Date: Tue, 18 Feb 2014 21:27:14 -0600
From: Adam Vande More <amvandemore@gmail.com>
To: Polytropon <freebsd@edvax.de>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Semi-urgent: Disable NTP replies?
Message-ID: <CA+tpaK2S_qZ=hLi0iSNoF4kuCvi+Jwdxcadotrk=3iJvU=hHUQ@mail.gmail.com>
In-Reply-To: <20140219014725.fec40b4d.freebsd@edvax.de>
References: <2505.1392764000@server1.tristatelogic.com> <5303FCBE.3060106@FreeBSD.org> <20140219014725.fec40b4d.freebsd@edvax.de>
On Tue, Feb 18, 2014 at 6:47 PM, Polytropon <freebsd@edvax.de> wrote:
> On Wed, 19 Feb 2014 00:37:18 +0000, Matthew Seaman wrote:
> > On 18/02/2014 22:53, Ronald F. Guilmette wrote:
> > > So, um, I've had to put in a new stopgap ipfw rule, just to stop these
> > > bloody &^%$#@ NTP reply packets from leaving my server, but what is
> > > the Right Way to solve this problem? I'm guessing that there's
> > > something I need to add to my /etc/ntp.conf file in order to tell
> > > my local ntpd to simply not accept incoming _query_ packets unless
> > > they are coming from my own LAN, yes? But obviously, I still need it
> > > to accept incoming ntp _reply_ packets or else my machine will never
> > > know the correct time.
> > >
> > > Sorry. The answer I'm looking for is undoubtedly listed in an FAQ
> > > someplace, but I am very much on edge right at the moment... because
> > > I was basically being DDoS'd by all of this stupid NTP traffic... and
> > > thus I'm seeking a quick answer.
> >
> > Yep. This is the latest scumbag trick: sending spoofed packets to ntpd
> > and using it as an amplifier to do a DDoS against some victim.
>
> For those interested in learning more about how this attack
> is being used by scumbags, here are two links to read:
>
> http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
>
> http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/
>
> In this case, CloudFlare has been declared the victim.

Aside from the Adam Walsh hyperbole, this was a very vulnerable "feature" included in NTP to begin with and also one that lacks apparent real-world value. It's been removed from NTP sources for quite a while, something like 4 years. As such I consider this to be a problem of whoever is distributing NTP.

--
Adam
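The /etc/ntp.conf restrictions the original question asks about, as an added example that is not part of this thread; the 192.168.1.0/24 LAN and the upstream server names are assumptions. The point is that "noquery" blocks only the ntpq/ntpdc status and control queries (the amplification vector), while replies to the daemon's own client requests and ordinary time requests from LAN clients keep working.

```conf
# /etc/ntp.conf fragment (added example, not from the thread).

# Default for every address: no status/control queries ("noquery"), no
# runtime reconfiguration ("nomodify"), no trap service ("notrap"), no
# unsolicited peering ("nopeer"). Client time requests are still served,
# and replies from the servers listed below are still accepted.
restrict default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer noquery

# Localhost may still run "ntpq -p" and friends against the daemon.
restrict 127.0.0.1
restrict -6 ::1

# Assumed LAN: may query status, may not reconfigure the daemon.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Defence in depth: switch off the daemon's client-monitoring list, the
# data source behind the old status query, so there is nothing to report
# even if a restriction is mis-typed.
disable monitor

# Upstream servers (assumed names). The "server" lines create the
# associations whose replies the default restriction still lets through.
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
```

After restarting ntpd, "ntpq -p" from localhost should still list the upstream servers, while the same query from a host outside the LAN gets no answer.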