Date: Tue, 18 Feb 2014 14:53:20 -0800
From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
To: freebsd-questions@freebsd.org
Subject: Semi-urgent: Disable NTP replies?
Message-ID: <2505.1392764000@server1.tristatelogic.com>
I didn't realize it until today, but the games people are out there playing nowadays with respect to NTP are now DRASTICALLY affecting me, so much so that essentially 100% of my outbound bandwidth was being used up just in sending out NTP reply packets... something that I had never even intended to do in the first place!

So, um, I've had to put in a new stopgap ipfw rule, just to stop these bloody &^%$#@ NTP reply packets from leaving my server, but what is the Right Way to solve this problem?

I'm guessing that there's something I need to add to my /etc/ntp.conf file in order to tell my local ntpd to simply not accept incoming _query_ packets unless they are coming from my own LAN, yes? But obviously, I still need it to accept incoming ntp _reply_ packets or else my machine will never know the correct time.

Sorry. The answer I'm looking for is undoubtedly listed in an FAQ someplace, but I am very much on edge right at the moment... because I was basically being DDoS'd by all of this stupid NTP traffic... and thus I'm seeking a quick answer.

P.S.
I am apparently being flooded with incoming NTP (udp/123) packets from *at least* the following 24 IPs:

To be clear, I *do not* think that I am being targeted, or that anyone is intentionally DDoSing me. Rather, I suspect that I'm just being used as a reflector or something, and that the real intended target is elsewhere. But I *REALLY* don't want to be a reflector, and wouldn't want to be one, even if 100% of my own minuscule outbound bandwidth wasn't being sucked up.

P.P.S. Who are these guys (who are actually initiating all this stuff) anyway, and how the bleep did I manage to get on their list? Should I just assume that they have their robots out, 24/7, searching for anything and everything that will send NTP response packets? I guess that's it, yes?
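An added example of the /etc/ntp.conf restrictions the message above is asking for; it is not part of the thread or of any reply to it. It refuses ntpq/ntpdc-style queries (the amplification vector) from everyone except loopback and the LAN, while replies from the configured upstream servers are still accepted, so the host keeps its time. The LAN prefix 192.168.1.0/24 and the server names are assumptions; substitute your own.

```conf
# /etc/ntp.conf -- reflector-proof client/server setup (assumed LAN: 192.168.1.0/24)

# Upstream time sources (assumed; any reachable servers will do).
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst

# Default policy for every address not matched by a more specific line:
#   kod      - answer abusive clients with a Kiss-o'-Death packet
#   nomodify - refuse runtime configuration changes
#   notrap   - refuse trap (remote event logging) requests
#   nopeer   - refuse to form an association with unknown peers
#   noquery  - refuse ntpq/ntpdc queries (this is what stops monlist reflection)
# Ordinary mode-3 time requests are still answered, 1:1, with no amplification.
# Replies from the servers above are still accepted because nothing here says
# "ignore" or "noserve". If you add either of those to the default line, you
# must also add a per-server "restrict <server> ..." exception for each upstream
# source, or their replies are dropped and the clock never syncs.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Loopback: unrestricted, so local ntpq/ntpdc keep working.
restrict 127.0.0.1
restrict -6 ::1

# The LAN may query status but not modify or trap.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Belt and braces for older ntpd releases (before 4.2.7p26), where the
# monitor list behind "monlist" is kept even when noquery is set.
disable monitor
```

After editing, restart ntpd and confirm from a host outside the LAN that `ntpq -p <your-server>` times out while `ntpq -p` on the server itself still shows the upstream peers; the stopgap ipfw rule can then be retired.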