Network Time Protocol (NTP) keeps the internet's clocks synchronized. Its MONLIST command — intended for administrators to see which clients recently queried the NTP daemon — returns up to 600 IP addresses per request. A 234-byte request produces up to 48 KB of response: a 556x amplification ratio.
The Attack Pattern
- Attacker sends MONLIST requests to thousands of NTP servers, spoofing the victim's source IP.
- Each server returns its connection list directly to the victim.
- Attack traffic is indistinguishable from legitimate NTP server responses.
- Cloudflare blocked a 400Gbps NTP amplification attack in 2014 — this attack vector is not theoretical.
The Fix for NTP Server Operators
Upgrade NTP to version 4.2.7p26 or later, which disables MONLIST by default. If you cannot upgrade, explicitly add 'noquery' to the restrict lines in your ntp.conf. If you are not intentionally running an NTP server, firewall UDP/123 from the public internet.
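As an added example (not code from the original article), a small Python audit that parses ntp.conf restrict lines and reports which non-loopback scopes still lack noquery (or ignore); the two config fragments are constructed samples, and the check also accepts ntpd's 'disable monitor' directive, which switches the monitor facility off, as an equivalent mitigation.

```python
# Constructed sample ntp.conf fragments, not taken from any real host.
WEAK_CONF = """\
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap   # no noquery: MONLIST answered for anyone
restrict 127.0.0.1
"""
HARDENED_CONF = """\
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery    # refuses mode 6/7 queries
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1    # loopback keeps query access for local administration
restrict ::1
"""
LOOPBACK = {"127.0.0.1", "::1"}

def audit_ntp_conf(text):
    """Return (open_lines, monitor_disabled): restrict lines that still answer
    queries from non-loopback sources, and whether ntpd's 'disable monitor'
    directive (which turns the monitor facility off) is present."""
    open_lines, monitor_disabled = [], False
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if not tokens:
            continue
        if tokens[0] == "disable" and "monitor" in tokens[1:]:
            monitor_disabled = True
            continue
        if tokens[0] != "restrict":
            continue
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]  # address-family flags
        if not args or args[0] in LOOPBACK:
            continue
        flags, i = set(), 1
        while i < len(args):
            if args[i] == "mask":                  # 'mask' consumes the next token
                i += 2
                continue
            flags.add(args[i])
            i += 1
        # No flags at all means "allow everything", so that case is reported too.
        if not flags & {"noquery", "ignore"}:
            open_lines.append(" ".join(tokens))
    return open_lines, monitor_disabled

def monlist_exposed(text):
    """True when some remote scope can still issue MONLIST-style queries."""
    open_lines, monitor_disabled = audit_ntp_conf(text)
    return bool(open_lines) and not monitor_disabled
```

Run it against a copy of the live ntp.conf before and after the change; a non-empty open_lines list names exactly the restrict scopes that still need noquery.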
Protection at the Scrubbing Layer
Akarguard's reverse proxy absorbs NTP amplification floods before they reach your origin. Traffic from known NTP amplifier source ports is rate-limited at ingress. Even a multi-hundred-gigabit flood cannot reach your infrastructure because it never gets past the scrubbing layer.