[c-nsp] NTP DDoS

SilverTip257 silvertip257 at gmail.com
Wed Feb 12 21:12:45 EST 2014

On Wed, Feb 12, 2014 at 2:36 PM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:

> > Something I can point customers to for testing their own set ups. ;)

What I was trying to say is that openntp project URL is something I can
point customers at and they should understand.  Some of my customers are

Sadly, a few of them try to tell me that information I give them doesn't
work.  But when they say "hey, here's my credentials, why don't you fix it
for me?" ... I come to find (yes, I'm a nice guy) that everything I sent
them was spot on (as I expected).

Copy+paste is over-rated.  o_O

> On a Linux or mac
> ntpdc -c monlist xxx.xxx.xxx.xxx

Yep.  And loopinfo and iostats commands.

nmap has a ntp-monlist script that is helpful (combined with the grep-able
output option).

I'm about due for running another ntp-monlist scan ... [when DNS
amplification attacks were real bad a few months ago, we told a customer to
disable DNS recursion ... he instead shut off bind/named for that day and
turned it back on some time later].

> If you get a reply (which will consist of a list of IP addresses that have
> sync'd with the daemon) then the server has a non optimal config. ... and
> if it's already been found by others they will all be listed. .. You might
> even see openntp project and team cymru servers listed ;)
> Alan

//  SilverTip257  //

More information about the cisco-nsp mailing list