Date: Tue, 18 Feb 2014 19:03:26 -0800 From: Waitman Gobble <gobble.wa@gmail.com> To: Polytropon <freebsd@edvax.de> Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org> Subject: Re: Semi-urgent: Disable NTP replies? Message-ID: <CAFuo_fzbNnvSQsABKwWS7%2B45B_kZKRHJPd8KXr8ESFFBbkBuuw@mail.gmail.com> In-Reply-To: <20140219014725.fec40b4d.freebsd@edvax.de> References: <2505.1392764000@server1.tristatelogic.com> <5303FCBE.3060106@FreeBSD.org> <20140219014725.fec40b4d.freebsd@edvax.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Feb 18, 2014 at 4:47 PM, Polytropon <freebsd@edvax.de> wrote: > On Wed, 19 Feb 2014 00:37:18 +0000, Matthew Seaman wrote: > > On 18/02/2014 22:53, Ronald F. Guilmette wrote: > > > So, um, I've had to put in a new stopgap ipfw rule, just to stop these > > > bloody &^%$#@ NTP reply packets from leaving my server, but what is > > > that Right Way to solve this problem? I'm guessing that there's > > > something I need to add to my /etc/ntp.conf file in order to tell > > > my local ntpd to simply not accept incoming _query_ packets unlees > > > they are coming from my own LAN, yes? But obviously, I still need it > > > to accept incoming ntp _reply_ packets or else my machine will never > > > know the correct time. > > > > > > Sorry. The answer I'm looking for is undoubtedly listed in an FAQ > > > someplace, but I am very much on edge right at the moment... because > > > I was basiaclly being DDoS'd by all of this stupid NTP traffic... and > > > thus I'm seeking a quick answer. > > > > Yep. This is the latest scumbag trick: sending spoofed packets to ntpd > > and using it as an amplifier to do a DDoS against some victim. > > For those interested in learning more about how this attack > is being used by scumbags, here are a two links to read: > > > http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack > > > http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/ > > In this case, CloudFlare has been declared the victim. > > > -- > Polytropon > Magdeburg, Germany > Happy FreeBSD user since 4.0 > Andra moi ennepe, Mousa, ... > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to " > freebsd-questions-unsubscribe@freebsd.org" > Hi, The ntpd in src is Ver. 4.2.4p8, it "seems" to ignore some command line options and config file options. for example "-I" .. browsing through the code it looks like this was not completely implemented, there's ground work there though (please correct me if i'm wrong). for example: using ntpd from src: Flg Arg Option-Name Description -4 no ipv4 Force IPv4 DNS name resolution -6 no ipv6 Force IPv6 DNS name resolution - an alternate for ipv4 > ntpd -4 > sockstat | grep ntpd root ntpd 55617 3 dgram -> /var/run/logpriv root ntpd 55617 20 udp4 *:123 *:* root ntpd 55617 21 udp6 *:123 *:* root ntpd 55617 22 udp6 ::1:123 *:* root ntpd 55617 23 udp6 fe80:2::1:123 *:* root ntpd 55617 24 udp4 127.0.0.1:123 *:* root ntpd 55617 25 udp4 192.168.0.153:123 *:* hmmm, it looks like it ignores that flag? if you go fetch a more modern version, it seems to be working > ./ntpd --version ntpd 4.2.7p422@1.2483-o Wed Feb 19 02:43:44 UTC 2014 (5) > ./ntpd -4 > sockstat | grep ntpd root ntpd 55631 3 dgram -> /var/run/logpriv root ntpd 55631 20 udp4 127.0.0.1:123 *:* root ntpd 55631 21 udp4 192.168.0.153:123 *:* root ntpd 55631 23 stream -> ?? root ntpd 55631 24 stream -> ?? however i cannot seem to get --interface or -I to function? > ./ntpd -I lo -4 > sockstat | grep ntpd root ntpd 55996 3 dgram -> /var/run/logpriv root ntpd 55996 20 udp4 *:123 *:* root ntpd 55996 21 udp4 127.0.0.1:123 *:* root ntpd 55996 23 stream -> ?? root ntpd 55996 24 stream -> ?? > ./ntpd -I 127.0.0.1 -4 > sockstat | grep ntpd root ntpd 56032 3 dgram -> /var/run/logpriv root ntpd 56032 20 udp4 *:123 *:* root ntpd 56032 21 udp4 127.0.0.1:123 *:* root ntpd 56032 23 stream -> ?? root ntpd 56032 24 stream -> ?? Hey, one quick hack i found is to kill the 'wildcard' address, in ntpd/ntp_io.c /* * create pseudo-interface with wildcard IPv4 address */ v4wild = ipv4_works; v4wild = NULL; /* kill the wildcard */ then rebuild. if we omit the -I interface it listens to every freakin' thing (well -4 works) > ./ntpd -4 > sockstat | grep ntpd root ntpd 55672 3 dgram -> /var/run/logpriv root ntpd 55672 20 udp4 127.0.0.1:123 *:* root ntpd 55672 21 udp4 192.168.0.153:123 *:* root ntpd 55672 23 stream -> ?? root ntpd 55672 24 stream -> ?? but with -I lo now it's just listening on lo. > ./ntpd -I lo -4 [1161] > sockstat | grep ntpd root ntpd 55666 3 dgram -> /var/run/logpriv root ntpd 55666 20 udp4 127.0.0.1:123 *:* root ntpd 55666 22 stream -> ?? root ntpd 55666 23 stream -> ?? now it's kind-of only listening on ipv4 loooopback i'm using FreeBSD akira.waitman.net 11.0-CURRENT FreeBSD 11.0-CURRENT #1 r261643: Sat Feb 8 22:11:05 PST 2014 root@akira.waitman.net:/usr/obj/usr/src/sys/AKIRA amd64 BUT: a) the firewall approach is probably smarter b) maybe a sealed ntpd isn't necessary anyway, why bother with a daemon? other solutions avail. like ntpdate? what do you think? -- Waitman Gobble San Jose California USA 510-830-7975
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAFuo_fzbNnvSQsABKwWS7%2B45B_kZKRHJPd8KXr8ESFFBbkBuuw>