MEDIUM: NTP Monitor Report

DESCRIPTION LAST UPDATED: 2023-12-18

DEFAULT SEVERITY LEVEL: MEDIUM

This report identifies NTP servers that have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks.

The NTP monitor command is a Mode 7 query for MON_GETLIST_1. To manually test if a system is vulnerable to this, you can use the command:

ntpdc -n -c monlist [ip]

You can learn more on the report in our NTP Monitor Report tutorial.

You can track latest NTP Monitor exposure on the Dashboard.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

Filename(s): scan_ntpmonitor, scan6_ntpmonitor

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the NTP response came on (UDP)
  • port
    Port that the NTP response came from
  • hostname
    Reverse DNS name of the device in question
  • packets
    The total number of packets received from the device in question
  • response_size
    The total amount of data (in bytes) received from the device in question
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sector
    Sector the IP belongs to
  • amplification
    Amplification factor (This amplification is is based solely on the payload size sent and payload size received)

Sample

"timestamp","severity","ip","protocol","port","hostname","packets","response_size","asn","geo","region","city","naics","hostname_source","sector","amplification"
"2010-02-10 00:00:00",medium,192.168.0.1,udp,123,node01.example.com,100,44000,64512,ZZ,Region,City,0,,,3666.67
"2010-02-10 00:00:01",medium,192.168.0.2,udp,123,node02.example.com,100,44000,64512,ZZ,Region,City,0,ptr,"Communications, Service Provider, and Hosting Service",3666.67
"2010-02-10 00:00:02",medium,192.168.0.3,udp,123,node03.example.com,1,224,64512,ZZ,Region,City,0,ptr,,18.67

Our 132 Report Types