Semi-urgent: Disable NTP replies?

Darren Pilgrim
Tue Feb 18 23:12:37 UTC 2014

On 2/18/2014 2:53 PM, Ronald F. Guilmette wrote:
> I didn't realize it until today, but the games people are out there
> playing nowadays with respect to NTP are now DRASTICALLY affecting me,
> so much so that essentially 100% of my outbound bandwidth was being
> used up just in sending out NTP reply packets... something that I
> had never even intended to do in the first place!


restrict default kod nomodify nopeer noquery notrap
restrict -6 default kod nomodify nopeer noquery notrap
restrict mask
restrict -6 ::1

to your /etc/ntp.conf.  You should also use ipfw/pf to block unsolicited 
udp/123 inbound.  If you're serving NTP (i.e., to a LAN), add lines like:

restrict mask nomodify nopeer noquery notrap
restrict -6 2001:db8:: mask ffff:ffff:ffff:ffff:: nomodify nopeer noquery notrap

after the ones above.  Where and 2001:db8::/64 are replaced 
with your actual subnets.  The noquery keyword is critical--it disables 
the monlist commands (the NTP feature used for the current version of 
NTP-based DDoS attacks).  The kod keyword tells clients not to try 
again, so obviously you want to not have that for your served subnets.
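A small audit of the restrict lines in an ntp.conf against the recipe in this reply, added here as an example (not code from the post or from ntpd); the sample configuration is constructed, and 192.0.2.0/24 and 2001:db8::/64 stand in for real served subnets:

```python
# Audit the restrict lines of an ntp.conf for the exposure discussed in the thread.
# Added example, not from the post or ntpd; assumes ntpd's syntax: restrict [-4|-6] ADDR [mask MASK] [FLAG ...]
import shlex

REQUIRED_DEFAULT_FLAGS = {"noquery", "nomodify", "nopeer", "notrap"}

def parse_restrict_lines(conf_text):
    """Return one dict (family, address, mask, flags) per restrict line."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = shlex.split(raw.split("#", 1)[0])  # drop comments, split on whitespace
        if not tokens or tokens[0] != "restrict":
            continue
        tokens, family = tokens[1:], "ipv4"
        if tokens and tokens[0] in ("-4", "-6"):
            family = "ipv6" if tokens.pop(0) == "-6" else "ipv4"
        if not tokens:
            continue
        address, mask = tokens.pop(0), None
        if len(tokens) >= 2 and tokens[0] == "mask":
            mask, tokens = tokens[1], tokens[2:]
        entries.append({"family": family, "address": address, "mask": mask, "flags": set(tokens)})
    return entries

def audit_ntp_conf(conf_text):
    """Return a list of findings; an empty list means the recipe's checks pass."""
    findings, entries = [], parse_restrict_lines(conf_text)
    for family in ("ipv4", "ipv6"):
        defaults = [e for e in entries if e["family"] == family and e["address"] == "default"]
        if not defaults:
            findings.append(f"{family}: no 'restrict default' line, so ntpd answers anyone, monlist included")
            continue
        for e in defaults:
            if "ignore" in e["flags"]:
                continue  # ignore drops every packet, stricter than any flag set
            missing = sorted(REQUIRED_DEFAULT_FLAGS - e["flags"])
            if missing:
                note = "; monlist stays reachable" if "noquery" in missing else ""
                findings.append(f"{family}: 'restrict default' lacks {' '.join(missing)}{note}")
    # The recipe keeps kod off served subnets: kod tells clients not to try again.
    for e in entries:
        if e["address"] != "default" and e["mask"] and "kod" in e["flags"]:
            findings.append(f"{e['address']} mask {e['mask']}: kod set on a served subnet")
    return findings

# Constructed sample applying the recipe; 192.0.2.0/24 and 2001:db8::/64 are placeholder LANs.
HARDENED_CONF = """restrict default kod nomodify nopeer noquery notrap
restrict -6 default kod nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify nopeer noquery notrap
restrict -6 2001:db8:: mask ffff:ffff:ffff:ffff:: nomodify nopeer noquery notrap"""
```

Feed it the text of your own ntp.conf; an empty result means the default entries carry all four flags (or ignore) and no served subnet carries kod.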

