Date: Tue, 18 Feb 2014 15:12:37 -0800
From: Darren Pilgrim <darren@bluerosetech.com>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>, freebsd-questions@freebsd.org
Subject: Re: Semi-urgent: Disable NTP replies?
Message-ID: <5303E8E5.5070508@bluerosetech.com>
In-Reply-To: <2505.1392764000@server1.tristatelogic.com>
References: <2505.1392764000@server1.tristatelogic.com>
On 2/18/2014 2:53 PM, Ronald F. Guilmette wrote:
>
> I didn't realize it until today, but the games people are out there
> playing nowadays with respect to NTP are now DRASTICALLY affecting me,
> so much so that essentially 100% of my outbound bandwidth was being
> used up just in sending out NTP reply packets... something that I
> had never even intended to do in the first place!

Add:

restrict default kod nomodify nopeer noquery notrap
restrict -6 default kod nomodify nopeer noquery notrap
restrict 127.0.0.1 mask 255.0.0.0
restrict -6 ::1

to your /etc/ntp.conf. You should also use ipfw/pf to block unsolicited udp/123 inbound.

If you're serving NTP (i.e., to a LAN), add lines like:

restrict 192.0.2.0 mask 255.255.255.0 nomodify nopeer noquery notrap
restrict -6 2001:db8:: mask ffff:ffff:ffff:ffff:: nomodify nopeer noquery notrap

after the ones above, where 192.0.2.0/24 and 2001:db8::/64 are replaced with your actual subnets.

The noquery keyword is critical--it disables the monlist commands (the NTP feature used for the current version of NTP-based DDoS attacks). The kod keyword tells clients not to try again, so obviously you want to not have that for your served subnets.
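The following is an added example, not part of the message above or of ntpd itself: a small Python audit that parses the `restrict` lines of an ntp.conf in the ntpd 4.x syntax shown in the mail and reports exactly the two mistakes the reply warns about (a default entry without `noquery`, which leaves monlist answerable, and a served subnet that still carries `kod`). The two sample configurations embedded at the bottom are constructed for the demonstration; one is the hardened set of lines from the mail, the other a weakened variant.

```python
"""Audit the `restrict` lines of an ntp.conf for the points raised in the mail.

Added example (not part of the original message or of ntpd): it parses the
ntpd 4.x `restrict` syntax shown above and reports
  - a missing `restrict default` line, or one lacking any of
    kod/nomodify/nopeer/noquery/notrap (noquery is what stops monlist);
  - served-subnet lines that carry `kod` or lack the four served flags.
The two sample configurations at the bottom are constructed for the demo.
"""
import ipaddress

DEFAULT_FLAGS = frozenset({"kod", "nomodify", "nopeer", "noquery", "notrap"})
SERVED_FLAGS = frozenset({"nomodify", "nopeer", "noquery", "notrap"})
LOOPBACK = {"127.0.0.1", "::1"}


def prefix_len(mask):
    """Turn a dotted/colon netmask into a prefix length; None if non-contiguous."""
    addr = ipaddress.ip_address(mask)
    bits, value = addr.max_prefixlen, int(addr)
    ones = bin(value).count("1")
    contiguous = value == ((1 << bits) - 1) ^ ((1 << (bits - ones)) - 1)
    return ones if contiguous else None


def parse_restrict(text):
    """Return [(address, mask, flags)] for every `restrict` directive."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        if tokens[0] in ("-4", "-6"):           # address-family selector
            tokens = tokens[1:]
        if not tokens:
            continue
        address, tokens = tokens[0], tokens[1:]
        mask = None
        if len(tokens) >= 2 and tokens[0] == "mask":
            mask, tokens = tokens[1], tokens[2:]
        entries.append((address, mask, frozenset(tokens)))
    return entries


def audit(text):
    """Return a list of findings (strings); an empty list means the file is OK."""
    findings = []
    saw_default = False
    for address, mask, flags in parse_restrict(text):
        if address == "default":
            saw_default = True
            missing = DEFAULT_FLAGS - flags
            if missing:
                findings.append(f"default: missing {' '.join(sorted(missing))}")
            continue
        if address in LOOPBACK:
            continue                            # localhost is meant to be unrestricted
        if mask is None:
            continue                            # single host (e.g. an upstream server)
        plen = prefix_len(mask)
        where = f"{address}/{plen if plen is not None else mask}"
        if plen is None:
            findings.append(f"{where}: non-contiguous mask")
        missing = SERVED_FLAGS - flags
        if missing:
            findings.append(f"{where}: missing {' '.join(sorted(missing))}")
        if "kod" in flags:
            findings.append(f"{where}: kod set on a served subnet")
    if not saw_default:
        findings.append("no `restrict default` line; every source is unrestricted")
    return findings


# Constructed samples: the configuration from the mail, and a weakened one.
HARDENED = """\
restrict default kod nomodify nopeer noquery notrap
restrict -6 default kod nomodify nopeer noquery notrap
restrict 127.0.0.1 mask 255.0.0.0
restrict -6 ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify nopeer noquery notrap
restrict -6 2001:db8:: mask ffff:ffff:ffff:ffff:: nomodify nopeer noquery notrap
"""

WEAK = """\
restrict default kod nomodify nopeer notrap          # no noquery: monlist answered
restrict 192.0.2.0 mask 255.255.255.0 kod nomodify nopeer noquery notrap
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, "->", audit(cfg) or ["ok"])
```

Run it against a real file with `audit(open("/etc/ntp.conf").read())`; the firewall half of the advice (dropping unsolicited inbound udp/123 with ipfw or pf) is not something a config parser can verify, so the script only covers the ntp.conf side.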