NTP Amplification

What is an NTP Amplification Attack?

Attack Description:

NTP, the Network Time Protocol, is used by machines connected to the Internet to set their clocks.

In an NTP Amplification attack, DDoS attackers take advantage of an NTP flood. Attackers spoof a victim’s NTP infrastructure and send very small (MON_GETLIST) requests to open NTP servers, which results in a very high volume of NTP responses (the amplification factor).

Since attackers spoof a victim’s NTP infrastructure, all of the reflected/amplified responses flood the victim’s NTP server, which takes it offline, or flood the network and take it offline as well. This attack is rarely detectable by deep packet inspection technologies because the NTP requests and responses seem to be 100% normal.


You can mitigate this attack with an on-premises DDoS protection appliance at the edge of your network, in connection with an automated monitoring service that helps you rapidly identify and react to NTP Amplification DDoS attacks.
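
Because the individual packets are well formed, a monitoring check has to look at volume and direction rather than packet validity. The following is an added example, not code from the original page or from any product: it parses the NTP mode 7 header and totals MON_GETLIST responses per destination at the network edge. The function names, the byte threshold and the sample capture are assumptions constructed for illustration, and it assumes legitimate monitor-list queries are not expected to cross the edge.

```python
import struct
from collections import defaultdict

MODE_PRIVATE = 7              # NTP mode 7: ntpdc private/monitoring messages
MON_GETLIST_CODES = {20, 42}  # REQ_MON_GETLIST, REQ_MON_GETLIST_1 (ntpd ntp_request.h)

def parse_mode7(payload):
    """Return mode 7 header fields from a UDP payload, or None if not mode 7."""
    if len(payload) < 8:
        return None
    b0, _seq, _impl, code, err_items, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        return None
    return {"response": bool(b0 & 0x80), "code": code,
            "items": err_items & 0x0FFF, "item_size": mbz_size & 0x0FFF}

def reflection_targets(packets, min_bytes=2000):
    """packets: (src_ip, src_port, dst_ip, payload) tuples seen at the network edge.
    Returns {dst_ip: (response_bytes, distinct_servers)} for flooded hosts."""
    total = defaultdict(int)
    sources = defaultdict(set)
    for src, sport, dst, payload in packets:
        hdr = parse_mode7(payload)
        # Well-formed monitor-list responses from port 123 are the reflected traffic.
        if hdr and hdr["response"] and sport == 123 and hdr["code"] in MON_GETLIST_CODES:
            total[dst] += len(payload)
            sources[dst].add(src)
    return {d: (n, len(sources[d])) for d, n in total.items() if n >= min_bytes}

def sample_response(items=6, item_size=72):
    """Constructed mode 7 response: 8-byte header plus zeroed monitor entries."""
    b0 = 0x80 | 0x40 | (2 << 3) | MODE_PRIVATE   # response bit, more bit, version 2
    return struct.pack("!BBBBHH", b0, 0, 3, 42, items, item_size) + bytes(items * item_size)

# Constructed capture (documentation address ranges): three servers send
# monitor-list responses to 192.0.2.10; 192.0.2.20 gets one ordinary time reply.
CAPTURE = [(f"198.51.100.{i}", 123, "192.0.2.10", sample_response())
           for i in (1, 2, 3) for _ in range(4)]
CAPTURE.append(("203.0.113.5", 123, "192.0.2.20", bytes([0x24]) + bytes(47)))

if __name__ == "__main__":
    for host, (nbytes, nsrc) in reflection_targets(CAPTURE).items():
        print(f"{host}: {nbytes} bytes of MON_GETLIST responses from {nsrc} servers")
```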
