Cisco Event Response: Network Time Protocol Amplification Distributed Denial of Service Attacks

Threat Summary: February 25, 2014

This information has been produced in reference to the recent Network Time Protocol (NTP) amplification distributed denial of service (DDoS) attacks that have been observed on the Internet. Based on certain examples of customer packet captures Cisco has observed, current inbound amplification flows are showing the following characteristics:

  • UDP source port 123
  • UDP destination port 80
  • Packet size of 482 bytes

Keep in mind that the preceding characteristics were seen on a limited number of customer networks. It is expected that variations on the UDP source port, UDP destination port, and total packet size will be seen.

Event Intelligence

The following Cisco content is associated with this Event Response Page:

Cisco Security Notice: Cisco Network Time Protocol Distributed Reflective Denial of Service Vulnerability

Cisco IntelliShield Alert: Network Time Foundation ntpd Service Network Traffic Amplification Issue

Cisco Security Blog Posts

Vulnerability Characteristics

The vulnerability comes from a shortcoming in RFC 5905 that allows processing of optional Mode 6 and 7 command requests by NTP servers.

In summary, the attack is based on processing NTP Mode 7 requests from NTP clients that may elicit huge responses. While the requests are small (for example, in case of Mode 7, the request is only 8 bytes long), the response can grow up to 5,500 times that size due to amplification.

Cisco Security Intelligence Operations Analysis

The attack is based on a very simple premise:

NTP servers that respond to MONLIST Mode 7 command requests will generate responses that are 5,500 times bigger in size than the requests. Paired with the ability to spoof network addresses globally, this attack allows the attacker to send a huge number of those requests toward a number of known public NTP servers and solicit a huge response toward the spoofed address of the (source) victim.

There are three key points regarding this vulnerability:

  • The server that is "open" for NTP Mode 7 requests can receive a huge number of requests and be forced to generate responses that are up to 5,500 times larger than original requests.
  • The vulnerable NTP servers are used as UDP reflectors in attacks against targeted destinations that may or may not have NTP servers or NTP clients on their networks. Regardless, these targets receive a flood of unsolicited return UDP traffic directed toward them at the destination port of the attacker's choice.
  • The network that is being used as a source (victim) in a spoofed barrage of NTP requests to such servers will find itself under a huge flow of unsolicited NTP responses.

Keep in mind that, although the characteristics of this attack use NTP packets, this series of attacks is in no way different from typical reflected DDoS amplification attacks. Networks are being sent a flood of unsolicited packets that can grow significantly in both size and speed.

MITRE/CERT-CC assigned the Common Vulnerabilities and Exposures ID CVE-2013-5211 to the vulnerability that applies to Mode 7 requests. This CERT/CC advisory is posted at

Impact on Cisco Products

Affected Cisco products are listed in the Cisco Security Notice:

Mitigation Summary


Cisco DDoS White Paper: //

CERT Vulnerability Note VU#348126:

DHS US-CERT Alert (TA14-013A): Security Notice:


This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.

Back to Top