Jure Sah <dustwo...@gmail.com> wrote: > > Hello, > > I am an administrator of a public NTP server joined to "pool.ntp.org". > Our server has recently been an unwilling party to a NTP UDP based > bounce attack and have received the report attached below. > > I would like to continue offering my server in the pool, but I would > also like to secure my server configuration to prevent such attacks in > the future. I am unsure as to what exactly to do, as some of what is > suggested below (for example, turning off UDP support on the time > server) would most likely result in problems for pool users, if not > invalidate my NTP server for use in the pool altogether. I would like > my server to still be as useful as possible for everybody. > > I am using ntpd version 4.2.6p3. I have searched trough the > www.pool.ntp.org website on the subject and could not find any general > recommendation for a secure setup, however I might not have been > looking in the right places. > > Could anyone please help? > > LP, > Jure > > - --------------- attack report: > Date: 2013/12/23 > > You are running a public, high-numbered-stratum NTP server that > participated a very large-scale attack against a customer of ours this > morning, generating UDP responses to spoofed requests with bogus > timestamps that claimed to be from the attack target.
The sender of this report does not really have a clue. However, you should investigate if your server is or has been running unsynchronized. If it is, it does not belong in the pool. If not, maybe it temporarily went unsynchronized due to the heavy network traffic because of the attack? Hopefully you keep enough logging and monitoring info to check this. Reflection attacks should not really be possible when you change the config as mentioned in the other posting. _______________________________________________ questions mailing list questions@lists.ntp.org http://lists.ntp.org/listinfo/questions
