I see some attributes in the "UNIX ntpd" example there which are missing. I would suggest people follow the defaults provided by some of the OSS distros (ex. FreeBSD 9):

http://svnweb.freebsd.org/base/stable/9/etc/ntp.conf?revision=259974&view=markup

Specifically these lines for starters:

    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery
    restrict 127.0.0.1
    restrict -6 ::1
    restrict 127.127.1.0

The last 3 lines are effectively "allow" statements. You'll need to modify your ntp.conf accordingly; e.g. if the system in question is used as an NTP server for other machines on 192.168.1.0/24, you'd need something like:

    restrict 192.168.1.0 mask 255.255.255.0

But I recommend folks read (not skim -- it actually reads quite easily, just the formatting isn't easily skimmable) the following page, as it goes over the difference between "restrict default {bunch of modifiers}" vs. "restrict default ignore":

http://support.ntp.org/bin/view/Support/AccessRestrictions

It's remarkable how neglected NTP is as a service. :/

-- 
| Jeremy Chadwick [email protected] |
| UNIX Systems Administrator http://jdc.koitsu.org/ |
| Making life hard for others since 1977. PGP 4BD6C0CB |

On Wed, Feb 12, 2014 at 11:37:00AM -0700, John wrote:
> On 02/12/2014 11:33 AM, Bryan Inks wrote:
> >
> >Good info, I'll definitely be looking into this.
> >
> >But, I'm not being directly attacked. Internap is one of my upstreams, and
> >they are the one that reported that they were being attacked when we
> >called to let them know about the problem.
> >
> >*From:*Bill Wichers [mailto:[email protected]]
> >*Sent:* Wednesday, February 12, 2014 10:27 AM
> >*To:* Jared Mauch; Bryan Inks
> >*Cc:* [email protected]
> >*Subject:* RE: [outages] Internap Being DDoS'd
> >
> >To second Jared on this one, we've seen a HUGE increase in NTP-based
> >attacks over the past several weeks with our colo customers. It's very
> >efficient too -- even a pretty low end machine can saturate a 100M link.
> >It reminds me of SQL slammer...
> >
> >If you haven't yet checked that you're safe from this you should. See:
> >
> >https://www.us-cert.gov/ncas/alerts/TA14-013A
> >
> >and
> >
> >https://www.us-cert.gov/ncas/alerts/TA14-017A
> >
> >for more info...
> >
>
> And some info on how to mitigate it so you are not a reflector.
>
> http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
>
> --John
>
> > -Bill
> >
> >*From:*Outages [mailto:[email protected]] *On Behalf Of *Jared
> >Mauch
> >*Sent:* Wednesday, February 12, 2014 1:21 PM
> >*To:* Bryan Inks
> >*Cc:* [email protected] <mailto:[email protected]>
> >*Subject:* Re: [outages] Internap Being DDoS'd
> >
> >Close your NTP amplifiers and prevent the spoofing.. Will solve this one.
> >
> >Openntpproject.org <http://Openntpproject.org> can help you.
> >
> >Jared Mauch
> >
> >
> >On Feb 12, 2014, at 12:45 PM, "Bryan Inks" <[email protected]
> ><mailto:[email protected]>> wrote:
> >
> >    Just got confirmation from Internap NOC that they are being
> >    attacked again.
> >
> >    Causing quite a bit of chaos for my network in SoCal.
> >
> >    I'm having to route over to Level3 to minimize the issue.
> >
> >    _______________________________________________
> >    Outages mailing list
> >    [email protected] <mailto:[email protected]>
> >    https://puck.nether.net/mailman/listinfo/outages
> >
> >
> >
> >_______________________________________________
> >Outages mailing list
> >[email protected]
> >https://puck.nether.net/mailman/listinfo/outages
>
> _______________________________________________
> Outages mailing list
> [email protected]
> https://puck.nether.net/mailman/listinfo/outages

_______________________________________________
Outages mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/outages
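
One way to check an ntp.conf against the restrict lines recommended at the top of this thread; this is an added example, not part of the original messages or of any NTP project code. The function names are hypothetical, the WEAK config is constructed, and it assumes a bare "restrict default" covers IPv4 only, as in the FreeBSD 9 lines quoted above.

```python
# Added example: audits ntp.conf "restrict" lines. WEAK below is constructed input.
BLOCKING = {"noquery", "ignore"}             # either flag refuses ntpq/ntpdc queries
LOCAL = {"127.0.0.1", "::1", "127.127.1.0"}  # the thread's loopback/local-clock lines

def parse_restrict(line):
    """Return (family, address, mask, flags) for a restrict line, else None."""
    tokens = line.split("#", 1)[0].split()   # drop trailing comments
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    family, tokens = "ipv4", tokens[1:]      # assumption: bare default is IPv4 only
    if tokens[0] in ("-4", "-6"):
        family, tokens = ("ipv6" if tokens[0] == "-6" else "ipv4"), tokens[1:]
    if not tokens:
        return None
    address, tokens = tokens[0], tokens[1:]
    if ":" in address:
        family = "ipv6"
    mask = None
    if len(tokens) >= 2 and tokens[0] == "mask":
        mask, tokens = tokens[1], tokens[2:]
    return family, address, mask, set(tokens)

def audit(conf_text):
    """Return (findings, exceptions): weak defaults, and hosts exempt from noquery."""
    defaults, exceptions = {}, []
    for line in conf_text.splitlines():
        entry = parse_restrict(line)
        if entry is None:
            continue
        family, address, mask, flags = entry
        if address == "default":
            defaults[family] = flags         # a later default line replaces an earlier one
        elif address not in LOCAL and not flags & BLOCKING:
            exceptions.append(address + (f" mask {mask}" if mask else ""))
    findings = []
    for family in ("ipv4", "ipv6"):
        if family not in defaults:
            findings.append(f"{family}: no 'restrict default' line")
        elif not defaults[family] & BLOCKING:
            findings.append(f"{family}: default lacks noquery/ignore")
    return findings, exceptions

HARDENED = """restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
restrict 192.168.1.0 mask 255.255.255.0"""
WEAK = "restrict default nomodify notrap"    # constructed: no noquery, no IPv6 default
```

`audit(HARDENED)` reports no findings and lists the 192.168.1.0 network as the only non-local source allowed to query; review that exceptions list to confirm every entry is a network you intend to serve.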
