Published March 12, 2014

NTP Amplification Threat Advisory

The NTP Amplification tool (NTP-AMP) exploits the Network Time Protocol (NTP) to launch massive attacks using a small number of compromised servers. This threat advisory about NTP amplification distributed denial of service (DDoS) attacks includes an analysis of how the tool generates a monlist payload, along with DDoS protection and mitigation techniques and a review of two DDoS attack campaigns using the NTP amplification tool.

What You’ll Learn

The NTP Amplification threat advisory includes details and mitigation for enterprises, such as:

  • Indicators of the use of the NTP Amplification toolkit
  • Analysis of the NTP-AMP source code
  • Use of monlist as the payload
  • The SNORT rule and target mitigation using ACL entries for attack targets
  • DDoS mitigation instructions for vulnerable NTP servers
  • Statistics and payloads from two observed NTP Amplification DDoS attack campaigns

What You Need to Know

  • Ongoing cleanup efforts by the security community are resulting in a smaller number of vulnerable NTP servers every day, but the remaining vulnerable NTP servers are capable of amplification levels that make this attack type very dangerous.
  • The elimination of vulnerable NTP servers is driving malicious actors to develop new tools that enable them to produce more damaging attacks with fewer NTP servers, as demonstrated in this threat advisory.


Amplification is not a new DDoS attack method, nor is the misuse of the Network Time Protocol a new means of launching an amplification attack. Recently, however, NTP amplification attacks have become one of the most popular DDoS attack types for malicious actors as they seek to overwhelm the network resources of their targets.

Comparing DDoS attacks in February 2014 with those in January 2014, DDoS mitigation experts observed the following:

  • Total NTP amplification attacks increased 371 percent.
  • Average peak attack bandwidth increased 218 percent.
  • Average peak packets-per-second (pps) rate increased 807 percent.
  • Targeted industries included finance, gaming, e-Commerce, Internet, media, education, software-as-a-service (SaaS) and security.

This DDoS Threat Advisory presents a PLXsert analysis of a recently leaked NTP reflection tool written in the Perl scripting language and referred to as NTP-AMP.

  • This tool is capable of generating massive amounts of malicious traffic many times larger than the original request.
  • Use of NTP-AMP has been identified in multiple DDoS campaigns.
  • NTP-AMP capitalizes on amplification lists, consisting of NTP servers that are poorly configured or maintained and thus susceptible to this type of DDoS reflection attack.
  • Because the tool is written in a high-level scripting language, it has limitations. The attacker must have elevated privileges on the host where the script is executed in order to create raw network sockets, which the operating system implements at the kernel layer to communicate via the network.
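
For operators checking whether one of their own NTP servers is being used as a reflector, the added example below (not code from the advisory or from NTP-AMP) classifies UDP/123 payloads as monlist requests or responses and computes the response-to-request byte ratio per peer. The mode 7 header layout and the monlist request codes are taken from ntpd's private-mode protocol rather than from this page, and the addresses and packets are constructed sample data.

```python
import struct
from collections import defaultdict

MODE_PRIVATE = 7              # NTP mode 7 (ntpdc private protocol)
IMPL_XNTPD = 3                # implementation number used by ntpd
MONLIST_CODES = {20, 42}      # MON_GETLIST, MON_GETLIST_1

def classify(payload):
    """Return ('request'|'response', n_items) for a mode 7 monlist packet, else None."""
    if len(payload) < 8:
        return None
    flags, _seq, impl, code, err_items, _size = struct.unpack("!BBBBHH", payload[:8])
    if flags & 0x07 != MODE_PRIVATE or impl != IMPL_XNTPD or code not in MONLIST_CODES:
        return None
    kind = "response" if flags & 0x80 else "request"   # top bit is the response flag
    return kind, err_items & 0x0FFF                    # low 12 bits: items in this packet

def amplification_by_peer(packets):
    """packets: (src, dst, udp_payload) tuples seen at one NTP server.
    Returns {peer: bytes_out / bytes_in} for peers involved in monlist traffic."""
    bytes_in, bytes_out = defaultdict(int), defaultdict(int)
    for src, dst, payload in packets:
        hit = classify(payload)
        if hit is None:
            continue                                   # ordinary time sync, ignored
        if hit[0] == "request":
            bytes_in[src] += len(payload)
        else:
            bytes_out[dst] += len(payload)
    return {p: bytes_out[p] / bytes_in[p] for p in bytes_in if bytes_out[p]}

# Constructed sample capture (documentation addresses, zero-filled bodies).
SERVER, PEER, CLIENT = "192.0.2.10", "198.51.100.7", "203.0.113.5"
REQ = struct.pack("!BBBBHH", 0x17, 0, 3, 42, 0, 0)
RESP = struct.pack("!BBBBHH", 0xD7, 0, 3, 42, 6, 72) + bytes(6 * 72)
SAMPLE = ([(PEER, SERVER, REQ)] + [(SERVER, PEER, RESP)] * 3
          + [(CLIENT, SERVER, b"\x23" + bytes(47))])    # last one: normal client query

if __name__ == "__main__":
    for peer, factor in amplification_by_peer(SAMPLE).items():
        print(f"{peer}: monlist responses are {factor:.0f}x the request bytes")
```

A peer that shows a high ratio here is most likely a spoofed address, that is, the attack target rather than the sender of the requests.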

In addition to the information provided here, in 2013 PLXsert released a series of distributed reflection and amplification (DrDoS) attack white papers outlining reflection/amplification attack types, including NTP attacks.
