NTP server misuse and abuse

NTP server misuse and abuse covers a number of practices which cause damage or degradation to a Network Time Protocol (NTP) server, ranging from flooding it with traffic (effectively a DDoS attack) to violating the server's access policy or the NTP rules of engagement. One incident was branded NTP vandalism in an open letter from Poul-Henning Kamp to the router manufacturer D-Link in 2006.[1] This term was later extended by others to retroactively include other incidents. There is, however, no evidence that any of these problems are deliberate vandalism. They are more usually caused by shortsighted or poorly chosen default configurations.

A deliberate form of NTP server abuse came to notice at the end of 2013, when NTP servers were used as part of amplification denial-of-service attacks. Some NTP servers would respond to a single "monlist" UDP request packet with packets describing up to 600 associations. By using a request with a spoofed IP address, attackers could direct an amplified stream of packets at a network. This resulted in one of the largest distributed denial-of-service attacks known at the time.[2]
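The following added example (not part of the original article) shows how a defender could spot monlist traffic in captured UDP payloads and measure the amplification it produces. The mode 7 header layout and the request codes 20 and 42 follow the ntpd reference implementation; the addresses, packet sizes and the 6 x 72-byte reply layout in the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

MODE_PRIVATE = 7                  # NTP mode 7: ntpdc-style private requests
MONLIST_CODES = {20, 42}          # MON_GETLIST and MON_GETLIST_1 request codes

def parse_mode7(payload):
    """Decode the 8-byte mode 7 header; return None for any other packet."""
    if len(payload) < 8:
        return None
    b0, _seq, _impl, req, err_n, mbz_sz = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        return None
    return {"response": bool(b0 & 0x80), "request": req,
            "nitems": err_n & 0x0FFF, "itemsize": mbz_sz & 0x0FFF}

def monlist_report(packets, ntp_port=123):
    """packets: (src, sport, dst, dport, udp_payload) tuples.
    Returns per (server, client) byte counts, entry count and gain factor."""
    stats = defaultdict(lambda: {"req_bytes": 0, "resp_bytes": 0, "entries": 0})
    for src, sport, dst, dport, payload in packets:
        hdr = parse_mode7(payload)
        if hdr is None or hdr["request"] not in MONLIST_CODES:
            continue
        if hdr["response"] and sport == ntp_port:
            s = stats[(src, dst)]
            s["resp_bytes"] += len(payload)
            s["entries"] += hdr["nitems"]
        elif not hdr["response"] and dport == ntp_port:
            stats[(dst, src)]["req_bytes"] += len(payload)
    for s in stats.values():
        s["factor"] = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else None
    return dict(stats)

def constructed_capture():
    """Constructed sample: one request, 100 replies of 6 x 72-byte entries."""
    server, client = "192.0.2.10", "198.51.100.7"   # documentation addresses
    request = struct.pack("!BBBBHH", 0x17, 0, 3, 42, 0, 0)
    replies = [struct.pack("!BBBBHH", 0x97 | (0x40 if i < 99 else 0), i, 3, 42, 6, 72)
               + bytes(6 * 72) for i in range(100)]
    ordinary = bytes([0x23]) + bytes(47)             # mode 3 client query, ignored
    pkts = [(client, 40000, server, 123, request),
            (client, 40001, server, 123, ordinary)]
    return pkts + [(server, 123, client, 40000, r) for r in replies]

if __name__ == "__main__":
    for pair, s in monlist_report(constructed_capture()).items():
        print(pair, s)
```

A (server, client) pair with a large factor and no matching request seen from that client's real network is the signature of a spoofed source being flooded through the server.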

  1. Kamp, Poul-Henning (2006-04-08). "Open Letter to D-Link about their NTP vandalism". FreeBSD. Archived from the original on 2006-04-08. Retrieved 2006-04-08.
  2. Gallagher, Sean (2014-02-11). "Biggest DDoS ever aimed at Cloudflare's content delivery network". Ars Technica. Archived from the original on 2014-03-07. Retrieved 2014-03-08.
