NTP Version Report

This report identifies NTP servers that could be abused in amplification attacks by criminals who wish to launch denial-of-service attacks.

The NTP version command is a Mode 6 query for READVAR. While not as bad as the Mode 7 query for MONLIST, the queries for READVAR will normally provide around 30x amplification.

To manually test if a system is vulnerable to this, you can use the command:

ntpq -c rv [ip]
  • Statistics for these servers can be found here.
  • Instructions for restricting READVAR for Linux hosts can be found here.
  • Instructions for restricting READVAR for Cisco gear can be found here.

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the NTP response came on (UDP)
  • port
    Port that the NTP response came from
  • hostname
    Reverse DNS name of the device in question
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • version
    NTP software version and build time
  • clk_wander
    Clock frequency wander (PPM)
  • clock
    Date and time of day
  • error
    Frequency error
  • frequency
    Frequency offset (PPM) relative to hardware clock
  • jitter
    Clock jitter
  • leap
    Leap warning indicator (0-3)
  • mintc
    Minimum time constant (log2 s) (3-10)
  • noise
    "White phase" noise, aka jitter
  • offset
    Combined offset of server relative to this host
  • peer
    An identification number of the peer in use
  • phase
    Combined offset of server relative to this host
  • poll
    Poll messages sent (for association with a reference clock)
  • precision
    Precision (log2 s)
  • processor
    Hardware platform and version
  • refid
    Reference ID or kiss code
  • reftime
    Reference time
  • rootdelay
    Total roundtrip delay to the primary reference clock
  • rootdispersion
    Total dispersion to the primary reference clock
  • stability
    PPM mean frequency deviation
  • state
    The current mode of NTP operation, where 1 is symmetric active, 2 is symmetric passive, 3 is client, 4 is server, and 5 is broadcast
  • stratum
    The stratum of the peer server (1-15) — anything greater than 1 is a secondary reference
  • system
    Operating system and version
  • tai
    TAI-UTC offset (s)
  • tc
    Time constant and poll exponent (log2 s) (3-17)
  • naics
    North American Industry Classification System Code
  • sic
    Standard Industrial Classification System Code
  • sector
    Industrial sector, if known

Sample

"timestamp","ip","protocol","port","hostname","asn","geo","region","city","version","clk_wander","clock","error","frequency","jitter","leap","mintc","noise","offset","peer","phase","poll","precision","processor","refid","reftime","rootdelay","rootdispersion","stability","state","stratum","system","tai","tc","naics","sic","sector"
"2018-08-19 01:15:40","207.173.174.43","udp",123,,7385,"US","COLORADO","COLORADO SPRINGS",4,,"0xdf23433c.3a38f036",,"5.923","1.038",0,,"0.977","0.083",,,10,"-10","unknown","204.130.255.3","0xdf234192.08d623f0","53.437","70.343","0.018",4,3,"UNIX",,,0,0,"Communications"
"2018-08-19 01:15:40","87.229.213.13","udp",123,,3216,"RU","MOSKVA","MOSCOW",4,,"0xdf23433c.968b4667",,"1.188","0.977",0,,"1.020","2.432",,,10,"-10","unknown","194.67.0.206","0xdf233fc5.c4524155","59.121","71.518","0.026",4,4,"UNIX",,,0,0,
"2018-08-19 01:15:40","95.83.188.204","udp",123,"95.83.188.204.spark-ryazan.ru",47313,"RU","RYAZANSKAYA OBLAST","DYADKOVO",,,"0xDF23433C.B56921D7","0.98","57.860",,0,,,,30235,,9,,,"86.110.181.167","0xDF2342FA.7A0F89E1","48.780","32.000",,,3,"cisco",,,0,0,
"2018-08-19 01:15:40","108.160.60.145","udp",123,,17306,"US","NEBRASKA","NORFOLK",,,"0xDF23433C.261D7B0F","0.60","4.090",,0,,,,35751,,10,,,"66.185.0.244","0xDF234186.BAC78602","107.540","19.470",,,4,"cisco",,,0,0,"Communications"
"2018-08-19 01:15:40","221.183.29.98","udp",123,,9808,"CN",,"BEIJING",,"0.000","0xdf2342cc.93aa0fa5",,"5.455","0.000",3,3,,"0.000",,,,"-18","processor","INIT","0xdeccb221.532faa9e","0.000","85088.850",,,16,"/",,6,0,0,"Communications"
"2018-08-19 01:15:40","14.47.41.105","udp",123,,4766,"KR","GYEONGGLDO","SUWON","ntpd 4.1.1c-rc1@1.836 Wed Aug  8 14:37:46 KST 2012 (361)",,"0xdf23c1cc.8eac1094",,"-499.608","587.301",0,,,"3.212",,,14,"-15","mips","220.73.142.69","0xdd38f01d.efc83a96","8.794","8766.430","22.037",4,16,"Linux2.6.18_pro500-p34xx-mips2_fp_le-ubiquoss",,,518111,737415,"Communications"
"2018-08-19 01:15:40","207.173.38.241","udp",123,,7385,"US","COLORADO","FOUNTAIN",4,,"0xdf23433c.a990e10e",,"5.923","1.038",0,,"0.977","0.083",,,10,"-10","unknown","204.130.255.3","0xdf234192.08d623f0","53.437","70.343","0.018",4,3,"UNIX",,,0,0,"Communications"
"2018-08-19 01:15:40","176.74.75.254","udp",123,,34797,"GE","TBILISI","TBILISI",4,,"0xdf234517.989374bc",,"0.000","0.977",3,,"0.977","0.000",,,6,"-10","unknown","INIT","0x00000000.00000000","0.000","96691.215","0.000",0,16,"UNIX",,,0,0,
"2018-08-19 01:15:40","75.77.196.135","udp",123,"75.77.196.135.nw.nuvox.net",7029,"US","GEORGIA","ATLANTA",4,,"0xDF23433C.787DA43A",,"8.236","1.078",0,,"0.154","2.604",,,6,"-24","unknown","64.89.70.60","0xDF2341DB.192D69BF","38.046","105.614","0.008",4,3,"UNIX",,,518111,737401,"Commercial Facilities"
"2018-08-19 01:15:40","201.216.244.190","udp",123,"customer-static-201-216-244.190.iplannetworks.net",16814,"AR","BUENOS AIRES","GREGORIO DE LAFERRERE",,,"0xDF23433C.17F0211B","0.12","11.600",,0,,,,23953,,6,,,"200.61.191.25","0xDF2342FE.A0FE7AEB","2.470","0.350",,,2,"cisco",,,0,0,
"2018-08-19 01:15:40","116.38.11.182","udp",123,,17858,"KR","SEOUL TEUGBYEOLSI","SEOUL","ntpd 4.1.1c-rc1@1.836 Tue Apr 12 02:17:55 KST 2011 (471)",,"0xdf23c1cc.afab862b",,"-28.047","2286.390",0,,,"1.016",,,17,"-17","mips","180.225.21.146","0xbc17c21c.8b897204","11.058","11317.784","10.314",4,5,"Linux2.4.20_mvl31-bcm95836cpci",,,0,0,"Communications"
