Knowledge Base

DDoS Attacks on NTP Servers affecting some GNSS receivers

There have recently been widespread attacks by internet gamers on Network Time (NTP) servers - many computers, servers, and devices run these, and some GNSS receivers have proven to be vulnerable.

See this article for a good description of the issue:
NTP Amplification Flaw To Blame For Gaming DDoS Attacks | Threatpost 

Our immediate recommendation is that any new-generation JAVAD or Trimble NetR5, NetR8, or NetR9 GNSS receiver (with firmware versions 4.81 or earlier) that has a direct connection to the internet - i.e. a public IP address with no firewall router, cellular modem or VSAT/BGAN in its communication path - should have its NTP server disabled and/or IP Filtering enabled as soon as possible.

NTP servers are left enabled by default on these devices although only a small minority of users require this functionality.

The server can be disabled in the "Network Configuration -> NTP" tab of a Trimble NetR5, NetR8, or NetR9 on the web interface. The recommended configuration will be:

netr9 ntp server.png

Please see the following Trimble Document for general recommendations regarding the internet security of their devices:
Trimble NetRx Series Receivers: Security Features, Guidelines, and Recommendations

14 February, 2014:  Trimble released firmware version 4.85 for NetR5, NetR8, and NetR9 that eliminates the NTP vulnerablity along with many other features and fixes.  4.85 is currently under formal evaluation by the UNAVCO Development and Testing group and will be posted on appropriate KnowledgeBase pages.  In the meantime qulafied users can download the firmware and find release notes at Trimble's support page.

Any current-generation JAVAD receivers with similar data communications should have their NTP servers moved to an alternate port; (it is not possible to disable the server) using the follwing GREIS commands, the second of which will restart the receiver:


Trimble NetRS and other brands of GNSS receivers do NOT appear to be vulnerable to these attacks,
but we still recommend that all internet security on any device be reviewed for possible vulnerability to this and other threats.

Super-users and system administrators may run a diagnostic command to determine if any given device is vulnerable or under attack to the current NTP (replacing the X's with the IP address or URL of your device)

sudo nmap -sU -pU:123 -Pn -n --script=ntp-monlist XXX.XXX.XXX.XXX

An immediate response that shows a large number of connected servers indicates that the device is currently under attack, while a delayed response indicates that the device is not vulnerable.  

If you are operating any other devices with direct internet exposure you should contact your local IT Staff to determine whether a vulnerability needs to be addressed.

Please subscribe to this article in the upper right corner of this page to be notified of updates.

Attached Files
There are no attachments for this article.
Related Articles RSS Feed
Using external USB memory and logging sessions - Trimble NetR9
Viewed 54547 times since Tue, May 6, 2014
Imaging a Trimble NetRS receiver compact flashcard
Viewed 2280 times since Tue, Mar 31, 2015
DC power cable for the Trimble NetR9
Viewed 15566 times since Tue, Feb 26, 2013
Trimble NetR5 Resource Page
Viewed 9709 times since Tue, Jun 1, 2010
How to build a NetR8 or NetR9 DC power cable
Viewed 2327 times since Wed, Jan 4, 2012
Trimble NetR5, NetR8, NetR9 - Using IP filtering
Viewed 4814 times since Thu, Feb 27, 2014
Trimble NetR5 - Dealer FAQ, February 2006
Viewed 1670 times since Tue, Aug 25, 2009
HTTPS: Firefox workaround for Trimble receivers
Viewed 3016 times since Wed, Jan 25, 2012
Trimble NetR9 Receiver - GSOF Messages
Viewed 5889 times since Thu, May 15, 2014
How to access Trimble NetR9 through USB
Viewed 7168 times since Tue, Aug 2, 2011

Last modified: 2019-12-27  16:36:35  America/Denver