Semi-urgent: Disable NTP replies?

Matthew Seaman matthew at FreeBSD.org
Wed Feb 19 00:38:12 UTC 2014


On 18/02/2014 22:53, Ronald F. Guilmette wrote:
> So, um, I've had to put in a new stopgap ipfw rule, just to stop these
> bloody &^%$#@ NTP reply packets from leaving my server, but what is
> that Right Way to solve this problem?  I'm guessing that there's
> something I need to add to my /etc/ntp.conf file in order to tell
> my local ntpd to simply not accept incoming _query_ packets unless
> they are coming from my own LAN, yes?  But obviously, I still need it
> to accept incoming ntp _reply_ packets or else my machine will never
> know the correct time.
> 
> Sorry.  The answer I'm looking for is undoubtedly listed in an FAQ
> someplace, but I am very much on edge right at the moment... because
> I was basically being DDoS'd by all of this stupid NTP traffic... and
> thus I'm seeking a quick answer.

Yep.  This is the latest scumbag trick: sending spoofed packets to ntpd
and using it as an amplifier to do a DDoS against some victim.

What you need to do is described here:

    http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc

but in summary your actions should be one or more of:

    * upgrade to a version of ntpd that does not respond to 'monlist'
      queries.  Any -RELEASE or -STABLE version post the publication of
      that advisory should do the trick, or you can use ntpd-devel from
      ports.

    * Firewall off your ntpd instances from accessibility from the
      internet.

    * Modify your /etc/ntp.conf to disallow most foreign connectivity to
      your ntpd instances.

The config changes required for that last are something along the
following lines, to be added to /etc/ntp.conf:

restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0

If you can swing it,

restrict -4 default ignore
restrict -6 default ignore

would be even better, but you will also need to add lines permitting
appropriate traffic to and from timeservers on the network by the
servers' IP number.  This does mean you can't use the ntp.org time
server pools without significant faffing around, as the ntp.org
timeservers are pooled and you tend to get a different IP

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
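As an added worked example (not part of the thread or of the FreeBSD project's own code), here is a small audit script a defender can run over an ntp.conf to tell which of the two hardening states above a host is in: the "noquery" default, the stricter "ignore" default, or neither. It parses the `restrict` directives the way ntpd reads them (optional -4/-6 family flag, target, optional `mask`, then flags) and also builds the "ignore" variant with explicit per-server permit lines, which is the extra work the message refers to. The sample configs are constructed, and 192.0.2.10 is a placeholder address, not a real timeserver.

```python
"""Audit ntp.conf 'restrict' lines for NTP amplification exposure.

A default scope carrying 'noquery' refuses mode-6/mode-7 control
queries (including 'monlist') from anyone not listed explicitly;
'ignore' drops all packets from that scope, including time requests.
"""

# Constructed sample: only server lines, no restrict at all (exposed).
WEAK_CONF = """
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
"""

# Constructed sample: the first set of lines suggested in the message.
NOQUERY_CONF = """
server 0.freebsd.pool.ntp.org iburst
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0   # local clock driver, harmless
"""

# Constructed sample: a stock-style line without a family flag.
STOCK_CONF = "restrict default kod nomodify notrap nopeer noquery\n"


def parse_restrict(conf_text):
    """Return a list of (family, target, flags) for each restrict line.

    family is '4', '6', or 'both' when no -4/-6 flag was given.
    Comments (from '#' to end of line) and blank lines are ignored.
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("restrict"):
            continue
        tokens = line.split()[1:]
        family = "both"
        if tokens and tokens[0] in ("-4", "-6"):
            family = tokens.pop(0)[1]
        if not tokens:
            continue
        target = tokens.pop(0)
        flags = set()
        i = 0
        while i < len(tokens):
            if tokens[i] == "mask":
                i += 2          # skip the mask keyword and its value
                continue
            flags.add(tokens[i])
            i += 1
        entries.append((family, target, flags))
    return entries


def audit(conf_text):
    """Return {'4': verdict, '6': verdict} for the default scope.

    verdict is 'ignore', 'noquery', or 'open' (no protective flag).
    A later restrict line for the same scope overrides an earlier one.
    """
    defaults = {"4": None, "6": None}
    for family, target, flags in parse_restrict(conf_text):
        if target != "default":
            continue
        for fam in (["4", "6"] if family == "both" else [family]):
            defaults[fam] = flags
    verdicts = {}
    for fam, flags in defaults.items():
        if flags is None:
            verdicts[fam] = "open"
        elif "ignore" in flags:
            verdicts[fam] = "ignore"
        elif "noquery" in flags:
            verdicts[fam] = "noquery"
        else:
            verdicts[fam] = "open"
    return verdicts


def build_ignore_config(server_ips):
    """Build the stricter 'ignore' variant: drop everything by default,
    then permit only the named timeservers (by IP, so pools won't work)
    for time exchange while still refusing queries from them."""
    lines = [
        "restrict -4 default ignore",
        "restrict -6 default ignore",
        "restrict 127.0.0.1",
        "restrict -6 ::1",
    ]
    for ip in server_ips:
        lines.append("server %s iburst" % ip)
        lines.append("restrict %s nomodify notrap nopeer noquery" % ip)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("noquery", NOQUERY_CONF),
                       ("ignore", build_ignore_config(["192.0.2.10"]))):
        print(name, audit(conf))
```

Run it against a real file with `audit(open("/etc/ntp.conf").read())`; anything reporting `open` for either family is still usable as an amplifier until the version upgrade or firewall rule from the advisory is in place.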

