Semi-urgent: Disable NTP replies?

Michael Sierchio kudzu at tenebras.com
Tue Feb 18 23:18:05 UTC 2014


If you want to prevent your ntp process from being used in DDOS
reflection attacks, just put this directive in the ntp.conf file:

disable monitor

You don't necessarily have to restrict access for normal queries
(unless you want to).

google: +ntp +reflection +ddos



On Tue, Feb 18, 2014 at 2:53 PM, Ronald F. Guilmette
<rfg at tristatelogic.com> wrote:
>
> I didn't realize it until today, but the games people are out there
> playing nowadays with respect to NTP are now DRASTICALLY affecting me,
> so much so that essentially 100% of my outbound bandwidth was being
> used up just in sending out NTP reply packets... something that I
> had never even intended to do in the first place!
>
> So, um, I've had to put in a new stopgap ipfw rule, just to stop these
> bloody &^%$#@ NTP reply packets from leaving my server, but what is
> that Right Way to solve this problem?  I'm guessing that there's
> something I need to add to my /etc/ntp.conf file in order to tell
> my local ntpd to simply not accept incoming _query_ packets unless
> they are coming from my own LAN, yes?  But obviously, I still need it
> to accept incoming ntp _reply_ packets or else my machine will never
> know the correct time.
>
> Sorry.  The answer I'm looking for is undoubtedly listed in an FAQ
> someplace, but I am very much on edge right at the moment... because
> I was basically being DDoS'd by all of this stupid NTP traffic... and
> thus I'm seeking a quick answer.
>
>
> P.S.  I am apparently being flooded with incoming NTP (udp/123) packets
> from *at least* the following 24 IPs:
>
> 2.96.19.163 host-2-96-19-163.as13285.net
> 5.199.142.210 z210.zebra.fastwebserver.de
> 31.7.58.36 client.customer-aa.net
> 37.187.132.225 ns402612.ip-37-187-132.eu
> 37.187.133.51 ns317118.ip-37-187-133.eu
> 37.221.160.125 ixam-hosting.com
> 65.32.59.85 653259hfc85.tampabay.res.rr.com
> 68.192.120.151 ool-44c07897.dyn.optonline.net
> 69.65.43.36 ip-69.65.43.36.servernap.net
> 81.111.94.88 cpc6-bsfd8-2-0-cust599.5-3.cable.virginm.net
> 82.11.90.88 cpc23-acto2-2-0-cust599.4-2.cable.virginm.net
> 85.159.237.27
> 86.198.53.109 AAubervilliers-652-1-234-109.w86-198.abo.wanadoo.fr
> 92.106.200.52 52-200.106-92.cust.bluewin.ch
> 99.238.42.125 CPE78cd8e6ea140-CM78cd8e6ea13d.cpe.net.cable.rogers.com
> 121.73.107.79 121-73-107-79.cable.telstraclear.net
> 151.228.44.248 97e42cf8.skybroadband.com
> 174.54.78.149 c-174-54-78-149.hsd1.pa.comcast.net
> 176.100.32.106 web01.intercolo.net
> 179.181.181.76 179.181.181.76.dynamic.adsl.gvt.net.br
> 187.85.246.135 187-85-246-135.user.superitelecom.com.br
> 198.24.164.162 node108.mcprohosting.com
> 209.141.38.104
> 212.38.163.85 maid18.multiplay.co.uk
>
>
> To be clear, I *do not* think that I am being targeted, or that anyone
> is intentionally DDoSing me.  Rather, I suspect that I'm just being
> used as a reflector or something, and that the real intended target
> is elsewhere.
>
> But I *REALLY* don't want to be a reflector, and wouldn't want to be one,
> even if 100% of my own minuscule outbound bandwidth wasn't being sucked up.
>
> P.P.S.  Who are these guys (who are actually initiating all this stuff)
> anyway, and how the bleep did I manage to get on their list?
>
> Should I just assume that they have their robots out, 24/7, searching
> for anything and everything that will send NTP response packets?  I
> guess that's it, yes?
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
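The `disable monitor` directive Michael recommends above, shown in context with the `restrict` lines that also block status queries, as an added example that is not part of the original thread. The script writes a hardened ntp.conf fragment and includes a check that greps a config file for the two settings that stop monlist reflection; the 192.0.2.0/24 LAN, the pool server name and the `check_ntp_conf` helper are assumptions for illustration.

```shell
# Added example, not from the original thread: a hardened ntp.conf
# fragment plus a check function. Written to a temp file so it runs
# stand-alone; the 192.0.2.0/24 LAN is a placeholder (RFC 5737 range).

hardened_ntp_conf() {
  cat <<'EOF'
# Stop answering "monlist" (mode 7 monitor) requests, the query
# abused for NTP reflection/amplification.
disable monitor

# Default policy for everyone: serve time, but allow no status
# queries (ntpq/ntpdc), no configuration changes, no traps and no
# peering. kod sends kiss-o'-death packets to abusive clients.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# The local host may query status freely.
restrict 127.0.0.1
restrict -6 ::1

# LAN hosts may query status but not reconfigure the daemon.
# 192.0.2.0/24 is a placeholder network.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap

# Upstream servers. Their replies still arrive because ntpd initiated
# the exchange; "restrict default" does not block them.
server 0.freebsd.pool.ntp.org iburst
EOF
}

# Returns 0 if the given ntp.conf contains both "disable monitor" and a
# default restrict line carrying noquery; prints what is missing otherwise.
check_ntp_conf() {
  conf="$1"
  ok=0
  if ! grep -Eq '^[[:space:]]*disable[[:space:]]+monitor' "$conf"; then
    echo "missing: disable monitor"
    ok=1
  fi
  if ! grep -Eq '^[[:space:]]*restrict[[:space:]]+(-4[[:space:]]+|-6[[:space:]]+)?default[[:space:]].*noquery' "$conf"; then
    echo "missing: restrict default ... noquery"
    ok=1
  fi
  return $ok
}

# Usage: write the fragment and audit it (exit status 0 means hardened).
tmp=$(mktemp)
hardened_ntp_conf > "$tmp"
check_ntp_conf "$tmp" && echo "ntp.conf is hardened against reflection"
rm -f "$tmp"
```

After editing the real /etc/ntp.conf, restart ntpd and confirm from another host that `ntpdc -n -c monlist <server>` times out instead of returning a client list, while `ntpdate -q <server>` still gets a time reply.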

