Network Time Protocol (NTP) Mode 6 Query Response Check

Checks if the remote Network Time Protocol (NTP) service has responded to Mode 6 Queries.

If a service supporting NTP is publicly accessible and is responding to Mode 6 Queries it can participate in an Amplification based Distributed Denial of Service (DDoS) attack. An Amplification attack is a popular form of Distributed Denial of Service (DDoS) that relies on the use of publicly accessible NTP services to overwhelm a victim system with response traffic. The basic attack technique consists of an attacker sending a valid query request to a NTP service with the source address spoofed to be the victim's address. When the Memcached server sends the response, it is sent instead to the victim. Attackers will typically first inserting records into the open server to maximize the amplification effect. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim. By leveraging a botnet to perform additional spoofed queries, an attacker can produce an overwhelming amount of traffic with little effort. Additionally, because the responses are legitimate data coming from valid clients, it is especially difficult to block these types of attacks.

The following mitigation possibilities are currently available: - Generally disable public access to the UDP port of this NTP service. - Only allow Mode 6 queries by trusted clients / networks.