How to configure Network Time Protocol (NTP) Mode 6 Scanner in Cisco Switches?

A vulnerability in Network Time Protocol (NTP) package of Cisco IOS. Resolve an issue with (Network Time Protocol (NTP) Mode 6 Scanner).

Vulnerability: Network Time Protocol (NTP) Mode 6 denial-of-service vulnerability


Description: The remote NTP server responds to mode 6 queries. Devices that respond to these queries have the potential to be used in NTP amplification attacks. Attacker would have to send a massive amount of mode 6 messages to a huge number of recipient servers or clients in your organization.


Impact: An unauthenticated, remote attacker could potentially exploit this, via a specially crafted mode 6 query, to cause a reflected denial of service condition.

 Network Time Protocol (NTP) to perform massive Reflection DDoS attack


Notes for Cisco IOS Catalyst Switch devices:

Authenticated NTP time updates can be configured on Cisco Catalyst Switch devices with the following commands:

#ntp authenticate

#ntp authentication-key key-num md5 key-string

#ntp server ip-address key key-num [prefer]

If access restrictions are in place, you will need to ensure that you allow time synchronization with the following command

#ntp access-group peer acl

NTP Mode 6 netsecaddict




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Create a free website or blog at

Up ↑

%d bloggers like this: