Date: Tue, 18 Feb 2014 15:18:03 -0800
From: Michael Sierchio <kudzu@tenebras.com>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Semi-urgent: Disable NTP replies?
Message-ID: <CAHu1Y71jpZEwUHE=TOmLt3BpHcJEmCC=egPmWBGYUBcSe65zHw@mail.gmail.com>
In-Reply-To: <2505.1392764000@server1.tristatelogic.com>
References: <2505.1392764000@server1.tristatelogic.com>
If you want to prevent your ntp process from being used in DDOS reflection
attacks, just put this directive in the ntp.conf file:

disable monitor

You don't necessarily have to restrict access for normal queries (unless
you want to).

google: +ntp +reflection +ddos


On Tue, Feb 18, 2014 at 2:53 PM, Ronald F. Guilmette <rfg@tristatelogic.com> wrote:

>
> I didn't realize it until today, but the games people are out there
> playing nowadays with respect to NTP are now DRASTICALLY affecting me,
> so much so that essentially 100% of my outbound bandwidth was being
> used up just in sending out NTP reply packets... something that I
> had never even intended to do in the first place!
>
> So, um, I've had to put in a new stopgap ipfw rule, just to stop these
> bloody &^%$#@ NTP reply packets from leaving my server, but what is
> the Right Way to solve this problem? I'm guessing that there's
> something I need to add to my /etc/ntp.conf file in order to tell
> my local ntpd to simply not accept incoming _query_ packets unless
> they are coming from my own LAN, yes? But obviously, I still need it
> to accept incoming ntp _reply_ packets or else my machine will never
> know the correct time.
>
> Sorry. The answer I'm looking for is undoubtedly listed in an FAQ
> someplace, but I am very much on edge right at the moment... because
> I was basically being DDoS'd by all of this stupid NTP traffic... and
> thus I'm seeking a quick answer.
>
>
> P.S. I am apparently being flooded with incoming NTP (udp/123) packets
> from *at least* the following 24 IPs:
>
>
> To be clear, I *do not* think that I am being targeted, or that anyone
> is intentionally DDoSing me. Rather, I suspect that I'm just being
> used as a reflector or something, and that the real intended target
> is elsewhere.
>
> But I *REALLY* don't want to be a reflector, and wouldn't want to be one,
> even if 100% of my own minuscule outbound bandwidth wasn't being sucked up.
>
> P.P.S. Who are these guys (who are actually initiating all this stuff)
> anyway, and how the bleep did I manage to get on their list?
>
> Should I just assume that they have their robots out, 24/7, searching
> for anything and everything that will send NTP response packets? I
> guess that's it, yes?
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
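A small audit of an ntp.conf for the `disable monitor` directive named in the reply, added here as an example and not part of the original message. The sample configs, the 192.0.2.0/24 LAN range and the function name `audit_ntp_conf` are constructed; the `limited` check follows the ntp.conf documentation, which says monitoring stays active while any restrict entry carries that flag.

```python
# Constructed sample configs (not from the original thread).
WEAK_CONF = """\
server 0.freebsd.pool.ntp.org iburst
restrict 127.0.0.1
"""
HARDENED_CONF = """\
server 0.freebsd.pool.ntp.org iburst
disable monitor        # the directive given in the reply
restrict default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap  # assumed LAN
"""

def audit_ntp_conf(text):
    """Return a list of findings for an ntp.conf passed as a string."""
    monitor_disabled = False
    limited_used = False
    defaults = []          # flag sets of every 'restrict default' line
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments
        if not words:
            continue
        if words[0] == "disable" and "monitor" in words[1:]:
            monitor_disabled = True
        elif words[0] == "enable" and "monitor" in words[1:]:
            monitor_disabled = False           # a later line wins
        elif words[0] == "restrict":
            args = [w for w in words[1:] if w not in ("-4", "-6")]
            if "limited" in args[1:]:
                limited_used = True
            if args and args[0] == "default":
                defaults.append(set(args[1:]))
    findings = []
    if not monitor_disabled:
        findings.append("monitoring is on: add 'disable monitor'")
    if limited_used:
        # Per the ntp.conf documentation, 'limited' needs the client
        # history, so monitoring runs despite 'disable monitor'.
        findings.append("'limited' on a restrict line keeps monitoring active")
    if not defaults or any(not ({"noquery", "ignore"} & d) for d in defaults):
        # Optional per the reply: limits ntpq/ntpdc queries, not time service.
        findings.append("optional: no 'restrict default ... noquery'")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf))
```
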