123 - NTP

Network Time Protocol

Mode 6 vulnerability

The remote NTP server responds to Mode 6 queries. Devices that respond to these queries have the potential to be used in NTP amplification attacks. An unauthenticated, remote attacker could potentially exploit this via a specially crafted Mode 6 query to cause a reflected denial-of-service condition.

For remediation, recommend restricting NTP mode 6 queries to trusted hosts or disabling them if not needed, alongside implementing rate limiting and monitoring for unusual NTP traffic patterns to mitigate potential abuse.

Nmap has a script (ntp-monlist) that can query NTP servers to get information about the system and its configuration. While the ntp-monlist script is designed to check for the MONLIST feature which can be used for amplification attacks, you can use other NTP-related scripts to safely gather information similar to what Nessus reported.

To check the NTP configuration without causing a DoS, you might use the ntp-info script:

sudo nmap -sU -p 123 --script ntp-info <target-ip>

Last updated