From owner-freebsd-questions@FreeBSD.ORG Wed Feb 19 00:47:50 2014
Return-Path:
Delivered-To: freebsd-questions@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C01D33B4 for ; Wed, 19 Feb 2014 00:47:50 +0000 (UTC)
Received: from mx01.qsc.de (mx01.qsc.de [213.148.129.14]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 7EEC7199C for ; Wed, 19 Feb 2014 00:47:50 +0000 (UTC)
Received: from r56.edvax.de (port-92-195-0-90.dynamic.qsc.de [92.195.0.90]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx01.qsc.de (Postfix) with ESMTPS id 552483CC44 for ; Wed, 19 Feb 2014 01:47:48 +0100 (CET)
Received: from r56.edvax.de (localhost [127.0.0.1]) by r56.edvax.de (8.14.5/8.14.5) with SMTP id s1J0lPJq003708 for ; Wed, 19 Feb 2014 01:47:25 +0100 (CET) (envelope-from freebsd@edvax.de)
Date: Wed, 19 Feb 2014 01:47:25 +0100
From: Polytropon
To: freebsd-questions@FreeBSD.org
Subject: Re: Semi-urgent: Disable NTP replies?
Message-Id: <20140219014725.fec40b4d.freebsd@edvax.de>
In-Reply-To: <5303FCBE.3060106@FreeBSD.org>
References: <2505.1392764000@server1.tristatelogic.com> <5303FCBE.3060106@FreeBSD.org>
Organization: EDVAX
X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: Polytropon
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 19 Feb 2014 00:47:50 -0000

On Wed, 19 Feb 2014 00:37:18 +0000, Matthew Seaman wrote:
> On 18/02/2014 22:53, Ronald F. Guilmette wrote:
> > So, um, I've had to put in a new stopgap ipfw rule, just to stop these
> > bloody &^%$#@ NTP reply packets from leaving my server, but what is
> > the Right Way to solve this problem? I'm guessing that there's
> > something I need to add to my /etc/ntp.conf file in order to tell
> > my local ntpd to simply not accept incoming _query_ packets unless
> > they are coming from my own LAN, yes? But obviously, I still need it
> > to accept incoming ntp _reply_ packets or else my machine will never
> > know the correct time.
> >
> > Sorry. The answer I'm looking for is undoubtedly listed in an FAQ
> > someplace, but I am very much on edge right at the moment... because
> > I was basically being DDoS'd by all of this stupid NTP traffic... and
> > thus I'm seeking a quick answer.
>
> Yep. This is the latest scumbag trick: sending spoofed packets to ntpd
> and using it as an amplifier to do a DDoS against some victim.

For those interested in learning more about how this attack is being used
by scumbags, here are two links to read:

http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack

http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/

In this case, CloudFlare has been declared the victim.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
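The ntp.conf restrictions the original poster is asking about, as an added example that is not part of the thread above and not anyone's posted configuration: the `restrict` lines below make ntpd refuse the control queries (ntpq/ntpdc, including the monlist request abused for amplification) from everyone except the LAN, while time replies from the configured upstream servers still arrive, because a reply to the daemon's own outgoing request is not subject to `noquery`. The LAN prefix 192.168.1.0/24 and the pool hostnames are assumptions.

```conf
# Added example (not from the mailing-list thread): /etc/ntp.conf fragment
# that stops ntpd from answering mode 6/7 control queries from outside the
# LAN, which is the amplification vector, while still syncing time.
# Assumptions: LAN is 192.168.1.0/24; the pool hostnames are placeholders.

server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst

# Default policy for every other address, IPv4 and IPv6:
#   noquery  - no ntpq/ntpdc control queries (monlist included)
#   nomodify - no runtime reconfiguration
#   notrap   - no trap service
#   nopeer   - unsolicited hosts cannot become peers
#   kod      - send Kiss-o'-Death packets to hosts that are rate-limited
# Ordinary time requests are still answered; replies from the servers
# listed above are still accepted.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Unrestricted access for the local host.
restrict 127.0.0.1
restrict -6 ::1

# LAN hosts may query status with ntpq but may not reconfigure the daemon.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Disable the monitor list altogether, so there is no monlist data to
# return even to addresses that are allowed to query.
disable monitor
```

After `service ntpd restart`, a check from a LAN host with `ntpq -p <server>` should still show the peer list, while `ntpdc -n -c monlist <server>` should return nothing because of `disable monitor`; from an address covered by the default rule, both should time out. If the stricter goal is to serve no time at all to outsiders, replace the `restrict default` lines with `restrict default ignore` and add one `restrict <upstream-ip> nomodify notrap nopeer noquery` line per upstream server, which is only practical with fixed server addresses rather than a pool.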