[ntp:questions] Public ntp-server and reflection-attacks

Michael Sinatra michael at rancid.berkeley.edu
Thu Nov 21 17:12:00 UTC 2013


On 11/21/2013 08:42, Rudolf E. Steiner wrote:
> Hi.
> 
> We have strong reflection-attacks on our public timeserver ("ntpd 4.2.6p5").
> 
> The strange behavior is the server received one packet and sends 100 packets
> to the target.

Yes, this is becoming increasingly common, and everyone operating NTP
servers (not just those that are intended to be public) will need to
take steps to ensure that they are not open to this sort of attack.  The
attacker is asking for something (usually the equivalent of 'ntpdc -c
monlist') that causes your server to respond with lots of data.

[snip]

> This means, the attacker sends _one_ packet and gets _100_ packets to his
> target.
> 
> How can I disable this behavior of ntpd?

There are several ways, but having a basic 'restrict' statement in your
config like this will help mitigate this attack:

restrict default noquery nomodify notrap nopeer
restrict -6 default noquery nomodify notrap nopeer

I believe the key command is 'noquery', which means that the server can't
be queried for information (it does NOT affect the server's ability to
respond to time requests).  However, the other options will also protect
your public time server.  (I am also interested in how others are
locking down public NTP servers.)

michael
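
An added example, not part of the original message: a small Python check that reads ntp.conf text and reports whether the IPv4 and IPv6 default 'restrict' entries block queries as described above. It assumes an unqualified 'restrict default' covers IPv4 only (matching the two-line form in the message) and recognises only the 'default' keyword; the function names and sample configs are constructed for illustration.

```python
# Flags that stop the server answering ntpq/ntpdc queries such as monlist.
# 'ignore' drops every packet, queries included, so it also counts.
BLOCKS_QUERIES = {"noquery", "ignore"}

def default_restrict_flags(conf_text):
    """Collect flags from 'restrict [-4|-6] default ...' lines, per address family.

    A family maps to None when no default line exists for it. Flags from
    repeated default lines are unioned (an assumption of this example).
    """
    flags = {"ipv4": None, "ipv6": None}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop trailing comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        family, rest = "ipv4", tokens[1:]          # assumption: unqualified = IPv4
        if rest[0] in ("-4", "-6"):
            family = "ipv6" if rest[0] == "-6" else "ipv4"
            rest = rest[1:]
        if not rest or rest[0] != "default":
            continue                               # per-host rules are not audited here
        if flags[family] is None:
            flags[family] = set()
        flags[family].update(rest[1:])
    return flags

def audit(conf_text):
    """Return a list of findings; an empty list means both defaults block queries."""
    findings = []
    for family, fl in default_restrict_flags(conf_text).items():
        if fl is None:
            findings.append(f"{family}: no 'restrict default' line")
        elif not fl & BLOCKS_QUERIES:
            findings.append(f"{family}: default restriction lacks noquery")
    return findings

# Constructed sample configs: the two lines from the message, and a weaker variant.
HARDENED = """\
restrict default noquery nomodify notrap nopeer
restrict -6 default noquery nomodify notrap nopeer
"""
OPEN = """\
restrict default nomodify notrap nopeer   # noquery missing
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("HARDENED", HARDENED), ("OPEN", OPEN)):
        print(name, audit(conf) or "ok")
```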


