014, this technique was used to launch a 400 Gbps attack against CloudFlare.

NTP Monlist Attack Flow

Attacker -> NTP server: monlist request (8 bytes, source IP spoofed to the victim's address)
NTP server -> Victim: 100 response packets (~4,460 bytes)
Victim receives a 556x amplified flood
Request: 8 bytes; Response: ~4,460 bytes

Test Your Server

Commands to Check NTP Vulnerability

# Test for monlist support (the primary vulnerability)
ntpdc -n -c monlist YOUR_SERVER_IP

# If this returns a list of IPs, your server is VULNERABLE
# If you get "timed out" or "***Server reports data not found", you're safe

# Alternative test using ntpq
ntpq -c rv YOUR_SERVER_IP
# Check the version - anything below 4.2.7p26 may be vulnerable

# Check NTP version
ntpq -c "rv 0 version" YOUR_SERVER_IP

# Scan with nmap
nmap -sU -p 123 --script ntp-monlist YOUR_SERVER_IP
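The commands above query a live server. For checking a capture after the fact (for example, to find which of your hosts actually answered monlist during an incident), the following added example decodes the NTP mode 7 header from raw datagrams. It is not part of this page's scanner; it assumes ntpd's monlist request codes (20 and 42, from ntp_request.h) and uses constructed sample packets rather than real captures.

```python
import struct

REQ_MON_GETLIST, REQ_MON_GETLIST_1 = 20, 42   # monlist request codes from ntpd's ntp_request.h
MODE_PRIVATE = 7                              # mode 7 = ntpd private protocol spoken by ntpdc

def parse_ntp(data: bytes) -> dict:
    """Decode the NTP mode byte and, for mode 7 packets, the 8-byte private-mode header."""
    if len(data) < 4:
        return {"mode": None}                 # too short to be NTP; caller skips it
    first = data[0]
    info = {"version": (first >> 3) & 0x7, "mode": first & 0x7, "length": len(data)}
    if info["mode"] != MODE_PRIVATE or len(data) < 8:
        return info
    # Header: R|M|VN|Mode, Auth|Seq, implementation, request code,
    # err(4 bits)|nitems(12 bits), mbz(4 bits)|itemsize(12 bits); big-endian
    _, auth_seq, impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", data[:8])
    info.update(response=bool(first & 0x80), more=bool(first & 0x40),
                sequence=auth_seq & 0x7F, implementation=impl, request_code=req,
                error=err_nitems >> 12, nitems=err_nitems & 0x0FFF,
                itemsize=mbz_size & 0x0FFF,
                monlist=req in (REQ_MON_GETLIST, REQ_MON_GETLIST_1))
    return info

def exposed_servers(datagrams) -> list:
    """Hosts in (src_ip, payload) pairs that ANSWERED monlist; only responses prove it is enabled."""
    hits = set()
    for src, payload in datagrams:
        pkt = parse_ntp(payload)
        if pkt.get("monlist") and pkt.get("response"):
            hits.add(src)
    return sorted(hits)

def amplification_factor(request: bytes, responses) -> float:
    """Bytes returned per byte sent: the ratio that makes monlist worth abusing."""
    return round(sum(len(r) for r in responses) / len(request), 1)

# Constructed sample datagrams (not real captures): a normal NTPv4 client poll, an
# 8-byte monlist request, and one 440-byte monlist response holding six 72-byte entries.
CLIENT_POLL = bytes([0x23]) + bytes(47)                                    # VN=4, mode 3
MONLIST_REQ = struct.pack("!BBBBHH", 0x17, 0, 3, REQ_MON_GETLIST_1, 0, 0)  # VN=2, mode 7
MONLIST_RESP = struct.pack("!BBBBHH", 0x97, 0, 3, REQ_MON_GETLIST_1, 6, 72) + bytes(6 * 72)
SAMPLE_CAPTURE = [("203.0.113.5", CLIENT_POLL), ("192.0.2.9", MONLIST_REQ),
                  ("198.51.100.7", MONLIST_RESP)]

if __name__ == "__main__":
    print("hosts answering monlist:", exposed_servers(SAMPLE_CAPTURE))
    print("amplification over 100 response packets:",
          amplification_factor(MONLIST_REQ, [MONLIST_RESP] * 100))
```

Feed it the UDP payloads from a PCAP (source address plus bytes) and any host it lists still has monlist enabled and needs the remediation steps below.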

Historical Record

Notable NTP Amplification Attacks

Year  Target            Peak Size  Details
2014  CloudFlare        400 Gbps   Largest NTP amplification attack at the time, used ~4,529 NTP servers
2014  OVH               350 Gbps   Sustained attack leveraging European NTP servers
2014  US-CERT Advisory  N/A        TA14-013A issued warning about widespread NTP monlist abuse
2013  Various Gaming    100+ Gbps  First major wave of NTP amplification attacks targeting gaming infrastructure
2016  Dyn               1.2 Tbps   Multi-vector including NTP amplification component (primarily Mirai botnet)

Remediation

How to Secure Your NTP Server

1. Upgrade NTP to version 4.2.7p26 or later

Monlist was removed in ntpd 4.2.7p26. Upgrading is the simplest and most effective fix. On Ubuntu/Debian: apt update && apt upgrade ntp.

2. Disable monlist in ntp.conf

If you can't upgrade immediately, add disable monitor to /etc/ntp.conf and restart NTP. This disables the monlist command while keeping time synchronization working.

# Add to /etc/ntp.conf
disable monitor

# Restart NTP
systemctl restart ntp

3. Restrict NTP access

Add restrict lines to limit who can query your NTP server. Use noquery to prevent management queries while still allowing time sync.

# Add to /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

4. Firewall UDP port 123

If your NTP server only needs to serve your internal network, block external access to UDP port 123 entirely.

iptables -A INPUT -p udp --dport 123 -s YOUR_NETWORK/24 -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j DROP

5. Switch to chrony

Consider replacing ntpd with chrony, which is the default on modern RHEL/CentOS. Chrony does not support monlist and has a smaller attack surface. Install with apt install chrony or yum install chrony.

Protect Your Infrastructure with Flowtriq

Detect NTP amplification attacks and all other DDoS vectors in under 1 second. Real-time PPS monitoring with instant alerts.
