Date: Wed, 19 Feb 2014 01:47:25 +0100
From: Polytropon <freebsd@edvax.de>
To: freebsd-questions@FreeBSD.org
Subject: Re: Semi-urgent: Disable NTP replies?
Message-ID: <20140219014725.fec40b4d.freebsd@edvax.de>
In-Reply-To: <5303FCBE.3060106@FreeBSD.org>
References: <2505.1392764000@server1.tristatelogic.com> <5303FCBE.3060106@FreeBSD.org>

On Wed, 19 Feb 2014 00:37:18 +0000, Matthew Seaman wrote:
> On 18/02/2014 22:53, Ronald F. Guilmette wrote:
> > So, um, I've had to put in a new stopgap ipfw rule, just to stop these
> > bloody &^%$#@ NTP reply packets from leaving my server, but what is
> > the Right Way to solve this problem?  I'm guessing that there's
> > something I need to add to my /etc/ntp.conf file in order to tell
> > my local ntpd to simply not accept incoming _query_ packets unless
> > they are coming from my own LAN, yes?  But obviously, I still need it
> > to accept incoming ntp _reply_ packets or else my machine will never
> > know the correct time.
> >
> > Sorry.  The answer I'm looking for is undoubtedly listed in an FAQ
> > someplace, but I am very much on edge right at the moment... because
> > I was basically being DDoS'd by all of this stupid NTP traffic... and
> > thus I'm seeking a quick answer.
>
> Yep.  This is the latest scumbag trick: sending spoofed packets to ntpd
> and using it as an amplifier to do a DDoS against some victim.

For those interested in learning more about how this attack
is being used by scumbags, here are two links to read:

http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack

http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/

In this case, CloudFlare has been declared the victim.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...