Introduction

This report identifies NTP servers that can be used as reflectors in amplification attacks by attackers who wish to perform denial-of-service attacks. The probe used is a Mode 6 control message carrying the READVAR opcode (the query `ntpq -c rv` sends), which returns the server's system variables. While not as bad as the Mode 7 MONLIST query, a 12-byte READVAR request will normally draw a reply around 30 times its size, and a server that answers it from an arbitrary source address can be used to reflect that traffic at a spoofed victim.

To manually test whether a host answers these queries, run: ntpq -c rv [ip]. If the host returns its variable list, it answers unauthenticated Mode 6 queries from arbitrary source addresses and is exposed.

Statistics for these servers can be found here.

Instructions for restricting READVAR for Linux hosts can be found here.

Instructions for restricting READVAR for Cisco gear can be found here.

Fields

Field            Description
timestamp        Time that the IP was probed, in UTC+0
ip               The IP address of the device in question
protocol         Protocol that the NTP response came on (UDP)
port             Port that the NTP response came from
hostname         Reverse DNS name of the device in question
asn              ASN of where the device in question resides
geo              Country where the device in question resides
region           State / Province / Administrative region where the device in question resides
city             City in which the device in question resides
version          NTP software version and build time; some implementations report only the protocol version number (e.g. 4)
clk_wander       Clock frequency wander (PPM)
clock            Current date and time of day, as an NTP timestamp (hex seconds.fraction since 1900-01-01)
error            Frequency error
frequency        Frequency offset (PPM) relative to the hardware clock
jitter           Clock jitter
leap             Leap warning indicator: 0 no warning, 1 insert a second, 2 delete a second, 3 clock unsynchronized
mintc            Minimum time constant (log2 s) (3-10)
noise            "White phase" noise, also reported as jitter
offset           Combined offset of the server relative to this host
peer             Association ID of the system peer (the source the server is currently synchronized to)
phase            Combined offset of the server relative to this host (older ntpd versions report this in place of offset)
poll             Poll messages sent (for association with a reference clock)
precision        Precision (log2 s)
processor        Hardware platform and version
refid            Reference ID: the address of the system peer, or a kiss code such as INIT when unsynchronized
reftime          Reference time: when the clock was last set or corrected (NTP timestamp)
rootdelay        Total round-trip delay to the primary reference clock
rootdispersion   Total dispersion to the primary reference clock
stability        PPM mean frequency deviation
state            ntpd clock discipline state: 0 NSET (frequency never set), 1 FSET (frequency set from drift file), 2 SPIK (spike detected), 3 FREQ (frequency training), 4 SYNC (synchronized)
stratum          Stratum of the server (1-15); anything greater than 1 is a secondary reference, and 16 means unsynchronized
system           Operating system and version
tai              TAI-UTC offset (s)
tc               Time constant and poll exponent (log2 s) (3-17)
naics            North American Industry Classification System code
sic              Standard Industrial Classification System code
sector           Industrial sector, if known
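As an added example (not the report's or Shadowserver's own scanner code), the following Python builds the same Mode 6 READVAR probe that `ntpq -c rv` sends, splits the reply into its control-message header and data, reassembles fragmented replies, parses the data into the variables listed in the table above, and measures the amplification factor the introduction refers to. The reply it parses is a constructed sample modelled on ntpd output, not a capture; the version string, the 203.0.113.1 refid and the status word are placeholders, and `probe()` is the only part that touches the network.

```python
"""NTP Mode 6 READVAR probe, reply parser and amplification measurement.
Added example for this report; not Shadowserver's scanner code."""
import re
import socket
import struct

# Control-message header (RFC 1305 Appendix B), 12 bytes, network order:
#   LI|VN|Mode, R|E|M|opcode, sequence, status, association ID, offset, count
HEADER = struct.Struct("!BBHHHHH")
VN2_MODE6, OP_READVAR = 0x16, 2            # version 2 + mode 6; opcode 2 = READVAR
R_BIT, E_BIT, M_BIT = 0x80, 0x40, 0x20     # response, error, more-fragments bits
VAR_RE = re.compile(r'([^\s=,]+)=("[^"]*"|[^,]*)')   # name=value or name="quoted"


def build_readvar_request(seq=1, assoc_id=0):
    """The 12-byte request `ntpq -c rv` sends; assoc_id 0 = system variables."""
    return HEADER.pack(VN2_MODE6, OP_READVAR, seq, 0, assoc_id, 0, 0)


def parse_control_response(pkt):
    """Split one Mode 6 reply into its header fields and data payload."""
    if len(pkt) < HEADER.size:
        raise ValueError("short packet")
    li_vn_mode, rem_op, seq, status, assoc, offset, count = HEADER.unpack_from(pkt)
    if (li_vn_mode & 0x07) != 6:
        raise ValueError("not a Mode 6 packet")
    if not rem_op & R_BIT:
        raise ValueError("response bit not set")
    data = pkt[HEADER.size:HEADER.size + count]   # any trailing padding is ignored
    if len(data) != count:
        raise ValueError("count exceeds packet length")
    return {"error": bool(rem_op & E_BIT), "more": bool(rem_op & M_BIT),
            "opcode": rem_op & 0x1F, "seq": seq, "status": status,
            "assoc": assoc, "offset": offset, "data": data}


def reassemble(fragments):
    """Join a fragmented reply (M bit set on all but the last fragment) by offset."""
    frags = sorted((parse_control_response(p) for p in fragments),
                   key=lambda f: f["offset"])
    out = bytearray()
    for f in frags:
        if f["offset"] != len(out):
            raise ValueError("gap or overlap between fragments")
        out += f["data"]
    if frags and frags[-1]["more"]:
        raise ValueError("final fragment missing")
    return bytes(out)


def parse_variables(data):
    """Parse the comma-separated name=value text into a dict (quotes stripped)."""
    text = data.decode("ascii", "replace")
    return {name: value.strip().strip('"') for name, value in VAR_RE.findall(text)}


def amplification_factor(request, replies):
    """UDP payload bytes returned per payload byte sent."""
    return sum(len(r) for r in replies) / len(request)


def probe(host, port=123, timeout=2.0):
    """Send the probe to a live host and collect its reply fragments."""
    request, replies = build_readvar_request(), []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        while True:
            try:
                pkt, _ = sock.recvfrom(4096)
            except socket.timeout:
                break
            replies.append(pkt)
            if not parse_control_response(pkt)["more"]:
                break
    return request, replies


# Constructed reply text modelled on ntpd output; the values are placeholders.
SAMPLE_DATA = (
    b'version="ntpd 4.2.4p8@1.1612-o Wed Jan 10 12:00:00 UTC 2018 (1)",\r\n'
    b'processor="x86_64", system="Linux/2.6.32", leap=0, stratum=3,\r\n'
    b'precision=-20, rootdelay=53.437, rootdispersion=70.343, peer=12345,\r\n'
    b'refid=203.0.113.1, reftime=0xdf234192.08d623f0, poll=10,\r\n'
    b'clock=0xdf23433c.3a38f036, state=4, offset=0.083, frequency=5.923,\r\n'
    b'jitter=1.038, stability=0.018, tc=10, mintc=3, clk_wander=0.018')


def sample_reply(data=SAMPLE_DATA, seq=1):
    """Wrap the constructed variable text in a READVAR response header."""
    return HEADER.pack(VN2_MODE6, R_BIT | OP_READVAR, seq, 0x0624, 0, 0, len(data)) + data


if __name__ == "__main__":
    req, replies = build_readvar_request(), [sample_reply()]
    print(parse_variables(reassemble(replies)))
    print("amplification: %.1fx" % amplification_factor(req, replies))
```

Run `probe(host)` only against a server you are authorized to test and feed its result to `amplification_factor` to reproduce the measurement; a host that answers at all is answering unauthenticated Mode 6 queries from any source address. On ntpd the fix is a `restrict default` line in ntp.conf that includes `noquery`; on Cisco IOS it is an `ntp access-group` ACL that limits or removes `query-only` access.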

Sample

"timestamp","ip","protocol","port","hostname","asn","geo","region","city","version","clk_wander","clock","error","frequency","jitter","leap","mintc","noise","offset","peer","phase","poll","precision","processor","refid","reftime","rootdelay","rootdispersion","stability","state","stratum","system","tai","tc","naics","sic","sector"
"2018-08-19 01:15:40","207.173.174.43","udp",123,,7385,"US","COLORADO","COLORADO SPRINGS",4,,"0xdf23433c.3a38f036",,"5.923","1.038",0,,"0.977","0.083",,,10,"-10","unknown","204.130.255.3","0xdf234192.08d623f0","53.437","70.343","0.018",4,3,"UNIX",,,0,0,"Communications"
"2018-08-19 01:15:40","87.229.213.13","udp",123,,3216,"RU","MOSKVA","MOSCOW",4,,"0xdf23433c.968b4667",,"1.188","0.977",0,,"1.020","2.432",,,10,"-10","unknown","194.67.0.206","0xdf233fc5.c4524155","59.121","71.518","0.026",4,4,"UNIX",,,0,0,
"2018-08-19 01:15:40","95.83.188.204","udp",123,"95.83.188.204.spark-ryazan.ru",47313,"RU","RYAZANSKAYA OBLAST","DYADKOVO",,,"0xDF23433C.B56921D7","0.98","57.860",,0,,,,30235,,9,,,"86.110.181.167","0xDF2342FA.7A0F89E1","48.780","32.000",,,3,"cisco",,,0,0,
"2018-08-19 01:15:40","108.160.60.145","udp",123,,17306,"US","NEBRASKA","NORFOLK",,,"0xDF23433C.261D7B0F","0.60","4.090",,0,,,,35751,,10,,,"66.185.0.244","0xDF234186.BAC78602","107.540","19.470",,,4,"cisco",,,0,0,"Communications"
"2018-08-19 01:15:40","221.183.29.98","udp",123,,9808,"CN",,"BEIJING",,"0.000","0xdf2342cc.93aa0fa5",,"5.455","0.000",3,3,,"0.000",,,,"-18","processor","INIT","0xdeccb221.532faa9e","0.000","85088.850",,,16,"/",,6,0,0,"Communications"
"2018-08-19 01:15:40","14.47.41.105","udp",123,,4766,"KR","GYEONGGLDO","SUWON","ntpd 4.1.1c-rc1@1.836 Wed Aug  8 14:37:46 KST 2012 (361)",,"0xdf23c1cc.8eac1094",,"-499.608","587.301",0,,,"3.212",,,14,"-15","mips","220.73.142.69","0xdd38f01d.efc83a96","8.794","8766.430","22.037",4,16,"Linux2.6.18_pro500-p34xx-mips2_fp_le-ubiquoss",,,518111,737415,"Communications"
"2018-08-19 01:15:40","207.173.38.241","udp",123,,7385,"US","COLORADO","FOUNTAIN",4,,"0xdf23433c.a990e10e",,"5.923","1.038",0,,"0.977","0.083",,,10,"-10","unknown","204.130.255.3","0xdf234192.08d623f0","53.437","70.343","0.018",4,3,"UNIX",,,0,0,"Communications"
"2018-08-19 01:15:40","176.74.75.254","udp",123,,34797,"GE","TBILISI","TBILISI",4,,"0xdf234517.989374bc",,"0.000","0.977",3,,"0.977","0.000",,,6,"-10","unknown","INIT","0x00000000.00000000","0.000","96691.215","0.000",0,16,"UNIX",,,0,0,
"2018-08-19 01:15:40","75.77.196.135","udp",123,"75.77.196.135.nw.nuvox.net",7029,"US","GEORGIA","ATLANTA",4,,"0xDF23433C.787DA43A",,"8.236","1.078",0,,"0.154","2.604",,,6,"-24","unknown","64.89.70.60","0xDF2341DB.192D69BF","38.046","105.614","0.008",4,3,"UNIX",,,518111,737401,"Commercial Facilities"
"2018-08-19 01:15:40","201.216.244.190","udp",123,"customer-static-201-216-244.190.iplannetworks.net",16814,"AR","BUENOS AIRES","GREGORIO DE LAFERRERE",,,"0xDF23433C.17F0211B","0.12","11.600",,0,,,,23953,,6,,,"200.61.191.25","0xDF2342FE.A0FE7AEB","2.470","0.350",,,2,"cisco",,,0,0,
"2018-08-19 01:15:40","116.38.11.182","udp",123,,17858,"KR","SEOUL TEUGBYEOLSI","SEOUL","ntpd 4.1.1c-rc1@1.836 Tue Apr 12 02:17:55 KST 2011 (471)",,"0xdf23c1cc.afab862b",,"-28.047","2286.390",0,,,"1.016",,,17,"-17","mips","180.225.21.146","0xbc17c21c.8b897204","11.058","11317.784","10.314",4,5,"Linux2.4.20_mvl31-bcm95836cpci",,,0,0,"Communications"
