Semi-urgent: Disable NTP replies?
noc at hdk5.net
Thu Feb 20 22:46:59 UTC 2014
Matthew Seaman wrote:
> On 18/02/2014 22:53, Ronald F. Guilmette wrote:
>> So, um, I've had to put in a new stopgap ipfw rule, just to stop these
>> bloody &^%$#@ NTP reply packets from leaving my server, but what is
>> that Right Way to solve this problem? I'm guessing that there's
>> something I need to add to my /etc/ntp.conf file in order to tell
>> my local ntpd to simply not accept incoming _query_ packets unlees
>> they are coming from my own LAN, yes? But obviously, I still need it
>> to accept incoming ntp _reply_ packets or else my machine will never
>> know the correct time.
>> Sorry. The answer I'm looking for is undoubtedly listed in an FAQ
>> someplace, but I am very much on edge right at the moment... because
>> I was basiaclly being DDoS'd by all of this stupid NTP traffic... and
>> thus I'm seeking a quick answer.
> Yep. This is the latest scumbag trick: sending spoofed packets to ntpd
> and using it as an amplifier to do a DDoS against some victim.
> What you need to do is described here:
> but in summary your actions should be one or more of:
> * upgrade to a version of ntpd that does not respond to 'monlist'
> queries. Any -RELEASE or -STABLE version post the publication of
> that advisory should do the trick, or you can use ntpd-devel from
> * Firewall off your ntpd instances from accessibility from the
> * Modify your /etc/ntp.conf to disallow most foreign connectivity to
> your ntpd instances.
> The config changes required for that last are something along the
> following lines, to be added to /etc/ntp.conf:
> restrict -4 default nomodify nopeer noquery notrap
> restrict -6 default nomodify nopeer noquery notrap
> restrict 127.0.0.1
> restrict -6 ::1
> restrict 127.127.1.0
> If you can swing it,
> restrict -4 default ignore
> restrict -6 default ignore
> would be even better, but you will also need to add lines permitting
> appropriate traffic to and from timeservers on the network by the
> servers' IP number. This does mean you can't use the ntp.org time
> server pools without significant faffing around, as the ntp.org
> timeservers are pooled ang you tend to get a different IP
Thanks to Matthew, Poly and all who posted the fixes for the NTP attack
I had one old mail server that seemed to attract the attack and the fix
I switched from the pool 1. 2. 3. ntp servers to a military one, and a
local university of Hawaii one. I have used them for a while already on
several of my desk tops as a check boot time.Both are clean.
~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
+ http://hawaiidakine.com + http://freebsdinfo.org +
+ http://aloha50.net - Supporting - FreeBSD 7.2 - 8.0 - 9* +
< email: noc at hdk5.net >
"All that's really worth doing is what we do for others."- Lewis Carrol
More information about the freebsd-questions