From owner-freebsd-questions@FreeBSD.ORG Wed Feb 19 03:03:29 2014 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id DB644D88 for ; Wed, 19 Feb 2014 03:03:28 +0000 (UTC) Received: from mail-bk0-x22f.google.com (mail-bk0-x22f.google.com [IPv6:2a00:1450:4008:c01::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 60D861D5C for ; Wed, 19 Feb 2014 03:03:28 +0000 (UTC) Received: by mail-bk0-f47.google.com with SMTP id d7so40488bkh.34 for ; Tue, 18 Feb 2014 19:03:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=poPh18jhCwWVSJ/e6PGErHo7WFe8QU0qPrq0jUUKNfc=; b=YuN8+sejM494plDNz9VPJHKB+ZjC7LrHT3rDuhl+NkDtOV9MG97+noJWpBZYaplZw9 iFX90+QWKhMXHU7bGmIQw0wtJIus/nDo4pfTYYmz2LybsRUK3uw9I3BW0z56mRFtukV4 MCNbEW8mkYQcx+LYU/m3r0uW8KhHDK3u5uRBU57Mh2cd3AbVju06+taatphhN4RRdaMc uZg8D/MI6IILvVYBFx65mV0ByV79Nfp30Mdg4cUO67npsiTBKbXvI6ig/yYtKWbAD9wm VXRSCMeG7KLPHJaAhZ73HNgGYZ2rn9Yljo/uNSQ85zG4QdOj79vOWFKG+ghs1Vhbytwa W+fQ== MIME-Version: 1.0 X-Received: by 10.204.54.197 with SMTP id r5mr19457202bkg.27.1392779006465; Tue, 18 Feb 2014 19:03:26 -0800 (PST) Received: by 10.205.10.131 with HTTP; Tue, 18 Feb 2014 19:03:26 -0800 (PST) In-Reply-To: <20140219014725.fec40b4d.freebsd@edvax.de> References: <2505.1392764000@server1.tristatelogic.com> <5303FCBE.3060106@FreeBSD.org> <20140219014725.fec40b4d.freebsd@edvax.de> Date: Tue, 18 Feb 2014 19:03:26 -0800 Message-ID: Subject: Re: Semi-urgent: Disable NTP replies? From: Waitman Gobble To: Polytropon Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.17 Cc: "freebsd-questions@freebsd.org" X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Feb 2014 03:03:29 -0000 On Tue, Feb 18, 2014 at 4:47 PM, Polytropon wrote: > On Wed, 19 Feb 2014 00:37:18 +0000, Matthew Seaman wrote: > > On 18/02/2014 22:53, Ronald F. Guilmette wrote: > > > So, um, I've had to put in a new stopgap ipfw rule, just to stop these > > > bloody &^%$#@ NTP reply packets from leaving my server, but what is > > > that Right Way to solve this problem? I'm guessing that there's > > > something I need to add to my /etc/ntp.conf file in order to tell > > > my local ntpd to simply not accept incoming _query_ packets unlees > > > they are coming from my own LAN, yes? But obviously, I still need it > > > to accept incoming ntp _reply_ packets or else my machine will never > > > know the correct time. > > > > > > Sorry. The answer I'm looking for is undoubtedly listed in an FAQ > > > someplace, but I am very much on edge right at the moment... because > > > I was basiaclly being DDoS'd by all of this stupid NTP traffic... and > > > thus I'm seeking a quick answer. > > > > Yep. This is the latest scumbag trick: sending spoofed packets to ntpd > > and using it as an amplifier to do a DDoS against some victim. > > For those interested in learning more about how this attack > is being used by scumbags, here are a two links to read: > > > http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack > > > http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/ > > In this case, CloudFlare has been declared the victim. > > > -- > Polytropon > Magdeburg, Germany > Happy FreeBSD user since 4.0 > Andra moi ennepe, Mousa, ... > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to " > freebsd-questions-unsubscribe@freebsd.org" > Hi, The ntpd in src is Ver. 4.2.4p8, it "seems" to ignore some command line options and config file options. for example "-I" .. browsing through the code it looks like this was not completely implemented, there's ground work there though (please correct me if i'm wrong). for example: using ntpd from src: Flg Arg Option-Name Description -4 no ipv4 Force IPv4 DNS name resolution -6 no ipv6 Force IPv6 DNS name resolution - an alternate for ipv4 > ntpd -4 > sockstat | grep ntpd root ntpd 55617 3 dgram -> /var/run/logpriv root ntpd 55617 20 udp4 *:123 *:* root ntpd 55617 21 udp6 *:123 *:* root ntpd 55617 22 udp6 ::1:123 *:* root ntpd 55617 23 udp6 fe80:2::1:123 *:* root ntpd 55617 24 udp4 127.0.0.1:123 *:* root ntpd 55617 25 udp4 192.168.0.153:123 *:* hmmm, it looks like it ignores that flag? if you go fetch a more modern version, it seems to be working > ./ntpd --version ntpd 4.2.7p422@1.2483-o Wed Feb 19 02:43:44 UTC 2014 (5) > ./ntpd -4 > sockstat | grep ntpd root ntpd 55631 3 dgram -> /var/run/logpriv root ntpd 55631 20 udp4 127.0.0.1:123 *:* root ntpd 55631 21 udp4 192.168.0.153:123 *:* root ntpd 55631 23 stream -> ?? root ntpd 55631 24 stream -> ?? however i cannot seem to get --interface or -I to function? > ./ntpd -I lo -4 > sockstat | grep ntpd root ntpd 55996 3 dgram -> /var/run/logpriv root ntpd 55996 20 udp4 *:123 *:* root ntpd 55996 21 udp4 127.0.0.1:123 *:* root ntpd 55996 23 stream -> ?? root ntpd 55996 24 stream -> ?? > ./ntpd -I 127.0.0.1 -4 > sockstat | grep ntpd root ntpd 56032 3 dgram -> /var/run/logpriv root ntpd 56032 20 udp4 *:123 *:* root ntpd 56032 21 udp4 127.0.0.1:123 *:* root ntpd 56032 23 stream -> ?? root ntpd 56032 24 stream -> ?? Hey, one quick hack i found is to kill the 'wildcard' address, in ntpd/ntp_io.c /* * create pseudo-interface with wildcard IPv4 address */ v4wild = ipv4_works; v4wild = NULL; /* kill the wildcard */ then rebuild. if we omit the -I interface it listens to every freakin' thing (well -4 works) > ./ntpd -4 > sockstat | grep ntpd root ntpd 55672 3 dgram -> /var/run/logpriv root ntpd 55672 20 udp4 127.0.0.1:123 *:* root ntpd 55672 21 udp4 192.168.0.153:123 *:* root ntpd 55672 23 stream -> ?? root ntpd 55672 24 stream -> ?? but with -I lo now it's just listening on lo. > ./ntpd -I lo -4 [1161] > sockstat | grep ntpd root ntpd 55666 3 dgram -> /var/run/logpriv root ntpd 55666 20 udp4 127.0.0.1:123 *:* root ntpd 55666 22 stream -> ?? root ntpd 55666 23 stream -> ?? now it's kind-of only listening on ipv4 loooopback i'm using FreeBSD akira.waitman.net 11.0-CURRENT FreeBSD 11.0-CURRENT #1 r261643: Sat Feb 8 22:11:05 PST 2014 root@akira.waitman.net:/usr/obj/usr/src/sys/AKIRA amd64 BUT: a) the firewall approach is probably smarter b) maybe a sealed ntpd isn't necessary anyway, why bother with a daemon? other solutions avail. like ntpdate? what do you think? -- Waitman Gobble San Jose California USA 510-830-7975