From owner-freebsd-questions@FreeBSD.ORG Tue Feb 18 23:12:37 2014
From: Darren Pilgrim
To: "Ronald F. Guilmette", freebsd-questions@freebsd.org
Subject: Re: Semi-urgent: Disable NTP replies?
Date: Tue, 18 Feb 2014 15:12:37 -0800
Message-ID: <5303E8E5.5070508@bluerosetech.com>
In-Reply-To: <2505.1392764000@server1.tristatelogic.com>
References: <2505.1392764000@server1.tristatelogic.com>
List-Id: User questions

On 2/18/2014 2:53 PM, Ronald F. Guilmette wrote:
> I didn't realize it until today, but the games people are out there
> playing nowadays with respect to NTP are now DRASTICALLY affecting me,
> so much so that essentially 100% of my outbound bandwidth was being
> used up just in sending out NTP reply packets... something that I
> had never even intended to do in the first place!

Add:

  restrict default kod nomodify nopeer noquery notrap
  restrict -6 default kod nomodify nopeer noquery notrap
  restrict 127.0.0.1 mask 255.0.0.0
  restrict -6 ::1

to your /etc/ntp.conf. You should also use ipfw/pf to block unsolicited udp/123 inbound.

If you're serving NTP (i.e., to a LAN), add lines like:

  restrict 192.0.2.0 mask 255.255.255.0 nomodify nopeer noquery notrap
  restrict -6 2001:db8:: mask ffff:ffff:ffff:ffff:: nomodify nopeer noquery notrap

after the ones above, where 192.0.2.0/24 and 2001:db8::/64 are replaced with your actual subnets.

The noquery keyword is critical--it disables the monlist commands (the NTP feature used for the current version of NTP-based DDoS attacks). The kod keyword tells clients not to try again, so obviously you want to not have that for your served subnets.
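The restrict lines above are easy to get subtly wrong (noquery missing from one of the two default lines, or kod left on a served subnet). The following audit script is an added example, not part of Darren's mail or of the ntpd project: it checks an ntp.conf for exactly the properties the mail describes. The function names (ntp_restrict_ok, ntp_served_kod) and the three sample configurations written to temporary files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an ntp.conf for the restrict settings recommended
# in the mail above. Sample configs below are constructed, not real hosts.

# ntp_restrict_ok FILE
# Returns 0 when both "restrict default" and "restrict -6 default" lines
# carry noquery (the keyword that disables monlist), 1 otherwise.
ntp_restrict_ok() {
    conf="$1"
    for fam in "" "-6[[:space:]]+"; do
        # drop comments, pick the default line for this address family,
        # then require the noquery keyword on it
        if ! sed 's/#.*//' "$conf" \
             | grep -E "^[[:space:]]*restrict[[:space:]]+${fam}"'default([[:space:]]|$)' \
             | grep -qw noquery; then
            return 1
        fi
    done
    return 0
}

# ntp_served_kod FILE
# Returns 0 when any non-default restrict line (i.e. a served subnet or
# localhost) still carries kod, which the mail says you do not want there.
ntp_served_kod() {
    sed 's/#.*//' "$1" \
      | grep -E '^[[:space:]]*restrict[[:space:]]' \
      | grep -Ev '[[:space:]]default([[:space:]]|$)' \
      | grep -qw kod
}

# Constructed samples (hypothetical files, created in a temp dir).
weak=$(mktemp); hardened=$(mktemp); served_kod=$(mktemp)
trap 'rm -f "$weak" "$hardened" "$served_kod"' EXIT

cat > "$weak" <<'EOF'
# constructed: noquery missing, so monlist answers anyone
restrict default kod nomodify nopeer notrap
restrict -6 default kod nomodify nopeer notrap
restrict 127.0.0.1 mask 255.0.0.0
restrict -6 ::1
EOF

cat > "$hardened" <<'EOF'
# constructed: the lines from the mail, plus one served subnet
restrict default kod nomodify nopeer noquery notrap
restrict -6 default kod nomodify nopeer noquery notrap
restrict 127.0.0.1 mask 255.0.0.0
restrict -6 ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify nopeer noquery notrap
EOF

cat > "$served_kod" <<'EOF'
# constructed: defaults are fine, but kod leaked onto the served subnet
restrict default kod nomodify nopeer noquery notrap
restrict -6 default kod nomodify nopeer noquery notrap
restrict 192.0.2.0 mask 255.255.255.0 kod nomodify nopeer noquery notrap
EOF

# Report each sample the way a quick audit would.
for f in "$weak" "$hardened" "$served_kod"; do
    if ntp_restrict_ok "$f"; then r="defaults ok"; else r="OPEN TO MONLIST"; fi
    if ntp_served_kod "$f"; then k=" (kod on a served subnet)"; else k=""; fi
    echo "$f: $r$k"
done
```

To audit a live system, call ntp_restrict_ok /etc/ntp.conf and ntp_served_kod /etc/ntp.conf instead of the temp files; the checks look only at restrict lines, so the ipfw/pf rule for inbound udp/123 that the mail also recommends still has to be verified separately.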