Hello David

On 01.03.14 18:51, David Thistlethwaite wrote:
> Hello folks, I need some assistance
> About every 2-3 months I get between 2-5 clients that are pulling MB/s
> from my ntp server and it completely saturates my pipe.
>
> Any ideas how to prevent/resolve this ?

As discussed many times on this mailing list over the last few weeks, this is probably from a reflection and/or an amplified reflection attack with spoofed source IP addresses to hurt a third system.

You need to fix your restrict default lines in your ntpd configuration; use these options:

restrict -4 default limited kod notrap nomodify nopeer noquery
restrict -6 default limited kod notrap nomodify nopeer noquery
restrict default limited kod notrap nomodify nopeer noquery

The 'limited' is needed to only reply to a certain amount of requests (and not to all) from the same IP address. And the 'noquery' is needed to disable remote requests for larger replies (e.g. the monlist or other status information) but does not disable normal clients requesting the time.

To test if your server does reply to the 'monlist' query, you should test from a remote system with:

ntpdc -c monlist <your-ntp-server>

Depending on how many systems synchronize time with your server, this list could be rather large (up to or more than 600 lines).


bye
Fabian
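As an added defender-side check (not part of Fabian's mail), here is a POSIX shell script that audits an ntp.conf text for the 'restrict default' lines recommended above and reports which of the listed flags are missing. The two sample configurations inside it are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed example (not from the mailing list): audit the 'restrict default'
# lines of an ntp.conf for the flags recommended in the mail. Sample configs are made up.
REQUIRED_FLAGS="limited kod notrap nomodify nopeer noquery"

# Print the required flags absent from one restrict line (whitespace normalised).
missing_flags() {
    line=$(printf '%s' "$1" | tr '\t' ' ' | tr -s ' ')
    missing=""
    for flag in $REQUIRED_FLAGS; do
        case " $line " in
            *" $flag "*) ;;                       # flag present
            *) missing="$missing $flag" ;;        # flag absent
        esac
    done
    printf '%s' "${missing# }"
}

# Audit a whole config passed as one string (comments stripped). Returns 0 when every
# 'restrict [-4|-6] default' line has all flags, 1 if one lacks flags, 2 if none exists.
audit_restrict() {
    lines=$(printf '%s\n' "$1" | sed 's/#.*//; s/[[:space:]]*$//' \
        | grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' || true)
    if [ -z "$lines" ]; then
        echo "NO 'restrict default' line: ntpd answers every query, monlist included"
        return 2
    fi
    bad=0
    while IFS= read -r line; do            # heredoc keeps the loop in this shell
        [ -z "$line" ] && continue
        m=$(missing_flags "$line")
        if [ -n "$m" ]; then
            printf 'WEAK: %s (missing: %s)\n' "$line" "$m"; bad=1
        else
            printf 'OK:   %s\n' "$line"
        fi
    done <<EOF
$lines
EOF
    return $bad
}

WEAK_CONF='restrict default kod nomodify    # no limited/noquery: monlist is answered
restrict -6 default nomodify'
FIXED_CONF='restrict -4 default limited kod notrap nomodify nopeer noquery
restrict -6 default limited kod notrap nomodify nopeer noquery'
for c in "$WEAK_CONF" "$FIXED_CONF"; do
    audit_restrict "$c" && echo "-> hardened" || echo "-> needs fixing"
done
```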
_______________________________________________
pool mailing list
http://lists.ntp.org/listinfo/pool