Semi-urgent: Disable NTP replies?

Waitman Gobble gobble.wa at gmail.com
Wed Feb 19 03:03:29 UTC 2014 

On Tue, Feb 18, 2014 at 4:47 PM, Polytropon <freebsd at edvax.de> wrote:

> On Wed, 19 Feb 2014 00:37:18 +0000, Matthew Seaman wrote:
> > On 18/02/2014 22:53, Ronald F. Guilmette wrote:
> > > So, um, I've had to put in a new stopgap ipfw rule, just to stop these
> > > bloody &^%$#@ NTP reply packets from leaving my server, but what is
> > > that Right Way to solve this problem?  I'm guessing that there's
> > > something I need to add to my /etc/ntp.conf file in order to tell
> > > my local ntpd to simply not accept incoming _query_ packets unlees
> > > they are coming from my own LAN, yes?  But obviously, I still need it
> > > to accept incoming ntp _reply_ packets or else my machine will never
> > > know the correct time.
> > >
> > > Sorry.  The answer I'm looking for is undoubtedly listed in an FAQ
> > > someplace, but I am very much on edge right at the moment... because
> > > I was basiaclly being DDoS'd by all of this stupid NTP traffic... and
> > > thus I'm seeking a quick answer.
> >
> > Yep.  This is the latest scumbag trick: sending spoofed packets to ntpd
> > and using it as an amplifier to do a DDoS against some victim.
>
> For those interested in learning more about how this attack
> is being used by scumbags, here are a two links to read:
>
>
> http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
>
>
> http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/
>
> In this case, CloudFlare has been declared the victim.
>
>
> --
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"
>


Hi,


The  ntpd in src is Ver. 4.2.4p8, it "seems" to ignore some command line
options and config file options. for example "-I" .. browsing through the
code it looks like this was not completely implemented, there's ground work
there though (please correct me if i'm wrong).

for example: using ntpd from src:

  Flg Arg Option-Name    Description
   -4 no  ipv4           Force IPv4 DNS name resolution
   -6 no  ipv6           Force IPv6 DNS name resolution
- an alternate for ipv4

> ntpd -4
> sockstat | grep ntpd
root     ntpd       55617 3  dgram  -> /var/run/logpriv
root     ntpd       55617 20 udp4   *:123                 *:*
root     ntpd       55617 21 udp6   *:123                 *:*
root     ntpd       55617 22 udp6   ::1:123               *:*
root     ntpd       55617 23 udp6   fe80:2::1:123         *:*
root     ntpd       55617 24 udp4   127.0.0.1:123         *:*
root     ntpd       55617 25 udp4   192.168.0.153:123     *:*


hmmm, it looks like it ignores that flag?


if you go fetch a more modern version, it seems to be working

> ./ntpd --version
ntpd 4.2.7p422 at 1.2483-o Wed Feb 19 02:43:44 UTC 2014 (5)

> ./ntpd -4

> sockstat | grep ntpd
root     ntpd       55631 3  dgram  -> /var/run/logpriv
root     ntpd       55631 20 udp4   127.0.0.1:123         *:*
root     ntpd       55631 21 udp4   192.168.0.153:123     *:*
root     ntpd       55631 23 stream -> ??
root     ntpd       55631 24 stream -> ??


however i cannot seem to get --interface or -I to function?

> ./ntpd -I lo -4
> sockstat | grep ntpd
root     ntpd       55996 3  dgram  -> /var/run/logpriv
root     ntpd       55996 20 udp4   *:123                 *:*
root     ntpd       55996 21 udp4   127.0.0.1:123         *:*
root     ntpd       55996 23 stream -> ??
root     ntpd       55996 24 stream -> ??

> ./ntpd -I 127.0.0.1 -4
> sockstat | grep ntpd
root     ntpd       56032 3  dgram  -> /var/run/logpriv
root     ntpd       56032 20 udp4   *:123                 *:*
root     ntpd       56032 21 udp4   127.0.0.1:123         *:*
root     ntpd       56032 23 stream -> ??
root     ntpd       56032 24 stream -> ??



Hey, one quick hack i found is to kill the 'wildcard' address, in
ntpd/ntp_io.c

        /*
         * create pseudo-interface with wildcard IPv4 address
         */
        v4wild = ipv4_works;
        v4wild = NULL; /* kill the wildcard */

then rebuild.

if we omit the -I interface it listens to every freakin' thing (well -4
works)
> ./ntpd -4
> sockstat | grep ntpd
root     ntpd       55672 3  dgram  -> /var/run/logpriv
root     ntpd       55672 20 udp4   127.0.0.1:123         *:*
root     ntpd       55672 21 udp4   192.168.0.153:123     *:*
root     ntpd       55672 23 stream -> ??
root     ntpd       55672 24 stream -> ??

but with -I lo now it's just listening on lo.

> ./ntpd -I lo -4
[1161] > sockstat | grep ntpd
root     ntpd       55666 3  dgram  -> /var/run/logpriv
root     ntpd       55666 20 udp4   127.0.0.1:123         *:*
root     ntpd       55666 22 stream -> ??
root     ntpd       55666 23 stream -> ??

now it's kind-of only listening on ipv4 loooopback


i'm using
FreeBSD akira.waitman.net 11.0-CURRENT FreeBSD 11.0-CURRENT #1 r261643: Sat
Feb  8 22:11:05 PST 2014     root at akira.waitman.net:/usr/obj/usr/src/sys/AKIRA
 amd64

BUT:

a) the firewall approach is probably smarter
b) maybe a sealed ntpd isn't necessary anyway, why bother with a daemon?
other solutions avail. like ntpdate? what do you think?



-- 
Waitman Gobble
San Jose California USA
510-830-7975

More information about the freebsd-questions mailing list