Semi-urgent: Disable NTP replies?
darren at bluerosetech.com
Tue Feb 18 23:12:37 UTC 2014
On 2/18/2014 2:53 PM, Ronald F. Guilmette wrote:
> I didn't realize it until today, but the games people are out there
> playing nowadays with respect to NTP are now DRASTICALLY affecting me,
> so much so that essentially 100% of my outbound bandwidth was being
> used up just in sending out NTP reply packets... something that I
> had never even intended to do in the first place!
restrict default kod nomodify nopeer noquery notrap
restrict -6 default kod nomodify nopeer noquery notrap
restrict 127.0.0.1 mask 255.0.0.0
restrict -6 ::1
to your /etc/ntp.conf. You should also use ipfw/pf to block unsolicited
udp/123 inbound. If you're serving NTP (i.e., to a LAN), add lines like:
restrict 192.0.2.0 mask 255.255.255.0 nomodify nopeer noquery notrap
restrict -6 2001:db8:: mask ffff:ffff:ffff:ffff:: nomodify nopeer
after the ones above, where 192.0.2.0/24 and 2001:db8::/64 are replaced
with your actual subnets. The noquery keyword is critical--it disables
the monlist commands (the NTP feature used for the current version of
NTP-based DDoS attacks). The kod keyword tells clients not to try
again, so obviously you want to not have that for your served subnets.
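As an added example (not part of this thread), a small Python check that reads an ntp.conf and reports restrict lines that deviate from the advice above: every default line carries nomodify/nopeer/noquery/notrap, served subnets carry noquery, and kod is not set on served subnets. The function names, the REQUIRED_DEFAULT set and the two sample configs are this example's own; the subnets in them are placeholders.

```python
"""Lint ntpd restrict lines against the post's advice (added example; classic syntax: restrict [-4|-6] <addr|default> [mask <mask>] <flag>...)."""
REQUIRED_DEFAULT = {"nomodify", "nopeer", "noquery", "notrap"}  # every default line should carry these

def parse_restrict(conf_text):
    """Return [(family, addr, mask, flags)] for each restrict line, comments stripped."""
    rules = []
    for raw in conf_text.splitlines():
        toks = raw.split("#", 1)[0].split()
        if len(toks) < 2 or toks[0] != "restrict":
            continue
        fam_flag = toks[1] if toks[1] in ("-4", "-6") else None
        toks = toks[2:] if fam_flag else toks[1:]
        if not toks:
            continue
        addr, rest, mask = toks[0], toks[1:], None
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        family = "ipv6" if fam_flag == "-6" or ":" in addr else "ipv4"  # bare IPv6 addr implies -6
        rules.append((family, addr, mask, frozenset(rest)))
    return rules

def lint_restrict(conf_text):
    """Return human-readable findings; an empty list means the config matches the advice."""
    findings, rules = [], parse_restrict(conf_text)
    for fam in ("ipv4", "ipv6"):
        defaults = [r for r in rules if r[0] == fam and r[1] == "default"]
        if not defaults:
            findings.append(f"{fam}: no 'restrict default' line, unsolicited queries are answered")
        for _, _, _, flags in defaults:
            findings.extend(f"{fam} default lacks {m}" for m in sorted(REQUIRED_DEFAULT - flags))
    for fam, addr, mask, flags in rules:
        if addr == "default" or addr.startswith("127.") or addr == "::1":
            continue  # default checked above; loopback is trusted
        target = addr if mask is None else f"{addr} mask {mask}"
        if "noquery" not in flags:
            findings.append(f"{target}: ntpdc/ntpq queries (monlist) allowed, add noquery")
        if "kod" in flags:
            findings.append(f"{target}: kod set on a served subnet")
    return findings

# Constructed samples: WEAK omits noquery on its default line, GOOD follows the post (placeholder subnets).
WEAK_CONF = "restrict default kod nomodify nopeer notrap\nrestrict 127.0.0.1\n"
GOOD_CONF = """\
restrict default kod nomodify nopeer noquery notrap
restrict -6 default kod nomodify nopeer noquery notrap
restrict 127.0.0.1 mask 255.0.0.0
restrict -6 ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify nopeer noquery notrap
restrict -6 2001:db8:: mask ffff:ffff:ffff:ffff:: nomodify nopeer noquery notrap
"""
```

Run `lint_restrict(open("/etc/ntp.conf").read())` against a real file; an empty list means nothing to fix.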