# Port 123 (NTP)

Learn about port 123 (NTP) - security risks, vulnerabilities, and common uses. Find devices with port 123 open.

## Quick Info

| Field | Value |
|---|---|
| Port Number | 123 |
| Protocol | UDP |
| Service | NTP |
| IANA Name | NTP |

## Service Description

Network Time Protocol (NTP) is a networking protocol used for clock synchronization between computer systems over packet-switched, variable-latency data networks. NTP uses UDP port 123 as its primary transport mechanism. The protocol operates in a hierarchical, semi-layered system of time sources. At the top are authoritative time sources, such as atomic clocks or GPS receivers, which are considered stratum 0. Servers directly connected to these sources are stratum 1, and so on. NTP clients synchronize their clocks with servers at lower stratum levels, forming a tree-like structure.

NTP operates by exchanging timestamps between client and server. A client sends a request to a server, noting the transmit timestamp (T1). The server receives the request (T2), processes it, and sends a reply, noting its own transmit timestamp (T3). The client receives the reply (T4). Using these four timestamps, the client can calculate both the round-trip delay and the offset between its clock and the server's clock. The protocol then adjusts the client's clock gradually to minimize the offset, avoiding sudden jumps in time.

NTPv4, the current version, supports various modes of operation, including client/server, symmetric active/passive, and broadcast/multicast, allowing for flexible deployment in different network environments.
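As an added example (not code from this page or from any NTP implementation), the Python below builds an NTPv4 client request and a constructed server reply for the four-timestamp exchange described above, checks that the reply actually answers the request (the origin timestamp must echo the client's T1, and a stratum-0 Kiss-o'-Death reply is rejected rather than applied to the clock), and computes round-trip delay and clock offset from T1..T4 with the RFC 5905 formulas. It goes beyond the text in laying out the 48-byte NTP header; the timestamps and the GPS/RATE reference identifiers are constructed sample data.

```python
import struct

NTP_EPOCH_DELTA = 2208988800            # seconds from the NTP epoch (1900) to the Unix epoch (1970)
PACKET = struct.Struct("!BBbbIIIQQQQ")  # 48-byte NTPv4 header layout (RFC 5905)

def to_ntp(unix_ts):
    """Encode Unix time (float) as a 64-bit NTP timestamp: 32-bit seconds, 32-bit fraction."""
    whole = int(unix_ts)
    return ((whole + NTP_EPOCH_DELTA) << 32) | int((unix_ts - whole) * 2**32)

def from_ntp(ts):
    """Decode a 64-bit NTP timestamp back to Unix time (float)."""
    return (ts >> 32) - NTP_EPOCH_DELTA + (ts & 0xFFFFFFFF) / 2**32

def build_request(t1):
    """Client packet: LI=0, VN=4, mode=3; only the transmit timestamp (T1) is filled in."""
    return PACKET.pack((4 << 3) | 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1))

def build_reply(request, t2, t3, stratum=2, ref_id=b"GPS\0"):
    """Constructed server reply (mode 4): echoes the client's T1 as origin, stamps T2 and T3."""
    client_t1 = PACKET.unpack(request)[10]
    return PACKET.pack((4 << 3) | 4, stratum, 6, -20, 0, 0, int.from_bytes(ref_id, "big"),
                       to_ntp(t2), client_t1, to_ntp(t2), to_ntp(t3))

def delay_and_offset(reply, t1, t4):
    """Check the reply belongs to our request, then apply the RFC 5905 delay/offset formulas."""
    f = PACKET.unpack(reply)
    if f[0] & 0x7 != 4:
        raise ValueError("not a server (mode 4) reply")
    if f[8] != to_ntp(t1):  # origin timestamp must echo the T1 we sent
        raise ValueError("origin timestamp mismatch: unsolicited or spoofed reply")
    if f[1] == 0:  # stratum 0 marks a Kiss-o'-Death packet; the reference id holds the kiss code
        raise ValueError("kiss-o'-death: " + f[6].to_bytes(4, "big").decode("ascii", "replace"))
    t2, t3 = from_ntp(f[9]), from_ntp(f[10])
    delay = (t4 - t1) - (t3 - t2)           # round-trip time minus server processing time
    offset = ((t2 - t1) + (t3 - t4)) / 2    # how far the client clock is behind the server
    return delay, offset

if __name__ == "__main__":
    # Constructed exchange: client clock 0.25 s behind the server, 0.05 s one-way network delay
    t1, t4 = 1700000000.00, 1700000000.15   # client clock at send / at receive
    t2, t3 = 1700000000.30, 1700000000.35   # server clock at receive / at transmit
    req = build_request(t1)
    print(delay_and_offset(build_reply(req, t2, t3), t1, t4))  # ≈ (0.10, 0.25)
```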

## Firewall Recommendations

For most end-user systems, outbound UDP port 123 should be allowed so that the system can synchronize with NTP servers. However, inbound UDP port 123 should be blocked unless the system is acting as an NTP server for other systems. If running an NTP server, configure it carefully to restrict access to authorized clients only and disable the 'monlist' feature to prevent amplification attacks. Regularly update the NTP software to patch known vulnerabilities. Consider rate limiting to mitigate potential DDoS attacks. Implement monitoring and logging to detect suspicious activity on the NTP server. If you are not running a public NTP server, consider blocking all inbound UDP traffic on port 123.

## Security Information

NTP, while essential for many systems, has a history of security vulnerabilities. Because NTP servers are often publicly accessible, they can be abused in amplification attacks. In an NTP amplification attack, an attacker sends a small request to an NTP server with a spoofed source IP address (the victim's IP). The server then responds with a much larger packet to the spoofed address, effectively amplifying the attacker's traffic and overwhelming the victim. Furthermore, vulnerabilities in the NTP daemon itself can allow attackers to execute arbitrary code on the server, potentially compromising the entire system or network. The protocol's complexity and long history contribute to the ongoing discovery of new vulnerabilities. Unpatched NTP servers are prime targets for attackers seeking to launch DDoS attacks or gain unauthorized access to systems.

## Known Vulnerabilities

| CVE | Name | Severity | Description |
|---|---|---|---|
| CVE-2014-9295 | NTP: Handling of packets with the KoD extension option | Medium | The NTP daemon (ntpd) before version 4.2.8p1 allows remote attackers to cause a denial of service (packet exhaustion) by sending packets with the KoD (Kiss-of-Death) extension option. |
| CVE-2015-5194 | NTP: Buffer overflow in ntpq | High | ntpq in NTP before version 4.2.8p4, when authentication mode is enabled, allows remote attackers to cause a denial of service (process crash) or possibly execute arbitrary code via a long response from the NTP server. |
| CVE-2016-1547 | NTP: Authentication bypass vulnerability | Critical | NTP before version 4.2.8p7 allows remote attackers to bypass authentication and send arbitrary commands using the default MD5 key. |
| CVE-2019-8936 | ntpd: Unused memory in ntp_proto.c | Medium | A memory leak in ntp_proto.c in ntpd 4.2.8p12 and earlier may allow an attacker to cause a denial of service (memory exhaustion) by sending specially crafted packets. |

## Common Software

  • ntpd (NTP daemon)
  • chronyd
  • Windows Time service (w32time)
  • NTPsec
  • Meinberg NTP
  • Network Time Protocol (NTP) Client
  • systemd-timesyncd
  • time.apple.com
  • pool.ntp.org
  • NTPdate

ScaniteX scans millions of IPs to find devices with specific ports open. Perfect for security research and network auditing.