parallel_ntp_scan: A parallel NTP scanner
parallel_ntp_scan will scan a network for NTP servers. For each
server found, it examines which queries it responds to and rates
its risk of being implicated in an amplification DDoS attack.
parallel_ntp_scan, you may quickly identify NTP services which
have not been hardened
NTP-based amplification attacks.
On most networks, the majority of IP addresses will not respond to NTP
queries. Thus, it will take a long time to scan a network, if done sequentially.
This is why it's important that
parallel_ntp_scan uses threads to send out
queries in parallel. Using 1000 threads, the application may scan a /16 network in
around four minutes.1
parallel_ntp_scan was developed on a Linux system, but I'm guessing
that it can be brought to compile on many unix-like systems.
See comments in the code for details about building.
Scan 192.168.6.1 through 192.168.6.62, using 40 threads:
[user@clientpc dl]$ ./parallel_ntp_scan 192.168.6.0/26 40 Note: Some may find it offensive to scan their network, so make sure you ask for permission before you scan, if you are not the administrator of the indicated network. Enter 'y' to continue. y 3232237063 192.168.6.7 2 3232237061 192.168.6.5 2 3232237088 192.168.6.32 2 3232237086 192.168.6.30 2 3232237087 192.168.6.31 3 3232237090 192.168.6.34 1 3232237083 192.168.6.27 1 3232237084 192.168.6.28 1 3232237085 192.168.6.29 1 3232237095 192.168.6.39 1 3232237105 192.168.6.49 1 3232237107 192.168.6.51 1
The output is tab-separated. The first column is the 32-bit integer representation of the address, allowing for easy subsequent sorting. If run with the
-r option, the application will add another column with the result of a name-lookup.
In the above output, 192.168.6.31 has a rating of 3, meaning that it responds to
monlist queries which allow for amplification and should probably have its configuration adjusted.
The rating values are:
|0||Doesn't respond to any NTP queries.|
|1||Responds to basic NTP time queries, but none of the other query types.|
|2||Responds to the 'loopinfo' query, which some recommend disabling, although it normally doesn't allow for amplification.|
|3||Responds to the 'monlist' query, which has significant amplification potential.|
Running the application with the
--help option will display more examples of how to use different options.
Questions and/or comments may be sent to Troels Arvin.
parallel_ntp_scanto scan a network with more than a handful of addresses, it will initially throttle the traffic, to minimize the risk of network overloads, and to minimize the risk of losing response packets. Throttling inserts a small, random pause into each thread before makes its first query.