What is an 'Open NTP Server'?

Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in current use.

Why would this be bad?

Running an open (UDP) service is not bad on its own and it is mostly a required dependancy when installing a system. Unfortunately, hackers have also found this feature useful in performing a special type of DDoS attack called a 'Amplification Attack'.

The attacker sends a packet apparently from the intended victim to some server on the Internet that will reply immediately. Because the source IP address is forged, the remote Internet server replies and sends data to the victim.

That has two effects: the actual source of the attack is hidden and is very hard to trace, and, if many Internet servers are used, an attack can consist of an overwhelming number of packets hitting a victim from all over the world.

But what makes reflection attacks really powerful is when they are also amplified: when a small forged packet elicits a large reply from the server (or servers). In that case, an attacker can send a small packet "from" a forged source IP address and have the server (or servers) send large replies to the victim.

Amplification attacks like that result in an attacker turning a small amount of bandwidth coming from a small number of machines into a massive traffic load hitting a victim from around the Internet.

Recommended action

In most cases the computer has installed a NTP service as an dependancy as timekeeping is needed on that computer. However its only required to do local timekeeping, thus the added 'external access' to this service is unneeded. In such cases we recommend either changing the configuration of your NTP service or to firewall port 123 for external hosts.

If you are running a NTP Server for multiple computers, then consider to limit access to the required group of computer or implement safegaurds like ... to prevent a DNS Amplification Attack.

Tips to resolve this matter

UNIX/Linux ntpd

The following configuration is for a UNIX/Linux machine to act as simply an NTP client and never to allow NTP queries to it except from the loopback address:

# by default act only as a basic NTP client
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
# allow NTP messages from the loopback address, useful for debugging
restrict 127.0.0.1
restrict ::1
# server(s) we time sync to
server 192.0.2.1
server 2001:DB8::1
server time.example.net

You can use your standard host firewall filtering capabilities to limit who the NTP process talks to. If you're using Linux and the host is acting as an NTP client only, the following iptables rules could be adapted to shield your NTP listener from unwanted remote hosts.

-A INPUT -s 0/0 -d 0/0 -p udp --source-port 123:123 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -s 0/0 -d 0/0 -p udp --destination-port 123:123 -m state --state NEW,ESTABLISHED -j ACCEPT

Authentication with the reference NTP software on UNIX can be done using symmetric key encryption, much like in Cisco IOS and Juniper JUNOS, using MD5. However, a public key-based approach called 'AutoKey' is also available, which is generally be considered to be even more secure. For more information about these options, see the NTP authentication options page and the Configuring Autokey documentation.

Getting more information

Examples in securing a NTP service Amplification Hell: Revisiting Network Protocols for DDoS Abuse