Semi-urgent: Disable NTP replies?

Al Plant noc at hdk5.net
Thu Feb 20 22:46:59 UTC 2014


Matthew Seaman wrote:
> On 18/02/2014 22:53, Ronald F. Guilmette wrote:
>> So, um, I've had to put in a new stopgap ipfw rule, just to stop these
>> bloody &^%$#@ NTP reply packets from leaving my server, but what is
>> that Right Way to solve this problem?  I'm guessing that there's
>> something I need to add to my /etc/ntp.conf file in order to tell
>> my local ntpd to simply not accept incoming _query_ packets unless
>> they are coming from my own LAN, yes?  But obviously, I still need it
>> to accept incoming ntp _reply_ packets or else my machine will never
>> know the correct time.
>>
>> Sorry.  The answer I'm looking for is undoubtedly listed in an FAQ
>> someplace, but I am very much on edge right at the moment... because
>> I was basically being DDoS'd by all of this stupid NTP traffic... and
>> thus I'm seeking a quick answer.
> 
> Yep.  This is the latest scumbag trick: sending spoofed packets to ntpd
> and using it as an amplifier to do a DDoS against some victim.
> 
> What you need to do is described here:
> 
>     http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc
> 
> but in summary your actions should be one or more of:
> 
>     * upgrade to a version of ntpd that does not respond to 'monlist'
>       queries.  Any -RELEASE or -STABLE version post the publication of
>       that advisory should do the trick, or you can use ntpd-devel from
>       ports.
> 
>     * Firewall off your ntpd instances from accessibility from the
>       internet.
> 
>     * Modify your /etc/ntp.conf to disallow most foreign connectivity to
>       your ntpd instances.
> 
> The config changes required for that last are something along the
> following lines, to be added to /etc/ntp.conf:
> 
> restrict -4 default nomodify nopeer noquery notrap
> restrict -6 default nomodify nopeer noquery notrap
> restrict 127.0.0.1
> restrict -6 ::1
> restrict 127.127.1.0
> 
> If you can swing it,
> 
> restrict -4 default ignore
> restrict -6 default ignore
> 
> would be even better, but you will also need to add lines permitting
> appropriate traffic to and from timeservers on the network by the
> servers' IP number.  This does mean you can't use the ntp.org time
> server pools without significant faffing around, as the ntp.org
> timeservers are pooled and you tend to get a different IP
> 
> 	Cheers,
> 
> 	Matthew
> 
##################


Thanks to Matthew, Poly and all who posted the fixes for the NTP attack 
issue.

I had one old mail server that seemed to attract the attack and the fix 
worked.

I switched from the pool 1. 2. 3. ntp servers to a military one, and a 
local University of Hawaii one. I have used them for a while already on 
several of my desktops as a check at boot time. Both are clean.

Again Thanks,


~Al Plant - Honolulu, Hawaii -  Phone:  808-284-2740
   + http://hawaiidakine.com + http://freebsdinfo.org +
   + http://aloha50.net   - Supporting - FreeBSD  7.2 - 8.0 - 9* +
   < email: noc at hdk5.net >
"All that's really worth doing is what we do for others." - Lewis Carroll
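A small checker for the restrict advice quoted above, added here as an example and not part of the thread or of ntpd: it parses an ntp.conf, reports a default that still answers queries, and flags the hostname-versus-IP problem Matthew describes for `default ignore`. The sample configs and the 192.0.2.10 server address are constructed placeholders.

```python
import ipaddress

QUERY_BLOCKING = {"noquery", "ignore"}   # either flag stops mode-7 (monlist) replies
# Constructed sample configs; 192.0.2.10 is a documentation-range placeholder.
WEAK_CONF = "server 0.freebsd.pool.ntp.org\nrestrict 127.0.0.1\n"
HARDENED_CONF = """
restrict -4 default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict -6 ::1
server 192.0.2.10                                    # placeholder timeserver
restrict 192.0.2.10 nomodify nopeer noquery notrap   # let its replies in
"""

def parse_ntp_conf(text):
    """Return flag sets keyed by 'default-4'/'default-6'/address, plus source hosts (bare 'default' = both families)."""
    restricts, sources = {}, []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()          # strip comments, skip blanks
        if tokens[:1] == ["restrict"]:
            fams = [t for t in tokens[1:] if t in ("-4", "-6")]
            args = [t for t in tokens[1:] if t not in ("-4", "-6")]
            addr, flags = args[0], set(args[1:])
            keys = [addr + f for f in (fams or ["-4", "-6"])] if addr == "default" else [addr]
            restricts.update(dict.fromkeys(keys, flags))
        elif len(tokens) > 1 and tokens[0] in ("server", "peer", "pool"):
            sources.append(tokens[1])
    return restricts, sources

def audit_ntp_conf(text):
    """Return findings; an empty list means the config follows the thread's advice."""
    restricts, sources = parse_ntp_conf(text)
    findings = []
    for fam in ("-4", "-6"):
        flags = restricts.get("default" + fam)
        if flags is None:
            findings.append(f"no 'restrict {fam} default': queries answered from anywhere")
        elif not flags & QUERY_BLOCKING:
            findings.append(f"'restrict {fam} default' lacks noquery/ignore")
    ignoring = any("ignore" in restricts.get("default" + f, ()) for f in ("-4", "-6"))
    for src in sources:
        try:
            ipaddress.ip_address(src)
        except ValueError:      # hostname (pool name): cannot be allowed by IP
            if ignoring:
                findings.append(f"{src}: hostname source under 'default ignore'")
            continue
        if ignoring and src not in restricts:
            findings.append(f"{src}: no 'restrict {src}' line, its replies will be ignored")
    return findings
```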
