LAST UPDATED: 2022-06-26
This report identifies NTP servers that have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks.
The NTP version command is a Mode 6 query for READVAR. While not as bad as the Mode 7 query for MONLIST, the queries for READVAR will normally provide around 30x amplification.
To manually test if a system is vulnerable to this, you can use the command:
- Instructions for restricting READVAR for linux hosts can be found here.
- Instructions for restricting READVAR for Cisco gear can be found here.
For more details behind the scan methodology and a daily update of global NTP Version scan statistics please visit our dedicated NTP Version scan page.
You can learn more on the report in our NTP Version Report tutorial.
You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.
For more information on our scanning efforts, check out our Internet scanning summary page.