From: Matthew Seaman <matthew@FreeBSD.org>
Date: Wed, 19 Feb 2014 00:37:18 +0000
To: freebsd-questions@freebsd.org
Subject: Re: Semi-urgent: Disable NTP replies?
Message-ID: <5303FCBE.3060106@FreeBSD.org>
In-Reply-To: <2505.1392764000@server1.tristatelogic.com>

On 18/02/2014 22:53, Ronald F. Guilmette wrote:
> So, um, I've had to put in a new stopgap ipfw rule, just to stop these
> bloody &^%$#@ NTP reply packets from leaving my server, but what is
> that Right Way to solve this problem?  I'm guessing that there's
> something I need to add to my /etc/ntp.conf file in order to tell
> my local ntpd to simply not accept incoming _query_ packets unless
> they are coming from my own LAN, yes?  But obviously, I still need it
> to accept incoming ntp _reply_ packets or else my machine will never
> know the correct time.
> 
> Sorry.  The answer I'm looking for is undoubtedly listed in an FAQ
> someplace, but I am very much on edge right at the moment... because
> I was basically being DDoS'd by all of this stupid NTP traffic... and
> thus I'm seeking a quick answer.

Yep.  This is the latest scumbag trick: sending spoofed packets to ntpd
and using it as an amplifier to do a DDoS against some victim.
What you need to do is described here:

  http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc

but in summary your actions should be one or more of:

  * upgrade to a version of ntpd that does not respond to 'monlist'
    queries.  Any -RELEASE or -STABLE version post the publication of
    that advisory should do the trick, or you can use ntpd-devel from
    ports.

  * Firewall off your ntpd instances from accessibility from the
    internet.

  * Modify your /etc/ntp.conf to disallow most foreign connectivity to
    your ntpd instances.

The config changes required for that last are something along the
following lines, to be added to /etc/ntp.conf:

    restrict -4 default nomodify nopeer noquery notrap
    restrict -6 default nomodify nopeer noquery notrap
    restrict 127.0.0.1
    restrict -6 ::1
    restrict 127.127.1.0

If you can swing it,

    restrict -4 default ignore
    restrict -6 default ignore

would be even better, but you will also need to add lines permitting
appropriate traffic to and from timeservers on the network by the
servers' IP number.  This does mean you can't use the ntp.org time
server pools without significant faffing around, as the ntp.org
timeservers are pooled and you tend to get a different IP

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
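The check a practitioner wants after applying any of the three fixes above is to confirm that the host no longer answers 'monlist' at all. The script below is an added example for this thread, not code from either poster or from the FreeBSD advisory. It builds the mode 7 REQ_MON_GETLIST_1 request that the amplification attacks send (the 8-byte, header-only form scanners commonly use), parses the replies, and reports how many bytes came back per byte sent. The packet layout follows ntpd's ntp_request.h as I read it (struct req_pkt / resp_pkt, IMPL_XNTPD = 3, request code 42, 72-byte struct info_monitor_1, six entries per 440-byte reply); SAMPLE_REPLY is constructed for offline use, not captured from a real server. Only probe servers you are responsible for.

```python
"""Mode 7 'monlist' probe for ntpd: build the request, parse replies,
measure the amplification.  Added example; layout per ntpd's
ntp_request.h as understood by the author of this example."""
import socket
import struct
import sys

NTP_PORT = 123
IMPL_XNTPD = 3                  # implementation number ntpd answers for
REQ_MON_GETLIST_1 = 42          # the 'monlist' request code
RESP_BIT, MORE_BIT = 0x80, 0x40 # flags in rm_vn_mode of a reply
HDR_FMT = "!BBBBHH"             # rm_vn_mode auth_seq impl request err_nitems mbz_itemsize
HDR_LEN = struct.calcsize(HDR_FMT)    # 8
ITEM_FMT = "!IIII4s4sIHBBII16s16s"    # struct info_monitor_1
ITEM_LEN = struct.calcsize(ITEM_FMT)  # 72
ERR_NAMES = {0: "OKAY", 1: "IMPL", 2: "REQ", 3: "FMT", 4: "NODATA", 7: "AUTH"}


def build_monlist_request():
    """Version 2, mode 7, no auth, implementation XNTPD, request 42."""
    rm_vn_mode = (2 << 3) | 7                    # 0x17
    return struct.pack(HDR_FMT, rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_monlist_reply(pkt):
    """Return (more, err, items) for one mode 7 reply packet.

    err is the 4-bit error code from err_nitems (0 = OKAY); items holds
    one dict per info_monitor_1 entry, i.e. one per client address ntpd
    has been remembering.  Raises ValueError for anything else."""
    if len(pkt) < HDR_LEN:
        raise ValueError("short packet")
    rm_vn_mode, _seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(HDR_FMT, pkt[:HDR_LEN])
    if not rm_vn_mode & RESP_BIT or rm_vn_mode & 0x07 != 7:
        raise ValueError("not a mode 7 response")
    if impl != IMPL_XNTPD or req != REQ_MON_GETLIST_1:
        raise ValueError("not a reply to REQ_MON_GETLIST_1")
    more = bool(rm_vn_mode & MORE_BIT)
    err, nitems = err_nitems >> 12, err_nitems & 0x0FFF
    itemsize = mbz_itemsize & 0x0FFF
    items = []
    if err == 0 and nitems:
        if itemsize != ITEM_LEN:
            raise ValueError("unexpected item size %d" % itemsize)
        body = pkt[HDR_LEN:]
        if len(body) < nitems * itemsize:
            raise ValueError("truncated item list")
        for i in range(nitems):
            (avg_int, last_int, _restr, count, addr4, _daddr4, _flags, port,
             mode, version, v6_flag, _pad, addr6, _daddr6) = struct.unpack(
                ITEM_FMT, body[i * itemsize:(i + 1) * itemsize])
            addr = socket.inet_ntop(socket.AF_INET6, addr6) if v6_flag else socket.inet_ntoa(addr4)
            items.append({"addr": addr, "port": port, "count": count, "mode": mode,
                          "version": version, "avg_int": avg_int, "last_int": last_int})
    return more, err, items


def amplification_factor(replies, request=None):
    """Bytes the server sends back per byte of (spoofable) request."""
    request = build_monlist_request() if request is None else request
    return sum(len(r) for r in replies) / float(len(request))


def probe(host, port=NTP_PORT, timeout=2.0, max_replies=100):
    """Send one request and collect replies until MORE clears or we time
    out.  An empty list is the hardened result: 'restrict ... noquery'
    makes ntpd drop mode 7 silently and a firewall never delivers it."""
    family, _, _, _, sockaddr = socket.getaddrinfo(host, port, 0, socket.SOCK_DGRAM)[0]
    sock = socket.socket(family, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(build_monlist_request(), sockaddr)
        while len(replies) < max_replies:
            try:
                pkt, _ = sock.recvfrom(1500)
            except socket.timeout:
                break
            replies.append(pkt)
            try:
                more, _, _ = parse_monlist_reply(pkt)
            except ValueError:
                break
            if not more:
                break
    finally:
        sock.close()
    return replies


def _item(addr4, count, mode=3, version=4):
    """One constructed info_monitor_1 entry for an IPv4 client (test data)."""
    return struct.pack(ITEM_FMT, 64, 2, 0, count, socket.inet_aton(addr4),
                       socket.inet_aton("192.0.2.1"), 0, 123, mode, version,
                       0, 0, b"\0" * 16, b"\0" * 16)


# Constructed reply: RESP set, MORE clear, err OKAY, two 72-byte entries (152 bytes).
SAMPLE_REPLY = (struct.pack(HDR_FMT, RESP_BIT | (2 << 3) | 7, 0, IMPL_XNTPD,
                            REQ_MON_GETLIST_1, 2, ITEM_LEN)
                + _item("198.51.100.7", 1200) + _item("203.0.113.9", 3))

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    replies = probe(target) if target else [SAMPLE_REPLY]   # no host: parse the sample
    if not replies:
        print("%s: no monlist reply within timeout (good)" % target)
    for pkt in replies:
        more, err, items = parse_monlist_reply(pkt)
        print("reply: %d bytes, err=%s, more=%s" % (len(pkt), ERR_NAMES.get(err, err), more))
        for it in items:
            print("  %(addr)s:%(port)d count=%(count)d mode=%(mode)d v%(version)d" % it)
    if replies:
        print("amplification x%.1f over %d packet(s)" % (amplification_factor(replies), len(replies)))
```

Run it with no argument to see the constructed sample parsed; with a hostname it sends one request and waits. Before the fix a busy server returns up to 100 reply packets of 440 bytes for 8 bytes sent, which is the amplification the thread is about; after upgrading or adding `noquery` the expected result is silence, and a server that answers with a non-zero error code is at least no longer leaking its client list.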