NTP Version Report

This report identifies NTP servers that have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks.

The NTP version command is a Mode 6 query for READVAR. While not as bad as the Mode 7 query for MONLIST, the queries for READVAR will normally provide around 30x amplification.

To manually test if a system is vulnerable to this, you can use the command:

ntpq -c rv [ip]

Statistics for these servers can be found here.
Instructions for restricting READVAR for linux hosts can be found here.
Instructions for restricting READVAR for Cisco gear can be found here.

Fields

timestamp

Time that the IP was probed in UTC+0
ip

The IP address of the device in question
protocol

Protocol that the NTP response came on (UDP)
port

Port that the NTP response came from
hostname

Reverse DNS name of the device in question
asn

ASN of where the device in question resides
geo

Country where the device in question resides
region

State / Province / Administrative region where the device in question resides
city

City in which the device in question resides
version

NTP software version and build time
clk_wander

Clock frequency wander (PPM)
clock

Date and time of day
error

Frequency error
frequency

Frequency offset (PPM) relative to hardware clock
jitter

Clock jitter
leap

Leap warning indicator (0-3)
mintc

Minimum time constant (log2 s) (3-10)
noise

"White phase" noise, aka jitter
offset

Combined offset of server relative to this host
peer

An identification number of the peer in use
phase

Combined offset of server relative to this host
poll

Poll messages sent (for association with a reference clock)
precision

Precision (log2 s)
processor

Hardware platform and version
refid

Reference ID or kiss code
reftime

Reference time
rootdelay

Total roundtrip delay to the primary reference clock
rootdispersion

Total dispersion to the primary reference clock
stability

PPM mean frequency deviation
state

The current mode of NTP operation, where 1 is symmetric active, 2 is symmetric passive, 3 is client, 4 is server, and 5 is broadcast
stratum

The stratum of the peer server (1-15) — anything greater than 1 is a secondary reference
system

Operating system and version
tai

TAI-UTC offest (s)
tc

Time constant and poll exponent (log2 s) (3-17)
naics

North American Industry Classification System Code
sic

Standard Industrial Classification System Code
sector

Industrial sector, if known

Sample

"timestamp","ip","protocol","port","hostname","asn","geo","region","city","version","clk_wander","clock","error","frequency","jitter","leap","mintc","noise","offset","peer","phase","poll","precision","processor","refid","reftime","rootdelay","rootdispersion","stability","state","stratum","system","tai","tc","naics","sic","sector"
"2018-08-19 01:15:40","207.173.174.43","udp",123,,7385,"US","COLORADO","COLORADO SPRINGS",4,,"0xdf23433c.3a38f036",,"5.923","1.038",0,,"0.977","0.083",,,10,"-10","unknown","204.130.255.3","0xdf234192.08d623f0","53.437","70.343","0.018",4,3,"UNIX",,,0,0,"Communications"
"2018-08-19 01:15:40","87.229.213.13","udp",123,,3216,"RU","MOSKVA","MOSCOW",4,,"0xdf23433c.968b4667",,"1.188","0.977",0,,"1.020","2.432",,,10,"-10","unknown","194.67.0.206","0xdf233fc5.c4524155","59.121","71.518","0.026",4,4,"UNIX",,,0,0,
"2018-08-19 01:15:40","95.83.188.204","udp",123,"95.83.188.204.spark-ryazan.ru",47313,"RU","RYAZANSKAYA OBLAST","DYADKOVO",,,"0xDF23433C.B56921D7","0.98","57.860",,0,,,,30235,,9,,,"86.110.181.167","0xDF2342FA.7A0F89E1","48.780","32.000",,,3,"cisco",,,0,0,
"2018-08-19 01:15:40","108.160.60.145","udp",123,,17306,"US","NEBRASKA","NORFOLK",,,"0xDF23433C.261D7B0F","0.60","4.090",,0,,,,35751,,10,,,"66.185.0.244","0xDF234186.BAC78602","107.540","19.470",,,4,"cisco",,,0,0,"Communications"
"2018-08-19 01:15:40","221.183.29.98","udp",123,,9808,"CN",,"BEIJING",,"0.000","0xdf2342cc.93aa0fa5",,"5.455","0.000",3,3,,"0.000",,,,"-18","processor","INIT","0xdeccb221.532faa9e","0.000","85088.850",,,16,"/",,6,0,0,"Communications"
"2018-08-19 01:15:40","14.47.41.105","udp",123,,4766,"KR","GYEONGGLDO","SUWON","ntpd 4.1.1c-rc1@1.836 Wed Aug  8 14:37:46 KST 2012 (361)",,"0xdf23c1cc.8eac1094",,"-499.608","587.301",0,,,"3.212",,,14,"-15","mips","220.73.142.69","0xdd38f01d.efc83a96","8.794","8766.430","22.037",4,16,"Linux2.6.18_pro500-p34xx-mips2_fp_le-ubiquoss",,,518111,737415,"Communications"
"2018-08-19 01:15:40","207.173.38.241","udp",123,,7385,"US","COLORADO","FOUNTAIN",4,,"0xdf23433c.a990e10e",,"5.923","1.038",0,,"0.977","0.083",,,10,"-10","unknown","204.130.255.3","0xdf234192.08d623f0","53.437","70.343","0.018",4,3,"UNIX",,,0,0,"Communications"
"2018-08-19 01:15:40","176.74.75.254","udp",123,,34797,"GE","TBILISI","TBILISI",4,,"0xdf234517.989374bc",,"0.000","0.977",3,,"0.977","0.000",,,6,"-10","unknown","INIT","0x00000000.00000000","0.000","96691.215","0.000",0,16,"UNIX",,,0,0,
"2018-08-19 01:15:40","75.77.196.135","udp",123,"75.77.196.135.nw.nuvox.net",7029,"US","GEORGIA","ATLANTA",4,,"0xDF23433C.787DA43A",,"8.236","1.078",0,,"0.154","2.604",,,6,"-24","unknown","64.89.70.60","0xDF2341DB.192D69BF","38.046","105.614","0.008",4,3,"UNIX",,,518111,737401,"Commercial Facilities"
"2018-08-19 01:15:40","201.216.244.190","udp",123,"customer-static-201-216-244.190.iplannetworks.net",16814,"AR","BUENOS AIRES","GREGORIO DE LAFERRERE",,,"0xDF23433C.17F0211B","0.12","11.600",,0,,,,23953,,6,,,"200.61.191.25","0xDF2342FE.A0FE7AEB","2.470","0.350",,,2,"cisco",,,0,0,
"2018-08-19 01:15:40","116.38.11.182","udp",123,,17858,"KR","SEOUL TEUGBYEOLSI","SEOUL","ntpd 4.1.1c-rc1@1.836 Tue Apr 12 02:17:55 KST 2011 (471)",,"0xdf23c1cc.afab862b",,"-28.047","2286.390",0,,,"1.016",,,17,"-17","mips","180.225.21.146","0xbc17c21c.8b897204","11.058","11317.784","10.314",4,5,"Linux2.4.20_mvl31-bcm95836cpci",,,0,0,"Communications"

Our 80 Report Types

« Back to Network Reporting