1. Bicom Systems
  2. Solution home
  3. PBXware
  4. HOWTOs

General :: How to prevent NTP DDoS attacks

We became aware of a security issue with NTP server in our products so we advise our users to modify configuration files as soon as possible in order to avoid  the potential attacks.

CVE (Common Vulnerabilities and Exposures) website


National Vulnerability Database website


NTP is Network time protocol and it’s used to sync the time between client and server, it is a UDP protocol and it’s run on port 123. In the NTP reflection attack the attacker send a crafted packet which request a large amount of data to be sent to the host.

In this case, the attackers are taking advantage of the monlist command.  Monlist is a remote command in older version of NTP that sends the requester a list of the last 600 hosts who have connected to that server.  For attackers the monlist query is a great reconnaissance tool.  For a localized NTP server it can help to build a network profile.   However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic:

Here is a procedure that would prevent the attacker to utilize the security bug in NTP server.

If you have a SERVERware, these changes have to be made on every running instance, if you have a PBXware that is running on a dedicated server you will have to perform this procedure on each PBXware.

Login to your SERVERware/PBXware and edit /etc/ntp.conf

nano /etc/ntp.conf

insert these lines to your ntp.conf

restrict default kod nomodify notrap nopeer noquery
disable monitor

save changes and restart ntpd

/etc/init.d/ntpd stop
killall ntpd
/etc/init.d/ntpd start

That should solve the security issue with NTP server.

If you have any issues with this procedure, or not have necessary knowledge on how to perform the explained procedure please contact Bicom Systems support and our staff will be glad to help you.