From owner-freebsd-questions@FreeBSD.ORG Tue Feb 18 23:18:05 2014
Delivered-To: freebsd-questions@freebsd.org
Date: Tue, 18 Feb 2014 15:18:03 -0800
Subject: Re: Semi-urgent: Disable NTP replies?
From: Michael Sierchio
To: "Ronald F. Guilmette"
Cc: FreeBSD Questions
In-Reply-To: <2505.1392764000@server1.tristatelogic.com>
References: <2505.1392764000@server1.tristatelogic.com>
Content-Type: text/plain; charset=ISO-8859-1
List-Id: User questions
X-List-Received-Date: Tue, 18 Feb 2014 23:18:05 -0000

If you want to prevent your ntp process from being used in DDOS reflection
attacks, just put this directive in the ntp.conf file:

disable monitor

You don't necessarily have to restrict access for normal queries (unless you
want to).

google: +ntp +reflection +ddos

On Tue, Feb 18, 2014 at 2:53 PM, Ronald F. Guilmette wrote:
>
> I didn't realize it until today, but the games people are out there
> playing nowadays with respect to NTP are now DRASTICALLY affecting me,
> so much so that essentially 100% of my outbound bandwidth was being
> used up just in sending out NTP reply packets... something that I
> had never even intended to do in the first place!
>
> So, um, I've had to put in a new stopgap ipfw rule, just to stop these
> bloody &^%$#@ NTP reply packets from leaving my server, but what is
> the Right Way to solve this problem? I'm guessing that there's
> something I need to add to my /etc/ntp.conf file in order to tell
> my local ntpd to simply not accept incoming _query_ packets unless
> they are coming from my own LAN, yes? But obviously, I still need it
> to accept incoming ntp _reply_ packets or else my machine will never
> know the correct time.
>
> Sorry. The answer I'm looking for is undoubtedly listed in an FAQ
> someplace, but I am very much on edge right at the moment... because
> I was basically being DDoS'd by all of this stupid NTP traffic... and
> thus I'm seeking a quick answer.
>
>
> P.S. I am apparently being flooded with incoming NTP (udp/123) packets
> from *at least* the following 24 IPs:
>
> 2.96.19.163 host-2-96-19-163.as13285.net
> 5.199.142.210 z210.zebra.fastwebserver.de
> 31.7.58.36 client.customer-aa.net
> 37.187.132.225 ns402612.ip-37-187-132.eu
> 37.187.133.51 ns317118.ip-37-187-133.eu
> 37.221.160.125 ixam-hosting.com
> 65.32.59.85 653259hfc85.tampabay.res.rr.com
> 68.192.120.151 ool-44c07897.dyn.optonline.net
> 69.65.43.36 ip-69.65.43.36.servernap.net
> 81.111.94.88 cpc6-bsfd8-2-0-cust599.5-3.cable.virginm.net
> 82.11.90.88 cpc23-acto2-2-0-cust599.4-2.cable.virginm.net
> 85.159.237.27
> 86.198.53.109 AAubervilliers-652-1-234-109.w86-198.abo.wanadoo.fr
> 92.106.200.52 52-200.106-92.cust.bluewin.ch
> 99.238.42.125 CPE78cd8e6ea140-CM78cd8e6ea13d.cpe.net.cable.rogers.com
> 121.73.107.79 121-73-107-79.cable.telstraclear.net
> 151.228.44.248 97e42cf8.skybroadband.com
> 174.54.78.149 c-174-54-78-149.hsd1.pa.comcast.net
> 176.100.32.106 web01.intercolo.net
> 179.181.181.76 179.181.181.76.dynamic.adsl.gvt.net.br
> 187.85.246.135 187-85-246-135.user.superitelecom.com.br
> 198.24.164.162 node108.mcprohosting.com
> 209.141.38.104
> 212.38.163.85 maid18.multiplay.co.uk
>
>
> To be clear, I *do not* think that I am being targeted, or that anyone
> is intentionally DDoSing me. Rather, I suspect that I'm just being
> used as a reflector or something, and that the real intended target
> is elsewhere.
>
> But I *REALLY* don't want to be a reflector, and wouldn't want to be one,
> even if 100% of my own minuscule outbound bandwidth wasn't being sucked up.
>
> P.P.S. Who are these guys (who are actually initiating all this stuff)
> anyway, and how the bleep did I manage to get on their list?
>
> Should I just assume that they have their robots out, 24/7, searching
> for anything and everything that will send NTP response packets? I
> guess that's it, yes?
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
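The two ntp.conf controls the thread turns on (the `disable monitor` directive from the reply, and the per-source `restrict` that the question asks about) are put side by side below, as an added example that is not part of the thread or of the FreeBSD project: a POSIX sh function that audits an ntp.conf text for both, run against a constructed weak configuration and a hardened one. The pool hostnames, the 192.168.1.0/24 LAN and the `audit_ntp_conf` name are assumptions made for the example; the directives themselves are those of the reference ntp.org ntpd that FreeBSD shipped at the time.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an ntp.conf (passed as
# text) for the two settings that stop ntpd answering monlist / mode 6/7
# queries from the Internet. Assumed: reference ntp.org ntpd; the pool
# hostnames and the 192.168.1.0/24 LAN are illustrative.

# Constructed sample: a typical ntp.conf that still answers "monlist" from
# any source, which is exactly what makes the host a reflector/amplifier.
WEAK_CONF='server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap
# disable monitor   <- commented out, so it does nothing'

# Hardened version: turn the monitor list off entirely and refuse mode 6/7
# (ntpq/ntpdc) queries from everywhere except localhost and the LAN.
# Normal time service (mode 3/4 packets) is not affected by noquery, so the
# host keeps syncing against its upstream servers.
HARDENED_CONF='server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap'

# audit_ntp_conf CONF_TEXT
# Prints one line per finding; returns 0 when no reflection exposure is found.
audit_ntp_conf() {
    conf=$1
    status=0
    # Drop comments so a commented-out directive is not counted as present.
    clean=$(printf '%s\n' "$conf" | sed 's/#.*//')

    # 1. "disable monitor" must be present (it may share a line with other
    #    flags, e.g. "disable stats monitor").
    if ! printf '%s\n' "$clean" |
        grep -Eq '^[[:space:]]*disable[[:space:]]+(.*[[:space:]])?monitor([[:space:]]|$)'
    then
        echo "FAIL: no 'disable monitor' -> monlist (mode 7) replies are enabled"
        status=1
    fi

    # 2. every "restrict [-4|-6] default" line must carry noquery (or ignore),
    #    otherwise ntpq/ntpdc control queries are still answered for anyone.
    defaults=$(printf '%s\n' "$clean" |
        grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)')
    if [ -z "$defaults" ]; then
        echo "FAIL: no 'restrict default' line -> queries from anywhere are answered"
        status=1
    elif printf '%s\n' "$defaults" |
        grep -Evq '(^|[[:space:]])(noquery|ignore)([[:space:]]|$)'
    then
        echo "FAIL: a 'restrict default' line lacks noquery -> mode 6/7 queries answered"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: ntpd will not answer monlist or control queries from the Internet"
    return "$status"
}

echo "== weak ntp.conf =="
audit_ntp_conf "$WEAK_CONF" || :
echo "== hardened ntp.conf =="
audit_ntp_conf "$HARDENED_CONF"
```

The function deliberately treats `disable monitor` on its own as insufficient: it removes the monlist response, which is the large amplifier, but without `noquery` on the default restriction ntpd still answers other mode 6/7 queries (for example `ntpq -c rv`) from any source, and those can be reflected too, just with a smaller amplification factor. `restrict default ignore` is accepted as equally closed, but it also discards replies from upstream servers unless each of them gets its own `restrict` line, so `noquery` is the safer choice for a machine that only wants to stop being a reflector. After editing ntp.conf, restart ntpd (`service ntpd restart` on FreeBSD) and re-check from a host outside the LAN with `ntpdc -n -c monlist <server>`, which should no longer return a client list.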