123 - NTP
Network Time Protocol
Mode 6 vulnerability
The remote NTP server responds to Mode 6 queries. Devices that respond to these queries have the potential to be used in NTP amplification attacks. An unauthenticated, remote attacker could potentially exploit this via a specially crafted Mode 6 query to cause a reflected denial-of-service condition.
For remediation, recommend restricting NTP mode 6 queries to trusted hosts or disabling them if not needed, alongside implementing rate limiting and monitoring for unusual NTP traffic patterns to mitigate potential abuse.
Nmap has a script (ntp-monlist) that can query NTP servers to get information about the system and its configuration. While the ntp-monlist script is designed to check for the MONLIST feature which can be used for amplification attacks, you can use other NTP-related scripts to safely gather information similar to what Nessus reported.
To check the NTP configuration without causing a DoS, you might use the ntp-info script:
Last updated