For Linux Servers

In this article, we'll explain the NTP service and show you how to disable NTP monitoring on your server.

By disabling NTP monitoring, you can prevent misuse of this service for a Distributed Reflected Denial of Service (DRDoS) attack.

What is NTP?

NTP (Network Time Protocol) is a service on UDP port 123 that is responsible for time synchronization between a client and server.

How NTP Monitoring Allows DRDoS Attacks

The NTP server logs all requests for time synchronization. This protocol can be retrieved externally using the NTP command monlist.


Attackers use this to generate a response with a small request, which is up to 200 times larger than the request itself. In the requesting package, the source IP is replaced by the IP of the server to be attacked. Since this function can therefore easily be misused for DRDoS attacks, NTP monitoring should be deactivated if possible.


Windows systems are not affected by this since the monlist function is not integrated in Microsoft's NTP server. Accordingly, operators of Windows servers do not need to disable NTP.

Use the following command to check whether monitoring is active on your server and whether it is vulnerable to a corresponding attack:

root@s12345678:/# ntpdc -n -c monlist
***Server reports data not found

In the example above, monitoring is already deactivated, so no further steps are necessary.

If monitoring is active, the results will look similar to below:

root@s12345678:/# ntpdc -n -c monlist
remote address port local address count m ver rstr avgint lstint
=============================================================================== 123 10089 4 4 1d0 976 357
2001:a60::xxx:2 123 2001:8d8:xxx:xxxx::xx:91ef 10095 4 4 1d0 975 731 123 10082 4 4 1d0 976 888

Disabling NTP Monitoring

To prevent your server from being misused for these types of attacks, you should disable NTP monitoring by following these steps:

  • Add the disable monitor appendix to the end of /etc/ntp.conf.
  • Restart the NTP service:
/etc/init.d/ntp restart 

NTP monitoring is now successfully deactivated.