Port reference
Port 123 (UDP) – NTP
Network Time Protocol — synchronizes system clocks across networks.
Default state
Listening on dedicated NTP servers and on many routers, appliances and hosts that also serve time to their neighbours. Frequently left exposed to the internet as an openly queryable server, which is what makes it attractive as a reflector.
Common attacks
- NTP amplification DDoS via the monlist command (CVE-2013-5211)
- Time-shifting attacks to break TLS, Kerberos, and log integrity
- Spoofed responses to skew or stall clients' clocks
- Mode 6/7 query abuse for reconnaissance and reflection
Hardening
- Disable monlist (disable monitor in ntp.conf) and block mode 6 and 7 queries from untrusted sources with restrict ... noquery
- Upgrade to ntpd 4.2.7p26 or later, which no longer answers monlist, or run chrony, which never implemented it
- Use 'restrict' directives to limit who can query and modify
- Authenticate peers with symmetric keys or NTS where possible
- Rate-limit and block spoofed-source traffic at the network edge
nmap snippet
nmap -sU -p123 --script ntp-info,ntp-monlist <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 123?
Port 123 carries NTP (Network Time Protocol), which keeps system clocks synchronized across a network by exchanging timestamps with upstream time sources. Accurate time underpins TLS certificate validation, Kerberos authentication, log correlation, and scheduled jobs, so NTP runs on servers, network devices, and appliances throughout an environment, frequently as both client and server.
Why it matters for security
NTP is the classic amplification vector. Older ntpd builds answer the unauthenticated
monlist command (a mode 7 request) with a list of up to 600 recent clients, spread over
many 440-byte datagrams, so an 8-byte query with a spoofed source address turns into
tens of kilobytes aimed at the victim; that is the basis of CVE-2013-5211. Beyond DDoS,
manipulating time is itself an attack: shifting a host's clock can invalidate
certificates, expire or replay Kerberos tickets, and corrupt the timestamps that
security logs depend on.
How it's attacked
Attackers scan for open NTP servers that still honor monlist, then reflect spoofed-source queries off them to flood victims with amplified traffic. Where they can answer faster than the real servers (on-path, or racing legitimate responses to an unauthenticated client), they inject spoofed time responses to skew or stall a target's clock, breaking certificate validation and Kerberos or masking the timing of an intrusion. Mode 6/7 queries are further abused for reconnaissance, since they reveal a server's peers, software version and configuration.
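The following is an added example, not code from the original page or from the ntp project. It builds the 8-byte mode 7 MON_GETLIST_1 ("monlist") request described above, parses the reply format a vulnerable ntpd returns, and computes the amplification factor from a constructed 600-client response; the field layout and the constants (mode 7 header, implementation 3, request 42, 72-byte info_monitor_1 items, error codes) follow ntpd's ntp_request.h, while the sample reply and the client addresses are constructed for the demonstration. The probe() helper is the only part that touches the network; use it only against hosts you are authorized to test.

```python
"""Build a legacy NTP mode 7 MON_GETLIST_1 probe and parse the reply.

Added example (not from the page or the ntp project). Constants follow
ntp_request.h; the sample reply is constructed, not a capture.
"""
import socket
import struct

# rm_vn_mode byte: bit7 response, bit6 more, bits 5-3 version, bits 2-0 mode
MODE7_REQUEST = 0x17        # version 2, mode 7, response/more bits clear
IMPL_XNTPD = 3              # implementation number ntpd answers to
REQ_MON_GETLIST_1 = 42      # the "monlist" request code
MON_ITEM_SIZE = 72          # sizeof(struct info_monitor_1)
INFO_ERR_NAMES = {0: "OKAY", 1: "IMPL", 2: "REQ", 3: "FMT", 4: "NODATA", 7: "AUTH"}


def build_monlist_probe(seq=0):
    """Header only, 8 bytes: the entire request an attacker has to spoof."""
    return struct.pack("!BBBBHH", MODE7_REQUEST, seq & 0x7F,
                       IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_response(pkt):
    """Return header fields plus (client_ip, packet_count) for each item."""
    if len(pkt) < 8:
        raise ValueError("short mode 7 packet")
    rvm, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", pkt[:8])
    if (rvm & 0x07) != 7 or not (rvm & 0x80):
        raise ValueError("not a mode 7 response")
    info = {
        "more": bool(rvm & 0x40),          # further datagrams follow
        "seq": auth_seq & 0x7F,
        "error": INFO_ERR_NAMES.get(err_nitems >> 12, str(err_nitems >> 12)),
        "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_itemsize & 0x0FFF,
        "clients": [],
    }
    body = pkt[8:]
    for i in range(info["nitems"]):
        item = body[i * info["itemsize"]:(i + 1) * info["itemsize"]]
        if len(item) < 32:
            break
        # info_monitor_1: avg_int, last_int, restr, count, addr, ... (u32 each)
        count, addr = struct.unpack("!II", item[12:20])
        info["clients"].append((socket.inet_ntoa(struct.pack("!I", addr)), count))
    return info


def amplification(request, replies):
    """Bytes received per byte sent, across every datagram of one reply."""
    return sum(len(r) for r in replies) / len(request)


def make_reply(clients, more=False, seq=0, error=0):
    """Construct a reply the way a vulnerable ntpd would (test data only)."""
    rvm = 0x80 | (0x40 if more else 0) | MODE7_REQUEST
    hdr = struct.pack("!BBBBHH", rvm, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      (error << 12) | len(clients), MON_ITEM_SIZE if clients else 0)
    items = b""
    for ip, count in clients:
        addr = struct.unpack("!I", socket.inet_aton(ip))[0]
        # avg_int, last_int, restr, count, addr, daddr, flags, port, mode,
        # version, v6_flag, unused1, then 32 zero bytes for addr6/daddr6
        items += struct.pack("!IIIIIIIHBBII", 64, 3, 0, count, addr, 0, 0,
                             123, 3, 4, 0, 0) + b"\x00" * 32
    return hdr + items


# Constructed sample: a server with 600 recent clients answers one 8-byte
# request with 100 datagrams of 6 entries each (440 bytes apiece).
PROBE = build_monlist_probe()
SAMPLE_CLIENTS = [(f"10.0.{i // 256}.{i % 256}", 1000 + i) for i in range(600)]
SAMPLE_REPLIES = [
    make_reply(SAMPLE_CLIENTS[i:i + 6], more=(i + 6 < 600), seq=i // 6)
    for i in range(0, 600, 6)
]


def probe(host, timeout=2.0):
    """Send one probe to an authorized host; patched or noquery hosts return []."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(PROBE, (host, 123))
        try:
            while True:
                data, _ = s.recvfrom(2048)
                replies.append(data)
                if not parse_mode7_response(data)["more"]:
                    break
        except socket.timeout:
            pass
    return replies


if __name__ == "__main__":
    print(f"{len(SAMPLE_REPLIES)} datagrams, {amplification(PROBE, SAMPLE_REPLIES):.0f}x amplification")
```

On the constructed data the factor is 5500x, which is why a single spoofed packet per second per reflector adds up so quickly. A host patched to 4.2.7p26 or later, or protected with restrict noquery, simply does not answer; one running with disable monitor answers with an error-only header (error 4, NODATA) and no items, which parse_mode7_response reports as error "NODATA".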
Hardening checklist
Disable monlist (disable monitor) and deny mode 6/7 queries from untrusted sources
with restrict ... noquery, or upgrade to ntpd 4.2.7p26 or later, which no longer
answers monlist, or move to chrony, which never implemented it. Use restrict
directives to control who can query and modify the service, and authenticate
peers with symmetric keys or NTS. At the network edge, rate-limit NTP and filter
spoofed source addresses (BCP 38). The nmap snippet above checks for monlist
exposure on servers you are authorized to test.
Frequently asked questions
- Why is NTP used for DDoS amplification?
- The legacy monlist command returns a large list of recent clients from a tiny request, so attackers spoof a victim's IP and reflect huge responses off open NTP servers.
- How do I stop NTP amplification?
- Disable the monlist/mode 7 query (or upgrade to ntpd 4.2.7p26+ or chrony), apply restrict noquery directives, and filter spoofed source addresses at your edge.