Date:      Wed, 19 Feb 2014 00:37:18 +0000
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: Semi-urgent: Disable NTP replies?
Message-ID:  <5303FCBE.3060106@FreeBSD.org>
In-Reply-To: <2505.1392764000@server1.tristatelogic.com>
References:  <2505.1392764000@server1.tristatelogic.com>


On 18/02/2014 22:53, Ronald F. Guilmette wrote:
> So, um, I've had to put in a new stopgap ipfw rule, just to stop these
> bloody &^%$#@ NTP reply packets from leaving my server, but what is
> that Right Way to solve this problem?  I'm guessing that there's
> something I need to add to my /etc/ntp.conf file in order to tell
> my local ntpd to simply not accept incoming _query_ packets unless
> they are coming from my own LAN, yes?  But obviously, I still need it
> to accept incoming ntp _reply_ packets or else my machine will never
> know the correct time.
>
> Sorry.  The answer I'm looking for is undoubtedly listed in an FAQ
> someplace, but I am very much on edge right at the moment... because
> I was basically being DDoS'd by all of this stupid NTP traffic... and
> thus I'm seeking a quick answer.

Yep.  This is the latest scumbag trick: sending spoofed packets to ntpd
and using it as an amplifier to do a DDoS against some victim.

What you need to do is described here:

    http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc

but in summary your actions should be one or more of:

    * upgrade to a version of ntpd that does not respond to 'monlist'
      queries.  Any -RELEASE or -STABLE version post the publication of
      that advisory should do the trick, or you can use ntpd-devel from
      ports.

    * Firewall off your ntpd instances from accessibility from the
      internet.

    * Modify your /etc/ntp.conf to disallow most foreign connectivity to
      your ntpd instances.

The config changes required for that last are something along the
following lines, to be added to /etc/ntp.conf:

restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0

If you can swing it,

restrict -4 default ignore
restrict -6 default ignore

would be even better, but you will also need to add lines permitting
appropriate traffic to and from timeservers on the network by the
servers' IP number.  This does mean you can't use the ntp.org time
server pools without significant faffing around, as the ntp.org
timeservers are pooled and you tend to get a different IP

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
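The following checker is an added example, not code from Matthew or from the FreeBSD project. It parses an ntp.conf as plain text and reports whether the `restrict default` lines have the shape recommended above (`noquery` to refuse monlist-style queries, plus `nomodify`, `nopeer` and `notrap`), and, for the stricter `default ignore` variant, whether every configured server is listed by a fixed IP with its own permitting `restrict` line. The three sample configs are constructed for the example; 192.0.2.x addresses are from the RFC 5737 documentation range and stand in for real time servers.

```python
#!/usr/bin/env python3
"""Audit the 'restrict' lines of an ntp.conf against the hardening in the
reply above.  Added example, not part of the original message; it parses
the config as plain text and needs no ntpd tooling."""
import ipaddress
import shlex

# Constructed sample configs (not from the message).  192.0.2.0/24 is the
# RFC 5737 documentation range, used here as a stand-in for real servers.
OPEN_CONF = """\
server 0.freebsd.pool.ntp.org iburst
restrict 127.0.0.1
"""

HARDENED_CONF = """\
server 0.freebsd.pool.ntp.org iburst
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
"""

# The stricter 'default ignore' variant: each time server must then be
# named by IP in its own restrict line, or ntpd drops its replies too.
IGNORE_CONF = """\
server 192.0.2.10 iburst
server 192.0.2.11 iburst
restrict -4 default ignore
restrict -6 default ignore
restrict 192.0.2.10 nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
"""


def parse_conf(text):
    """Return (restricts, servers): restricts is a list of (families, target,
    flags) with families a set of '4'/'6' (both when no -4/-6 is given, as
    ntpd does); servers lists the addresses on server/peer lines."""
    restricts, servers = [], []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        words = shlex.split(line)
        keyword, args = words[0], words[1:]
        if keyword in ('server', 'peer') and args:
            servers.append(args[0])
        elif keyword == 'restrict' and args:
            families = {'4', '6'}
            if args[0] in ('-4', '-6'):
                families, args = {args[0][1]}, args[1:]
            if not args:
                continue
            target, rest = args[0], args[1:]
            if rest[:1] == ['mask'] and len(rest) >= 2:  # drop 'mask <bits>'
                rest = rest[2:]
            restricts.append((families, target, set(rest)))
    return restricts, servers


def default_flags(restricts):
    """Flags on each family's default restriction; None means no default
    line at all, in which case ntpd answers every query from anywhere."""
    result = {'4': None, '6': None}
    for families, target, flags in restricts:
        if target == 'default':
            for fam in families:
                result[fam] = set(flags)
    return result


def audit(text):
    """Return a list of findings; empty means the config has the
    recommended shape."""
    restricts, servers = parse_conf(text)
    defaults = default_flags(restricts)
    findings = []
    for fam in ('4', '6'):
        flags = defaults[fam]
        if flags is None:
            findings.append(f"IPv{fam}: no 'restrict default' line, so monlist "
                            "and other mode 6/7 queries are answered for anyone")
        elif 'ignore' in flags:
            continue  # nothing gets through unless explicitly permitted below
        elif 'noquery' not in flags:
            findings.append(f"IPv{fam}: default restriction lacks 'noquery', "
                            "so it still answers monlist")
        else:
            for want in ('nomodify', 'nopeer', 'notrap'):
                if want not in flags:
                    findings.append(f"IPv{fam}: default restriction lacks '{want}'")
    # Under 'default ignore' every time server needs its own permitting line.
    if any(f is not None and 'ignore' in f for f in defaults.values()):
        permitted = {t for _, t, fl in restricts if 'ignore' not in fl}
        for srv in servers:
            try:
                ipaddress.ip_address(srv)
            except ValueError:
                findings.append(f"server {srv} is a hostname; with 'default "
                                "ignore' list servers by fixed IP instead")
                continue
            if srv not in permitted:
                findings.append(f"server {srv} has no matching 'restrict {srv}' "
                                "line; 'default ignore' will drop its replies")
    return findings
```

Running `audit()` over the three samples gives two findings for the open config (no default restriction for either family), none for the hardened one, and one for the ignore variant (192.0.2.11 has no permitting line). The hostname check reflects the pool caveat above: a `restrict` entry needs a stable address, which a pool name does not give you.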