parallel_ntp_scan: A parallel NTP scanner

parallel_ntp_scan will scan a network for NTP servers. For each server found, it examines which queries it responds to and rates its risk of being implicated in an amplification DDoS attack.

Using parallel_ntp_scan, you may quickly identify NTP services which have not been hardened against NTP-based amplification attacks.

On most networks, the majority of IP addresses will not respond to NTP queries, so a sequential scan spends most of its time waiting for replies that never arrive. This is why parallel_ntp_scan uses threads to send out queries in parallel. Using 1000 threads, the application may scan a /16 network in around four minutes.

parallel_ntp_scan was developed on a Linux system, but I'm guessing that it can be brought to compile on many unix-like systems. See comments in the code for details about building.


Version 1.1:


Scan through, using 40 threads:

[user@clientpc dl]$ ./parallel_ntp_scan 40
Note: Some may find it offensive to scan their network, so make sure 
you ask for permission before you scan, if you are not the administrator 
of the indicated network.

Enter 'y' to continue. y
3232237063	2
3232237061	2
3232237088	2
3232237086	2
3232237087	3
3232237090	1
3232237083	1
3232237084	1
3232237085	1
3232237095	1
3232237105	1
3232237107	1

The output is tab-separated. The first column is the 32-bit integer representation of the address, allowing for easy subsequent sorting. If run with the -r option, the application will add another column with the result of a name-lookup.

In the above output, has a rating of 3, meaning that it responds to monlist queries which allow for amplification and should probably have its configuration adjusted.

The rating values are:

0: Doesn't respond to any NTP queries.
1: Responds to basic NTP time queries, but none of the other query types.
2: Responds to the 'loopinfo' query, which some recommend disabling, although it normally doesn't allow for amplification.
3: Responds to the 'monlist' query, which has significant amplification potential.
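The output format and rating values described above lend themselves to a small triage script. The following is an added example, not part of parallel_ntp_scan: it parses saved scanner output, converts the integer column to dotted-quad form, and lists the hosts to harden first. It assumes the integer is the address with the first octet most significant; the function names, the sample lines and the hostname are constructed for illustration.

```python
import ipaddress

# Rating meanings as listed on this page.
RATINGS = {
    0: "no response to NTP queries",
    1: "basic time queries only",
    2: "answers 'loopinfo'",
    3: "answers 'monlist' (amplification potential)",
}

# Constructed sample: lines in the format shown above, plus one line with
# the extra name column that -r adds (the hostname is made up).
SAMPLE = """\
3232237063\t2
3232237087\t3
3232237090\t1
3232237088\t2\tntp1.example.net
"""

def parse_scan(text):
    """Return [(IPv4Address, rating, name-or-None)] sorted by address."""
    hosts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        # Skip the permission banner, the prompt and blank lines.
        if len(fields) < 2 or not (fields[0].isdigit() and fields[1].isdigit()):
            continue
        value, rating = int(fields[0]), int(fields[1])
        if value > 0xFFFFFFFF or rating not in RATINGS:
            raise ValueError(f"line {lineno}: unexpected value {line!r}")
        name = fields[2] if len(fields) > 2 else None
        # Assumption: first octet is the most significant byte of the integer.
        hosts.append((ipaddress.IPv4Address(value), rating, name))
    return sorted(hosts, key=lambda h: h[0])

def needs_hardening(hosts, threshold=3):
    """Hosts rated at or above threshold, highest rating first."""
    return sorted((h for h in hosts if h[1] >= threshold),
                  key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    for addr, rating, name in needs_hardening(parse_scan(SAMPLE), threshold=2):
        print(f"{addr}\t{rating}\t{RATINGS[rating]}\t{name or ''}")
```

Lowering the threshold to 2 also lists hosts that answer 'loopinfo', for sites that follow the recommendation to disable it.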

Running the application with the --help option will display more examples of how to use different options.


Questions and/or comments may be sent to Troels Arvin.