NetFort Advertising

How to tell the difference between normal NTP traffic and DDoS NTP traffic

Monitor Network Traffic

Normal NTP traffic vs. DDoS NTP traffic

Yet again, DDoS attacks were in the news when the recent Dyn outage took a lot of popular websites and services offline. DDoS attacks of this nature are an ever present threat and are similar to ones which shutdown a number of government and college networks earlier this year.  I covered this attack in an earlier blog post which looked at the forensic analysis of a DDoS attack.

Each of these attacks used spoofed packets based on UDP protocols like NTP or DNS. Both of these protocols are vital when it comes to data communications, so we cannot just switch them off. What we all need to do is monitor network traffic on our networks and watch out for suspicious activity.

If you want to carry out detailed forensics on current and past events, packet capture is the recommended approach, as it will enable you to look at packet payloads which can reveal a lot about the nature of the attack. A SPAN, mirror port or network TAP are the most popular methods for getting a source of network packets.

Take a look at this short video, as it explains the basics of what you need to do to monitor Internet traffic on your network.

How to tell the difference between normal NTP and DDoS NTP traffic

Firstly, let us take a look at what a snapshot of normal NTP traffic looks like on a network. The screen shot below was taken from a LANGuardian system which was monitoring all traffic at the edge of a busy network.

Normal NTP Traffic
  1. The first thing we see is random external IP addresses sending UDP packets. This would suggest that this network is hosting open NTP servers. Unless, there is a specific reason for this, I would not allow inbound queries like these.
  2. The destination IP address is local to this network. I have blurred some of the information as it has IP addresses associated with this specific network.
  3. The destination port is 123 which is associated with NTP.
  4. The total amount of data sent back to the queries is small or zero in some cases. This is normal when it comes to NTP.

Now, lets take a look at NTP traffic associated with a DDoS attack. The image below was taken from the same network when it was targeted with a DDoS attack. The initial symptom was high CPU usage on firewalls which then lead to network congestion when Internet links became swamped with traffic. What was also interesting is the firewall logs were inaccessible, so it was vital, that we had a separate network traffic monitoring tool in place.

DDoS NTP traffic
  1. Random external source addresses. Nothing unusual here other than the question if this network should be providing open NTP services
  2. The destination IP is located inside this network. Note that the source IP is probably spoofed by the attackers. This is not the IP address of their system so its pointless blocking these source IP addresses.
  3. Targeted service is NTP.
  4. The crucial info is in the received column. Here, we can see that for a small amount of sent traffic there is a large reply. 18KB may not seem like a lot but when you have millions of queries it can add up to a massive DDoS NTP traffic attack.


  • Not matter what size of network you are responsible for, you need to monitor network traffic.
  • Don’t rely on log files as they may not be accessible if your network comes under attack.
  • Watch out for suspicious activity like DDoS NTP traffic where the received totals are much higher than what is been sent.
  • Make changes to firewall rules based on your findings. If you run public services inside your network, move them to a DMZ or block access if it something that should not be in place.

To find out if LANGuardian is the right solution for your business, visit

About NetFort

NetFort provides network traffic and security monitoring software for virtual and physical networks. NetFort’s flagship product, LANGuardian, is unique in the marketplace thanks to its powerful deep-packet inspection technology that can be downloaded and deployed on standard physical or virtual hardware to provide comprehensive visibility in minutes. Organizations worldwide depend on LANGuardian solutions from monitoring user activity to file activity monitoring, web activity monitoring, network security monitoring,bandwidth monitoring, wire data analytics, network forensics to packet capture.

To see LANGuardian in action – try our interactive demo today!