
DDoS / Amplification Attack using ntpdc monlist command

Spectracom disables NTP queries by default and is therefore not at risk for the vulnerability described in CVE-2013-5211. However, we recommend you verify that the NTP server has not been configured to allow queries, or that you have adequate network security to reduce the risk of an attack due to monlist.

January 20, 2014

Product Models & Categories:
securesync

In December 2013 / January 2014, a vulnerability in the NTP daemon was documented in several databases of common vulnerabilities and exposures (such as CVE-2013-5211).

The monlist feature of NTP can be exploited as a distributed denial-of-service attack. Monlist is a query that can be issued with the ntpdc tool. The NTP server responds to the query with the last 600 IP addresses that connected to it. If the query's source address is spoofed, an attacker is able to amplify the volume of traffic directed at a victim, because the size of the response is typically considerably larger than the request. The standard recommended solution is to disable queries or disable monitor within the NTP server (NTPd version 4.2.7p26 replaces the monlist feature with the safe mrulist function). Spectracom NetClock and SecureSync NTP servers are preconfigured for security. By default, NTP queries are not allowed unless otherwise configured through the interface or via expert mode. We recommend you check the configuration of these products to verify that queries have not been enabled, or, if they have, that you have other network security policies in place to minimize the risk of an attack.
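As an added example (not part of this advisory and not Spectracom's code), the following audit checks a classic ntpd `ntp.conf` for the two mitigations named above: `disable monitor`, which removes the data monlist reports, and `noquery` on the default restrict line, which refuses mode 7 queries from unlisted hosts. It assumes stock ntpd configuration syntax; the sample configurations are constructed for illustration.

```python
"""Audit an ntp.conf for monlist (CVE-2013-5211) exposure.

Assumptions (classic ntpd syntax): `disable monitor` switches off the
monitor subsystem that monlist reads from, and `restrict [-4|-6] default
... noquery` (or `ignore`) refuses control/mode 7 queries from any host
not matched by a more specific restrict line.
"""
import shlex


def audit_ntp_conf(text: str) -> dict:
    """Return which protections are present and whether monlist is reachable."""
    monitor_disabled = False
    default_blocked = {"-4": False, "-6": False}  # per address family
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] == "disable" and "monitor" in tokens[1:]:
            monitor_disabled = True
        elif tokens[0] == "restrict":
            args = tokens[1:]
            families = ["-4", "-6"]  # plain `default` covers both families
            if args and args[0] in ("-4", "-6"):
                families = [args.pop(0)]
            if args and args[0] == "default":
                flags = set(args[1:])
                for fam in families:
                    default_blocked[fam] = bool(flags & {"noquery", "ignore"})
    # Exposed only if monitor is on AND some family still answers queries.
    exposed = not monitor_disabled and not all(default_blocked.values())
    return {"monitor_disabled": monitor_disabled,
            "default_blocked": default_blocked,
            "monlist_exposed": exposed}


# Constructed sample configurations (not taken from any real device).
WEAK_CONF = """
server 0.pool.ntp.org
restrict default nomodify notrap nopeer   # mode 7 queries still answered
restrict 127.0.0.1
"""

HARDENED_CONF = """
server 0.pool.ntp.org
disable monitor                            # nothing for monlist to return
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf))
```

The check only reads configuration; a server running an ntpd release older than 4.2.7p26 with monitor enabled and queries permitted is the case it flags.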
