NTP servers are currently being abused for "reflection attacks", so we have written a short tutorial to help you detect and prevent NTP reflection attacks.
What is an NTP reflection attack?
In an NTP reflection attack, your server is forced to attack other servers on the Internet with NTP packets. This type of attack can only occur if you run an NTP time server on your server to synchronize the system time.
How can I check if my server is affected by this issue?
On Debian-based systems, the program "ntpdc" can be used for this check. Run the following command:
root@server:~/# ntpdc -n -c monlist 127.0.0.1
If the output is:
root@server:~/# ntpdc -n -c monlist 127.0.0.1
***Server reports data not found
then your server is not vulnerable!
Your server can be attacked if you receive statistics such as:
remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
176.31.45.66             123 82.211.0.200           8 4   4  1d0      3       9
78.47.255.100            123 82.211.0.200           8 4   4  1d0      3      13
5.9.122.148              123 82.211.0.200           8 4   4  1d0      3      15
148.251.41.82            123 82.211.0.200           3 4   4  1d0      8      22
What can I do if my server is affected?
To solve the problem, please add the following line to your /etc/ntp.conf as the last entry:
disable monitor
Then restart the NTP service with the command:
/etc/init.d/ntp restart
Then run the check again and the list should no longer be displayed.
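The check and the fix described above can be scripted so they are repeatable across servers. The following is an added example, not part of the original tutorial: the function names classify_monlist and ensure_disable_monitor and the .bak backup copy are assumptions of the example, and the sample output uses constructed documentation addresses.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Function names are hypothetical.

# Read `ntpdc -n -c monlist 127.0.0.1` output on stdin and print
# "vulnerable" (client table returned), "not-vulnerable" (the
# "data not found" reply) or "unknown" (anything else, e.g. no reply).
classify_monlist() {
    awk '
        /data not found/                        { notfound = 1 }
        /^=+$/                                  { in_table = 1; next }
        in_table && NF >= 9 && $2 ~ /^[0-9]+$/  { rows++ }
        END {
            if (rows > 0)      print "vulnerable"
            else if (notfound) print "not-vulnerable"
            else               print "unknown"
        }'
}

# Append "disable monitor" as the last entry of the given ntp.conf unless an
# active (uncommented) disable line already lists "monitor". Idempotent;
# keeps a copy of the old file as <conf>.bak (an assumption of this example).
ensure_disable_monitor() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }
    if grep -Eq '^[[:space:]]*disable([[:space:]]+[a-z]+)*[[:space:]]+monitor([[:space:]]|$)' "$conf"; then
        echo "unchanged"
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 2
    printf '\ndisable monitor\n' >> "$conf"
    echo "added"
}

# Constructed sample output (documentation addresses, not a real capture).
sample='remote address port local address count m ver rstr avgint lstint
===============================================================================
192.0.2.10 123 198.51.100.5 8 4 4 1d0 3 9'
printf '%s\n' "$sample" | classify_monlist    # prints: vulnerable

# On a real server (commands from the tutorial above):
#   ntpdc -n -c monlist 127.0.0.1 | classify_monlist
#   ensure_disable_monitor /etc/ntp.conf && /etc/init.d/ntp restart
```

A result of "unknown" means the query returned neither reply shown in this tutorial, so it should be checked by hand rather than treated as safe.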
If you have any further questions about this procedure, please do not hesitate to contact us.