Date: Thu, 20 Feb 2014 12:46:56 -1000
From: Al Plant <noc@hdk5.net>
To: Matthew Seaman <matthew@FreeBSD.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: Semi-urgent: Disable NTP replies?
Message-ID: <530685E0.601@hdk5.net>
In-Reply-To: <5303FCBE.3060106@FreeBSD.org>
References: <2505.1392764000@server1.tristatelogic.com> <5303FCBE.3060106@FreeBSD.org>
Matthew Seaman wrote:
> On 18/02/2014 22:53, Ronald F. Guilmette wrote:
>> So, um, I've had to put in a new stopgap ipfw rule, just to stop these
>> bloody &^%$#@ NTP reply packets from leaving my server, but what is
>> the Right Way to solve this problem? I'm guessing that there's
>> something I need to add to my /etc/ntp.conf file in order to tell
>> my local ntpd to simply not accept incoming _query_ packets unless
>> they are coming from my own LAN, yes? But obviously, I still need it
>> to accept incoming ntp _reply_ packets or else my machine will never
>> know the correct time.
>>
>> Sorry. The answer I'm looking for is undoubtedly listed in an FAQ
>> someplace, but I am very much on edge right at the moment... because
>> I was basically being DDoS'd by all of this stupid NTP traffic... and
>> thus I'm seeking a quick answer.
>
> Yep. This is the latest scumbag trick: sending spoofed packets to ntpd
> and using it as an amplifier to do a DDoS against some victim.
>
> What you need to do is described here:
>
> http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc
>
> but in summary your actions should be one or more of:
>
> * upgrade to a version of ntpd that does not respond to 'monlist'
> queries. Any -RELEASE or -STABLE version post the publication of
> that advisory should do the trick, or you can use ntpd-devel from
> ports.
>
> * Firewall off your ntpd instances from accessibility from the
> internet.
>
> * Modify your /etc/ntp.conf to disallow most foreign connectivity to
> your ntpd instances.
>
> The config changes required for that last are something along the
> following lines, to be added to /etc/ntp.conf:
>
> restrict -4 default nomodify nopeer noquery notrap
> restrict -6 default nomodify nopeer noquery notrap
> restrict 127.0.0.1
> restrict -6 ::1
> restrict 127.127.1.0
>
> If you can swing it,
>
> restrict -4 default ignore
> restrict -6 default ignore
>
> would be even better, but you will also need to add lines permitting
> appropriate traffic to and from timeservers on the network by the
> servers' IP number. This does mean you can't use the ntp.org time
> server pools without significant faffing around, as the ntp.org
> timeservers are pooled and you tend to get a different IP
>
> Cheers,
>
> Matthew
>
##################

Thanks to Matthew, Poly and all who posted the fixes for the NTP attack issue.

I had one old mail server that seemed to attract the attack and the fix worked. I switched from the pool 1., 2. and 3. ntp servers to a military one and a local University of Hawaii one. I have used them for a while already on several of my desktops as a check at boot time. Both are clean.

Again, thanks,

~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
+ http://hawaiidakine.com + http://freebsdinfo.org +
+ http://aloha50.net - Supporting - FreeBSD 7.2 - 8.0 - 9* +
< email: noc@hdk5.net >
"All that's really worth doing is what we do for others." - Lewis Carroll
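The thread says what to change (restrict ... noquery, a newer ntpd, or a firewall rule) but not how to confirm afterwards that the box no longer answers 'monlist'. The script below is an added example, not code from the thread, from ntpd or from FreeBSD: it builds the NTP mode 7 REQ_MON_GETLIST_1 request that the amplification attacks send, decodes the mode 7 replies an ntpd returns, and reports whether the server still hands out monlist data and how many bytes it sends back per byte received. The 8-byte request form, the 72-byte struct info_monitor_1 layout and the INFO_ERR_* code values are taken from ntpd's ntp_request.h as I remember it and are labelled as assumptions; the two sample replies are constructed so the parser can be exercised offline and are not captures.

```python
"""Added example (not from the thread, ntpd or FreeBSD): build the NTP
mode 7 "monlist" request, parse mode 7 replies, and report whether a
server still acts as an amplifier.  Offsets/constants assumed from ntpd's
ntp_request.h; SAMPLE_REPLY and HARDENED_REPLY are constructed test data.
"""
import socket
import struct
import sys

# byte0 = version 2 (0b010 << 3) | mode 7 = 0x17; byte1 = auth 0 / seq 0;
# byte2 = implementation IMPL_XNTPD (3); byte3 = REQ_MON_GETLIST_1 (42);
# then the err/nitems and mbz/size 16-bit words, zero in a request.
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2a, 0x00, 0x00, 0x00, 0x00])
REQ_MON_GETLIST_1 = 42
MON_ENTRY_SIZE = 72   # sizeof(struct info_monitor_1), assumed from ntp_request.h


def parse_mode7(packet):
    """Decode one mode 7 packet into a dict; ValueError if it is not mode 7."""
    if len(packet) < 8:
        raise ValueError("packet shorter than the 8-byte mode 7 header")
    b0, b1, impl, reqcode, err_nitems, mbz_size = struct.unpack("!BBBBHH", packet[:8])
    if b0 & 0x07 != 7:
        raise ValueError("NTP mode %d, not mode 7" % (b0 & 0x07))
    info = {
        "length": len(packet),
        "response": bool(b0 & 0x80),   # R bit: this is a reply, not a request
        "more": bool(b0 & 0x40),       # M bit: further fragments follow
        "version": (b0 >> 3) & 0x07,
        "sequence": b1 & 0x7f,
        "implementation": impl,
        "request_code": reqcode,
        "error": err_nitems >> 12,     # 0 = INFO_ERR_OKAY (assumed value)
        "nitems": err_nitems & 0x0fff,
        "item_size": mbz_size & 0x0fff,
        "entries": [],
    }
    if info["response"] and info["request_code"] == REQ_MON_GETLIST_1 and info["error"] == 0:
        size, data = info["item_size"], packet[8:]
        for i in range(info["nitems"]):
            item = data[i * size:(i + 1) * size]
            if len(item) < 32:
                break   # truncated fragment: stop rather than misparse
            # info_monitor_1 prefix: avg_int, last_int, restr, count, addr,
            # daddr, flags (u32 each, network order), port (u16), mode, version
            f = struct.unpack("!IIIIIIIHBB", item[:32])
            info["entries"].append({
                "addr": socket.inet_ntoa(struct.pack("!I", f[4])),
                "count": f[3], "port": f[7], "mode": f[8], "version": f[9],
            })
    return info


def is_amplifier(replies):
    """True if any reply carries monlist data, i.e. ntpd still answers."""
    return any(r["response"] and r["request_code"] == REQ_MON_GETLIST_1
               and r["error"] == 0 and r["nitems"] > 0 for r in replies)


def amplification(replies, request=MONLIST_REQUEST):
    """Bytes returned per byte sent: the attacker's gain for this request."""
    return sum(r["length"] for r in replies) / len(request)


def probe(host, port=123, timeout=2.0):
    """Send one monlist request to a host you are authorised to test and
    collect mode 7 fragments until the M bit clears or the host goes quiet."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(MONLIST_REQUEST, (host, port))
        while True:
            data, _ = sock.recvfrom(2048)
            reply = parse_mode7(data)
            replies.append(reply)
            if not reply["more"]:
                break
    except (socket.timeout, ValueError):
        pass   # silence (noquery / firewall / fixed ntpd) or non-mode-7 noise
    finally:
        sock.close()
    return replies


def _entry(addr, daddr, count, port, mode=3, version=4):
    """Build one 72-byte info_monitor_1 record (constructed test data)."""
    def ip(s):
        return struct.unpack("!I", socket.inet_aton(s))[0]
    head = struct.pack("!IIIIIIIHBB", 64, 10, 0, count, ip(addr), ip(daddr), 0, port, mode, version)
    return head + bytes(MON_ENTRY_SIZE - len(head))   # v6_flag, unused1, addr6, daddr6 zeroed


# Constructed: what an unpatched, unrestricted ntpd might send back. R bit set,
# no M bit, error 0, two entries (addresses from the RFC 5737 documentation ranges).
SAMPLE_REPLY = (bytes([0x97, 0x00, 0x03, 0x2a]) + struct.pack("!HH", 2, MON_ENTRY_SIZE)
                + _entry("192.0.2.10", "198.51.100.1", 1234, 123)
                + _entry("203.0.113.5", "198.51.100.1", 7, 40000))

# Constructed: the most a hardened server returns, an error and no items
# (error 4 = INFO_ERR_NODATA, assumed value). With `noquery` it sends nothing.
HARDENED_REPLY = bytes([0x97, 0x00, 0x03, 0x2a]) + struct.pack("!HH", 4 << 12, 0)


if __name__ == "__main__":
    replies = probe(sys.argv[1]) if len(sys.argv) > 1 else [parse_mode7(SAMPLE_REPLY)]
    if not is_amplifier(replies):
        print("no monlist data returned: not usable as an amplifier")
    else:
        print("monlist answered: %d fragment(s), %.1fx amplification"
              % (len(replies), amplification(replies)))
        for r in replies:
            for e in r["entries"]:
                print("  %s:%d  count=%d" % (e["addr"], e["port"], e["count"]))
```

Run it with no argument to see the constructed reply decoded; run it with your server's address, from a host outside the LAN that your restrict lines allow, after applying Matthew's config. A fixed server should produce "no monlist data returned". The same probe can be made with ntp's own `ntpdc -n -c monlist <host>`, but that tool sends a full-sized request, so the byte ratio it implies is smaller than the one computed here for the 8-byte form the attack traffic uses.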