From owner-freebsd-questions@FreeBSD.ORG Wed Feb 19 03:27:15 2014
Delivered-To: freebsd-questions@freebsd.org
In-Reply-To: <20140219014725.fec40b4d.freebsd@edvax.de>
References: <2505.1392764000@server1.tristatelogic.com> <5303FCBE.3060106@FreeBSD.org> <20140219014725.fec40b4d.freebsd@edvax.de>
Date: Tue, 18 Feb 2014 21:27:14 -0600
Subject: Re: Semi-urgent: Disable NTP replies?
From: Adam Vande More
To: Polytropon
Cc: FreeBSD Questions
Content-Type: text/plain; charset=ISO-8859-1
List-Id: User questions

On Tue, Feb 18, 2014 at 6:47 PM, Polytropon wrote:
> On Wed, 19 Feb 2014 00:37:18 +0000, Matthew Seaman wrote:
> > On 18/02/2014 22:53, Ronald F. Guilmette wrote:
> > > So, um, I've had to put in a new stopgap ipfw rule, just to stop these
> > > bloody &^%$#@ NTP reply packets from leaving my server, but what is
> > > the Right Way to solve this problem? I'm guessing that there's
> > > something I need to add to my /etc/ntp.conf file in order to tell
> > > my local ntpd to simply not accept incoming _query_ packets unless
> > > they are coming from my own LAN, yes? But obviously, I still need it
> > > to accept incoming ntp _reply_ packets or else my machine will never
> > > know the correct time.
> > >
> > > Sorry. The answer I'm looking for is undoubtedly listed in an FAQ
> > > someplace, but I am very much on edge right at the moment... because
> > > I was basically being DDoS'd by all of this stupid NTP traffic... and
> > > thus I'm seeking a quick answer.
> >
> > Yep. This is the latest scumbag trick: sending spoofed packets to ntpd
> > and using it as an amplifier to do a DDoS against some victim.
>
> For those interested in learning more about how this attack
> is being used by scumbags, here are two links to read:
>
> http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
>
> http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/
>
> In this case, CloudFlare has been declared the victim.
Aside from the Adam Walsh hyperbole, this was a very vulnerable "feature" included in NTP to begin with, and also one that lacks apparent real-world value. It's been removed from NTP sources for quite a while, something like 4 years. As such I consider this to be a problem of whoever is distributing NTP.

-- 
Adam
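The ntp.conf restriction Ronald asks about, as an added example that is not from this thread or from the FreeBSD stock configuration: the server keeps answering ordinary time requests and keeps receiving replies from its own upstream servers, but refuses the control and monitor queries that amplification abuses from anyone outside the LAN. The 192.168.1.0/24 LAN range and the pool hostnames are assumptions.

```conf
# /etc/ntp.conf excerpt (added example). 192.168.1.0/24 is an assumed LAN.

# Upstream servers: their replies still arrive because they answer
# associations this ntpd initiated, not unsolicited queries.
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst

# Default for all other addresses: rate-limit (limited) and answer
# violators with a kiss-o'-death packet (kod), refuse runtime
# reconfiguration (nomodify), trap service (notrap), unsolicited peer
# associations (nopeer) and ntpq/ntpdc queries (noquery).
# Plain client time requests are still served.
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# Localhost keeps full access so `ntpq -p` works on the box itself.
restrict 127.0.0.1
restrict -6 ::1

# LAN hosts may query status but not reconfigure ntpd.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Turn the monitor facility off entirely, so there is no monlist data
# to return even where queries are allowed.
disable monitor
```

Restart ntpd after editing; the restrict flags govern control and monitoring queries only, so the machine's own synchronisation with its upstream servers is unaffected.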