On Mon, Dec 12, 2011 at 10:01, Dave Hart <[email protected]> wrote:
> On Mon, Dec 12, 2011 at 03:04, John Kristoff <[email protected]> wrote:
> > On Sun, 11 Dec 2011 16:00:21 -0800
> > Ask Bjørn Hansen <[email protected]> wrote:
> >
> >> There needs to be a rule for at least allowing 'query' to everyone.
> >
> > We can add a note that says remove the 'noquery' option for a public
> > server operator, but I'm sure there are some other best practices that
> > we might want to specify a separate config for those folks. If you have
> > sample configs, please send them along.
>
> With ntpd 4.2.6 (even the latest patches) and earlier, 'noquery' is
> the only built-in mitigation for the monlist amplification attack.
> You can craft a firewall rule to block only monlist requests, or all
> mode 7 requests while allowing ntpq's mode 6, of course.
>
> I do value being able to query pool members and other public NTP
> servers, and I encourage upgrading to 4.2.7p26 or later (which never
> respond to monlist queries) or using a packet filter to continue to
> allow ntpq billboard queries while dropping monlist queries.
>
> Any "secure template" configuration likely should have noquery in
> default restrictions, given nearly all ntpd in the wild is vulnerable
> by default to monlist amplification otherwise, sad to say.
>
> Cheers,
> Dave Hart
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool
We also faced such a surge in NTP traffic to one of our servers yesterday, exactly from the IP / port mentioned here, and we mitigated it by a firewall rule at our BW manager (Mikrotik), which restricts any communications to/from UDP 123 to any IP to a max of 64kbps. Mikrotik supports a queuing mechanism called PCQ (per connection queuing) which restricts each connection to the amount specified. I figured any regular NTP client would not need more than 64kbps of speed to get updates.

The attack is still on. The RX is still around 7 Mbps, but the upload is restricted to 64kbps, as the rule mentioned above is intended to do.

Is this 64kbps enough for NTP service to work properly? Is there a Linux Netfilter / IPTables equivalent of PCQ?

Regards
HASSAN
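The mode 6 / mode 7 distinction Dave describes, which a packet filter would key on instead of a blanket UDP/123 bandwidth cap, comes down to a few header bytes. The following is an added example, not code from the thread or from ntpd, showing how such a filter classifies an inbound NTP payload; the request-code constants are the values from ntpd's ntp_request.h, and the sample payloads are constructed for illustration.

```python
# Mode 7 request codes for the monitor list, as defined in ntpd's ntp_request.h
REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42
RESPONSE_BIT = 0x80  # set in byte 0 of a mode 7 reply, clear in a request

def parse_ntp(pkt: bytes) -> dict:
    """Decode the fields a packet filter needs: version, mode and, for
    mode 7 requests, the implementation and request code."""
    if len(pkt) < 4:
        raise ValueError("too short for any NTP header")
    first = pkt[0]
    # byte 0 is LI(2) VN(3) Mode(3); the mode is the low three bits
    info = {"version": (first >> 3) & 0x07, "mode": first & 0x07,
            "impl": None, "reqcode": None, "monlist": False}
    if info["mode"] == 7 and not first & RESPONSE_BIT:
        # private request layout: [R|M|VN|Mode][Auth|Seq][Impl][ReqCode]...
        info["impl"], info["reqcode"] = pkt[2], pkt[3]
        info["monlist"] = info["reqcode"] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1)
    return info

def filter_verdict(pkt: bytes, drop_all_mode7: bool = False) -> str:
    """Return 'accept' or 'drop' for an inbound UDP/123 payload.
    drop_all_mode7=False blocks only monlist (the minimal filter);
    drop_all_mode7=True blocks every mode 7 request but keeps ntpq's mode 6."""
    try:
        info = parse_ntp(pkt)
    except ValueError:
        return "drop"
    if info["mode"] == 7 and (drop_all_mode7 or info["monlist"]):
        return "drop"
    return "accept"

# Constructed sample payloads (not captures from the thread):
CLIENT_POLL = bytes([0x23]) + bytes(47)                   # LI=0 VN=4 mode 3, 48-byte poll
NTPQ_READVAR = bytes([0x16, 0x02]) + bytes(10)            # VN=2 mode 6, opcode 2 (readvar)
MONLIST_REQ = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)  # VN=2 mode 7, impl 3, req 42
OTHER_MODE7 = bytes([0x17, 0x00, 0x03, 0x00]) + bytes(4)  # mode 7, req 0 (REQ_PEER_LIST)

if __name__ == "__main__":
    samples = [("client", CLIENT_POLL), ("ntpq", NTPQ_READVAR),
               ("monlist", MONLIST_REQ), ("mode7-other", OTHER_MODE7)]
    for name, p in samples:
        print(f"{name:12s} minimal={filter_verdict(p):6s} "
              f"strict={filter_verdict(p, drop_all_mode7=True)}")
```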
