Hello Rob and others

On 16.12.2013 23:01, Rob Janssen wrote:
Mouse wrote:

I find it interesting that the misbehaviour stopped almost immediately
upon my stopping NTP service on that address.  (It would be difficult
for me to tell how promptly NTP traffic stopped.)

I think this can be well explained by the fact that the misbehaviour is not from users of ntpd but only from users of different crappy NTP implementations that usually in fact are more like SNTP and do things like issuing a DNS lookup for every time sync, have very short uptimes, and have no possibility for manual configuration.  When you leave the pool and your DNS entry is gone, they very soon have no way to find you anymore.

Please keep in mind that, given the nature of UDP, spoofed NTP requests are also used to hurt a third party (the source IP address you see) through your (or any other Pool) NTP server. You can never be sure whether the IP address making the request really is the real source of the request. To investigate further you would need to ask your upstream provider, who then needs to ask his upstream provider, and so on, to find the real source of these requests.

One explanation for why these requests stop after you remove your server from the Pool could be that the person / organization abusing NTP to hurt somebody else is using the Pool as a source of IP addresses of open NTP servers to abuse for the attack. If they query a huge number of NTP servers with a spoofed source IP address, this can generate a large amount of traffic toward the attacked third party and so fill up their internet connection. The same thing is seen with DNS requests, as they are also UDP. As I already mentioned on another occasion on this list, to get rid of this problem all ISPs should prevent their own networks from sending out packets with spoofed source IP addresses. But this will probably remain a dream. :-(

I am using the kod and limited options equally for any source IP address requesting NTP from my server. I do not care whether these requests come from too many clients behind NAT, who then suffer and do not get time (they should implement their own local NTP servers), or whether it is a spoofed source meant to hurt a third party. I do this mainly for the second case, so that my servers do not take part in attacking a third party (or at least massively limit it). So I recommend that every operator of an NTP server in the Pool (or of any server open to the whole Internet) implement the following options (ntpd):

# should be fixed with ntp-4.2.5p178 (or later), e.g. -4 / -6 not
# needed any more
# see -> https://support.ntp.org/bugs/show_bug.cgi?id=320
restrict -4 default limited kod notrap nomodify nopeer noquery
restrict -6 default limited kod notrap nomodify nopeer noquery
restrict default limited kod notrap nomodify nopeer noquery

I am not sure whether other solutions such as iptables really help, as they probably only add more overhead to your system but cannot keep the traffic from reaching your system / network or stop the attack in the case of a spoofed source IP address.

I left the pool on IPv4 more than 5 years ago, but I still see clients polling my server even though it has changed IP address.  Apparently it has been hardwired in some ntpd config files at that time by getting my IP address from a pool.ntp.org lookup, getting the reverse, and writing that hostname in ntp.conf.

This is probably true, as I also have some other servers in my ntp.conf which I have "acquired" in this way. It is up to you whether to still provide NTP to the outside world or not. If you do not want any more requests from third parties, then you could adjust your ntp.conf to not serve them any more. Over time they will adjust their ntp.conf and remove your server.


bye
Fabian
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
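As an added example, not part of the original message or of ntpd itself, here is a small Python checker that reads an ntp.conf and reports which of the default-restriction flags recommended above (limited, kod, notrap, nomodify, nopeer, noquery) are missing for each address family. It understands the three spellings shown in the post (plain "restrict default", which covers both families on ntp 4.2.5p178 and later, and the older "-4"/"-6" forms) and treats "restrict default ignore" as fully restricted. The two sample configurations are constructed for the demonstration; the function and constant names are my own.

```python
"""Audit an ntp.conf for the default restrict flags recommended in the post.

Added example; not ntpd's own code.  The sample configs below are
constructed for the demonstration and do not come from any real host.
"""

# Flags the post recommends on the default restriction line.
RECOMMENDED = frozenset({"limited", "kod", "notrap", "nomodify", "nopeer", "noquery"})

# Constructed sample: follows the recommendation (single-line form).
GOOD_CONF = """\
driftfile /var/lib/ntp/ntp.drift
# default: rate limit, send KoD, no control queries, no modification
restrict default limited kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
server 0.pool.ntp.org iburst
"""

# Constructed sample: older -4/-6 form that lacks rate limiting and noquery.
WEAK_CONF = """\
restrict -4 default nomodify notrap
restrict -6 default nomodify notrap
server 0.pool.ntp.org
"""


def parse_default_restricts(conf_text):
    """Return {family: set(flags)} for every 'restrict [-4|-6] default' line.

    family is '-4', '-6' or 'any' (plain 'restrict default', which on
    ntp 4.2.5p178 and later applies to both IPv4 and IPv6).
    """
    result = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = "any"
        if tokens and tokens[0] in ("-4", "-6"):
            family = tokens.pop(0)
        if not tokens or tokens[0] != "default":
            continue  # host- or network-specific restrict, not the default
        result[family] = set(tokens[1:])
    return result


def audit(conf_text):
    """Return {family: sorted list of recommended flags that are missing}.

    With no default restrict line at all, ntpd applies no restriction to
    unknown sources, so every recommended flag is reported missing under
    'any'.  'ignore' denies everything, so nothing further is missing.
    """
    restricts = parse_default_restricts(conf_text)
    if not restricts:
        return {"any": sorted(RECOMMENDED)}
    report = {}
    for family, flags in restricts.items():
        if "ignore" in flags:
            report[family] = []
        else:
            report[family] = sorted(RECOMMENDED - flags)
    return report


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, audit(conf))
```

To run it against a real file, replace the constructed strings with the contents of /etc/ntp.conf (or wherever your ntpd reads its configuration); an empty list for every family means the default restriction already carries all six recommended flags.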