On Thu, Feb 13, 2014 at 6:33 PM, Jim Reid <[email protected]> wrote:
> What you've done is probably fine. Almost nobody outside your network should
> be querying your NTP servers or answering queries from them. Blocking that
> traffic is unlikely to break anything and it should significantly reduce your
> exposure to DDoS attacks.

Isn't that the point of being in the pool? To answer queries from more than your network? (Or are you referring to administrative queries?)

I am skeptical that blocking ports other than 123 is solving the root of your problem. FWIW, my machine in the pool shows probably at least 50% of the queries (all seemingly legitimate) coming from ports other than 123.

I would wager that the "inordinate amount" of requests you're seeing comes from the monlist DDoS vulnerability that's been discussed here. (Note that you might get some even if you're not vulnerable. Script kiddies aren't always the brightest bulbs out there.) I have one client still hitting me with monlist requests, even though I'm not vulnerable -- and it's using source port 123. (Well, I don't know how many clients it actually is -- but one source IP, surely spoofed.)

The configuration changes discussed down-thread should ensure that you're not vulnerable and aren't inadvertently participating in a DDoS attack. Your outbound bandwidth usage should fall, but the queries attempting to exploit it will keep coming for a while.

You can look at the 'limited' and 'kod' keywords, but keep in mind that they control how many requests you'll *respond* to, not how many you're sent. The clients sending you excessive requests are unlikely to also be the clients that are smart enough to back off when you stop responding. And blocking them at the firewall level is just changing who gets to drop the packets -- your firewall or ntpd.

You can fiddle with your bandwidth preferences for pool traffic, though I'm not sure that abusers are using the pool versus just probing for IPs.
-- Matt

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
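The "configuration changes discussed down-thread" are not reproduced on this page, so the following ntp.conf fragment is an added example of what a hardened pool server would look like, not a config posted by anyone in the thread. Hostnames in the server lines are placeholders. The key points are that `disable monitor` removes the monlist table entirely (so there is nothing to amplify), `noquery` refuses mode 6/7 (ntpq/ntpdc) queries from the Internet while still answering ordinary mode 3 time requests, and `kod`/`limited` only rate-limit what ntpd sends back, which matches the caveat in the post: they do nothing about inbound packets.

```conf
# --- Before: a typical exposed ntp.conf ---
# The monitor facility (which feeds monlist) is on by default, and a
# restrict line without "noquery" answers ntpdc/ntpq queries from anyone.
#   restrict default nomodify notrap

# --- After: hardened pool server ---
# Upstream sources (placeholder names; a pool server should not sync from
# the pool itself).
server ntp1.example.net iburst
server ntp2.example.net iburst

# Turn off the monlist data structure altogether.
disable monitor

# Default policy for everyone else:
#   kod       send Kiss-o'-Death packets to clients that exceed the rate limit
#   limited   enforce the rate limit ("discard" below) on this class of client
#   nomodify  refuse runtime configuration changes via ntpq/ntpdc
#   notrap    refuse mode 6 trap (event logging) requests
#   nopeer    do not let a remote host become a symmetric peer
#   noquery   refuse mode 6/7 queries (ntpq, ntpdc, monlist); time service stays on
# "noserve" is deliberately absent: a pool member must still answer time requests.
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# Rate limit that "limited" applies: minimum 1 (2^1) s between packets from
# one client, average 3 (2^3) s. These values are assumptions; tune for your load.
discard minimum 1 average 3

# Keep full access from localhost so ntpq/ntpdc still work for the admin.
restrict 127.0.0.1
restrict -6 ::1
```

After reloading, `ntpdc -n -c monlist 127.0.0.1` from the host itself should report that the request timed out or was refused, and the same command from an outside host should get no reply at all; the inbound probes will, as the post says, keep arriving regardless.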
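The post makes two observations a pool operator should be able to check for themselves: legitimate client traffic routinely arrives from source ports other than 123, and monlist probes can arrive *from* port 123 with a spoofed source. The script below is an added example (my code, not anything posted in the thread) that classifies NTP request payloads by mode and, for mode 7, by implementation and request code, then splits ordinary client requests by source port. The packets are constructed inline using RFC 5737 documentation addresses; the constants are the ones ntpd uses in ntp_request.h.

```python
"""Triage UDP/123 traffic: ordinary mode 3 time requests versus mode 7
monlist probes. Sample packets are constructed for this example, not
captured from a real server."""
from collections import Counter
from typing import NamedTuple

# Mode 7 ("private") protocol constants from ntpd's ntp_request.h.
IMPL_XNTPD = 3          # implementation number ntpd answers to
REQ_MON_GETLIST = 20    # original monlist request code
REQ_MON_GETLIST_1 = 42  # monlist request code used by most amplification probes


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    payload: bytes


def classify(pkt: Packet) -> str:
    """Label one UDP payload addressed to port 123 by NTP mode."""
    p = pkt.payload
    if not p:
        return "empty"
    version = (p[0] >> 3) & 0x07   # VN field, bits 3-5 of the first byte
    mode = p[0] & 0x07             # mode field, low 3 bits
    if mode == 3:
        # A genuine time request carries the full 48-byte NTP header.
        return "client" if len(p) >= 48 else "client-short"
    if mode == 6:
        return "control"           # ntpq-style control message
    if mode == 7:
        if len(p) < 8:
            return "private-short"
        impl, reqcode = p[2], p[3]
        if impl == IMPL_XNTPD and reqcode in (REQ_MON_GETLIST, REQ_MON_GETLIST_1):
            return "monlist"
        return "private"
    return f"mode-{mode}-v{version}"


def summarize(packets):
    """Counts per label plus the client source-port split the thread discusses."""
    labels = Counter(classify(p) for p in packets)
    from_123 = sum(1 for p in packets if classify(p) == "client" and p.src_port == 123)
    monlist_sources = sorted({(p.src_ip, p.src_port) for p in packets
                              if classify(p) == "monlist"})
    return {
        "labels": dict(labels),
        "client_from_port_123": from_123,
        "client_from_other_ports": labels["client"] - from_123,
        "monlist_sources": monlist_sources,
    }


def ntp_client_request(version: int = 4) -> bytes:
    """Minimal 48-byte mode 3 client packet (LI=0, VN=version, mode=3)."""
    return bytes([(version << 3) | 3]) + b"\x00" * 47


# The 8-byte monlist probe: R=0 M=0 VN=2 mode=7, seq 0, impl 3, request 42.
MONLIST_PROBE = bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1]) + b"\x00" * 4

# Constructed sample traffic (documentation addresses, not real clients).
SAMPLE = [
    Packet("192.0.2.10", 43872, ntp_client_request(4)),   # ordinary client, high port
    Packet("192.0.2.11", 123, ntp_client_request(3)),     # ntpd-to-ntpd style, port 123
    Packet("192.0.2.12", 51023, ntp_client_request(4)),   # another client, high port
    Packet("198.51.100.7", 123, MONLIST_PROBE),           # monlist probe, source port 123
    Packet("198.51.100.7", 123,
           bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST]) + b"\x00" * 4),
    Packet("203.0.113.5", 50000,
           bytes([0x16, 0x02, 0x00, 0x01]) + b"\x00" * 8),  # mode 6 readvar (ntpq)
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(f"{pkt.src_ip}:{pkt.src_port:<6} {classify(pkt)}")
    print(summarize(SAMPLE))
```

Feeding real captures in is a matter of building `Packet` objects from pcap records (e.g. with scapy or dpkt); the classifier itself only needs the first eight bytes of each payload. A spike of `monlist` entries against a server that has `disable monitor`/`noquery` set confirms the post's point that the probes keep coming even after you are no longer vulnerable.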
