{
	"id": "610e6cf3-7d95-4955-b0d1-3c2738c6b441",
	"created_at": "2026-04-06T00:13:24.121042Z",
	"updated_at": "2026-04-10T03:20:23.565248Z",
	"deleted_at": null,
	"sha1_hash": "815bb0e0a1f78558778eb5b2bc604a6d7a658ad5",
	"title": "NTP amplification DDoS attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 201920,
	"plain_text": "NTP amplification DDoS attack\r\nArchived: 2026-04-05 18:20:37 UTC\r\nWhat is an NTP amplification attack?\r\nAn NTP amplification attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which\r\nan attacker exploits Network Time Protocol (NTP) server functionality in order to overwhelm a targeted network\r\nor server with an amplified amount of UDP traffic, rendering the target and its surrounding infrastructure\r\ninaccessible to regular traffic.\r\nHow does an NTP amplification attack work?\r\nAll amplification attacks exploit a disparity in bandwidth cost between an attacker and the targeted web resource.\r\nWhen the disparity in cost is magnified across many requests, the resulting volume of traffic can disrupt network\r\ninfrastructure. By sending small queries that result in large responses, the malicious user is able to get more from\r\nless. When multiplying this magnification by having each bot in a botnet make similar requests, the attacker\r\nboth hides from detection and reaps the benefits of greatly increased attack traffic.\r\nDNS flood attacks differ from DNS amplification attacks. Unlike DNS floods, DNS amplification attacks reflect\r\nand amplify traffic off unsecured DNS servers in order to hide the origin of the attack and increase its\r\neffectiveness. DNS amplification attacks use devices with smaller bandwidth connections to make numerous\r\nrequests to unsecured DNS servers. The devices make many small requests for very large DNS records, but when\r\nmaking the requests, the attacker forges the return address to be that of the intended victim. 
The amplification\r\nallows the attacker to take out larger targets with only limited attack resources.\r\nNTP amplification, much like DNS amplification, can be thought of in the context of a malicious teenager calling\r\na restaurant and saying “I’ll have one of everything, please call me back and tell me my whole order.” When the\r\nrestaurant asks for a callback number, the number given is the targeted victim’s phone number. The target then\r\nreceives a call from the restaurant with a lot of information that they didn’t request.\r\nThe Network Time Protocol is designed to allow internet connected devices to synchronize their internal clocks,\r\nand serves an important function in internet architecture. By exploiting the monlist command enabled on some\r\nNTP servers, an attacker is able to multiply their initial request traffic, resulting in a large response. This command\r\nis enabled by default on older devices, and responds with the last 600 source IP addresses of requests which have\r\nbeen made to the NTP server. The monlist response from a server with 600 addresses in its memory will be 206\r\ntimes larger than the initial request. This means that an attacker with 1 GB of internet traffic can deliver a 200+\r\ngigabyte attack - a massive increase in the resulting attack traffic.\r\nAn NTP amplification attack can be broken down into four steps:\r\n1. The attacker uses a botnet to send UDP packets with spoofed IP addresses to an NTP server which has its\r\nmonlist command enabled. The spoofed IP address on each packet points to the real IP address of the\r\nhttps://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/\r\nPage 1 of 3\n\nvictim.\r\n2. Each UDP packet makes a request to the NTP server using its monlist command, resulting in a large\r\nresponse.\r\n3. The server then responds to the spoofed address with the resulting data.\r\n4. 
The IP address of the target receives the response and the surrounding network infrastructure becomes\r\noverwhelmed with the deluge of traffic, resulting in a denial-of-service.\r\nAs a result of the attack traffic looking like legitimate traffic coming from valid servers, mitigating this sort of\r\nattack traffic without blocking real NTP servers from legitimate activity is difficult. Because UDP packets do not\r\nrequire a handshake, the NTP server will send large responses to the targeted server without verifying that the\r\nrequest is authentic. These facts, coupled with a built-in command which by default sends a large response, make\r\nNTP servers an excellent reflection source for DDoS amplification attacks.\r\nHow is an NTP amplification attack mitigated?\r\nFor an individual or company running a website or service, mitigation options are limited. This comes from the\r\nfact that the individual’s server, while it might be the target, is not where the main effect of a volumetric attack is\r\nfelt. Due to the high amount of traffic generated, the infrastructure surrounding the server feels the impact. The\r\nInternet Service Provider (ISP) or other upstream infrastructure providers may not be able to handle the incoming\r\ntraffic without becoming overwhelmed. As a result, the ISP may blackhole all traffic to the targeted victim’s IP\r\naddress, protecting itself and taking the target’s site off-line. Mitigation strategies, aside from offsite protective\r\nservices like Cloudflare DDoS protection, are mostly preventative internet infrastructure solutions.\r\nDisable monlist - reduce the number of NTP servers which support the monlist command.\r\nA simple solution to patching the monlist vulnerability is to disable the command. All versions of the NTP software\r\nprior to version 4.2.7 are vulnerable by default. 
By upgrading an NTP server to 4.2.7 or above, the command is\r\ndisabled, patching the vulnerability. If upgrading is not possible, following the US-CERT instructions will allow a\r\nserver’s admin to make the necessary changes.\r\nSource IP verification – stop spoofed packets leaving the network.\r\nBecause the UDP requests being sent by the attacker’s botnet must have a source IP address spoofed to the\r\nvictim’s IP address, a key component in reducing the effectiveness of UDP-based amplification attacks is for\r\ninternet service providers (ISPs) to reject any internal traffic with spoofed IP addresses. If a packet is being sent\r\nfrom inside the network with a source address that makes it appear like it originated outside the network, it’s\r\nlikely a spoofed packet and can be dropped. Cloudflare highly recommends that all providers implement ingress\r\nfiltering, and at times will reach out to ISPs who are unknowingly taking part in DDoS attacks (in violation of\r\nBCP38) and help them realize their vulnerability.\r\nThe combination of disabling monlist on NTP servers and implementing ingress filtering on networks which\r\npresently allow IP spoofing is an effective way to stop this type of attack before it reaches its intended network.\r\nHow does Cloudflare mitigate NTP amplification attacks?\r\nWith a properly configured firewall and sufficient network capacity (which isn't always easy to come by unless\r\nyou are the size of Cloudflare), it's trivial to block reflection attacks such as NTP amplification attacks. Although\r\nthe attack will target a single IP address, our Anycast network will scatter all attack traffic to the point where it is\r\nno longer disruptive. Cloudflare is able to use our advantage of scale to distribute the weight of the attack across\r\nmany Data Centers, balancing the load so that service is never interrupted and the attack never overwhelms the\r\ntargeted server’s infrastructure. 
During a recent six-month window, our DDoS mitigation system \"Gatebot\"\r\ndetected 6,329 simple reflection attacks (that's one every 40 minutes), and the network successfully mitigated all\r\nof them. Learn more about Cloudflare's advanced DDoS Protection.\r\nSource: https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/"
	],
	"report_names": [
		"ntp-amplification-ddos-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434404,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/815bb0e0a1f78558778eb5b2bc604a6d7a658ad5.pdf",
		"text": "https://archive.orkl.eu/815bb0e0a1f78558778eb5b2bc604a6d7a658ad5.txt",
		"img": "https://archive.orkl.eu/815bb0e0a1f78558778eb5b2bc604a6d7a658ad5.jpg"
	}
}