Poster: The Curious Case of NTP Monlist

Teemu Rytilahti, Thorsten Holz

1st IEEE European Symposium on Security and Privacy (Euro S&P 2016), Saarbrücken, Germany


Although not a new threat, reflective amplification DDoS attacks that exploit vulnerable network services remain very prevalent despite ongoing efforts to get those services fixed.

In this paper, we demonstrate how the very same feature used for NTP-based attacks can be used to form a global picture of ongoing attacks on the Internet. To this end, we first scanned the Internet to find vulnerable NTP servers and then requested their client lists hourly for a week. Our initial results suggest that only a fraction of all vulnerable services are currently suitable for attacks as well as for attack tracking. Furthermore, we show that many known vulnerable hosts have remained unused because of their small response sizes, and we argue that they may be abused in future attacks.