parallel_ntp_scan: A parallel NTP scanner

parallel_ntp_scan will scan a network for NTP servers. For each server found, it examines which queries it responds to and rates its risk of being implicated in an amplification DDoS attack. Using parallel_ntp_scan, you may quickly identify NTP services which have not been hardened against NTP-based amplification attacks.
On most networks, the majority of IP addresses will not respond to NTP queries. Thus, it will take a long time to scan a network, if done sequentially. This is why it's important that parallel_ntp_scan uses threads to send out queries in parallel. Using 1000 threads, the application may scan a /16 network in around four minutes. [1]
parallel_ntp_scan was developed on a Linux system, but I'm guessing that it can be brought to compile on many Unix-like systems. See comments in the code for details about building.
Scan 192.168.6.1 through 192.168.6.62, using 40 threads:
```
[user@clientpc dl]$ ./parallel_ntp_scan 192.168.6.0/26 40
Note: Some may find it offensive to scan their network, so make sure you ask for permission before you scan, if you are not the administrator of the indicated network. Enter 'y' to continue.
y
3232237063	192.168.6.7	2
3232237061	192.168.6.5	2
3232237088	192.168.6.32	2
3232237086	192.168.6.30	2
3232237087	192.168.6.31	3
3232237090	192.168.6.34	1
3232237083	192.168.6.27	1
3232237084	192.168.6.28	1
3232237085	192.168.6.29	1
3232237095	192.168.6.39	1
3232237105	192.168.6.49	1
3232237107	192.168.6.51	1
```
The output is tab-separated. The first column is the 32-bit integer representation of the address, allowing for easy subsequent sorting. If run with the -r option, the application will add another column with the result of a name-lookup.

In the above output, 192.168.6.31 has a rating of 3, meaning that it responds to monlist queries, which allow for amplification, and should probably have its configuration adjusted.

The rating values are:
The rating values are:
Value | Meaning |
---|---|
0 | Doesn't respond to any NTP queries. |
1 | Responds to basic NTP time queries, but none of the other query types. |
2 | Responds to the 'loopinfo' query, which some recommend disabling, although it normally doesn't allow for amplification. |
3 | Responds to the 'monlist' query, which has significant amplification potential. |
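
An added example, not part of parallel_ntp_scan: a Python triage of the tab-separated output above that checks each line's integer column against its address and lists the hosts rated 2 or 3, worst first. The sample lines are constructed from the output shown, and treating the -r name as a fourth column is an assumption.

```python
import ipaddress

# Rating meanings as given in the table on this page.
RATINGS = {
    0: "no NTP response",
    1: "basic time queries only",
    2: "answers 'loopinfo'",
    3: "answers 'monlist' (amplification potential)",
}

# Constructed sample: lines in the tab-separated format shown above,
# plus one malformed line to exercise the rejection path.
SAMPLE = (
    "3232237063\t192.168.6.7\t2\n"
    "3232237087\t192.168.6.31\t3\n"
    "3232237090\t192.168.6.34\t1\n"
    "garbage line\n"
)

def parse_scan(text):
    """Return (hosts, rejected); hosts are (int_addr, ip, rating, name), sorted by address."""
    hosts, rejected = [], []
    for line in text.splitlines():
        cols = line.split("\t")
        try:
            num, ip, rating = int(cols[0]), ipaddress.IPv4Address(cols[1]), int(cols[2])
            # Column 1 must be the integer form of column 2; a mismatch means a damaged line.
            if int(ip) != num or rating not in RATINGS:
                raise ValueError(line)
        except (ValueError, IndexError):
            if line.strip():
                rejected.append(line)
            continue
        # Assumption: with -r, the name-lookup result is the fourth column.
        name = cols[3] if len(cols) > 3 else ""
        hosts.append((num, str(ip), rating, name))
    return sorted(hosts), rejected

def needs_hardening(hosts, threshold=2):
    """Hosts rated at or above threshold, worst rating first, then by address."""
    return sorted((h for h in hosts if h[2] >= threshold), key=lambda h: (-h[2], h[0]))

if __name__ == "__main__":
    hosts, rejected = parse_scan(SAMPLE)
    for num, ip, rating, name in needs_hardening(hosts):
        print(f"{ip}\t{rating}\t{RATINGS[rating]}\t{name}")
    print(f"{len(rejected)} line(s) rejected")
```
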
Running the application with the --help option will display more examples of how to use different options.
Questions and/or comments may be sent to Troels Arvin.
Notes:

1. When using parallel_ntp_scan to scan a network with more than a handful of addresses, it will initially throttle the traffic, to minimize the risk of network overloads, and to minimize the risk of losing response packets. Throttling inserts a small, random pause into each thread before it makes its first query.