On 2014-06-18 13:32, E-Mail Sent to this address will be added to the BlackLists wrote:
<http://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse>

[email protected] wrote:
Is there a suggested way to rate-limit queries by broken clients?

Firewall rules?
  {Depends how broken the remote client is;
    sometimes this makes them hammer more.
    If you can get your ISP to block them at the ISP's end,
     at least it won't cost you bandwidth.}

Use a unique subdomain for your ntp server,
  so you can make it resolve to something else,
   or not resolve if needed.


Are there any other techniques people have found to be helpful?

<https://manage.ntppool.org/manage/servers>
  Set connection Speed
   set it to something lower, 384K?
    and wait _many_ weeks then redo your statistics.


restrict -4 default limited kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 default limited kod nomodify notrap nopeer noquery
restrict ::1
restrict 224.0.1.1 mask 255.255.255.255 nomodify
restrict aa.bb.cc.dd  mask ww.xx.yy.zz nomodify # your LAN
restrict source nomodify

FYI thought this could be handy info, but untested as I do not have a static IP:

# Linux kernel 2.3.15+ CONFIG_NETFILTER `Y'
# iptables/ip6tables
# http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html
# NTP monlist LOG rule 1/minute
# (u32 expression: 0>>22&0x3C is the IPv4 header length in bytes, @8 skips the
#  UDP header, and the low byte of the first NTP word is the mode-7 request
#  code; 42 = MON_GETLIST_1. PREROUTING exists in the raw/mangle/nat tables,
#  not in filter, so load these with -t raw or use INPUT instead.)
-A PREROUTING -p udp -m udp --dport ntp \
        -m u32 --u32 "0>>22&0x3C@8&0xFF=42" -m limit --limit 1/m --limit-burst 1 \
        -j LOG --log-prefix "BLOCKED: NTPMONLIST"
# NTP monlist DROP rule
-A PREROUTING -p udp -m udp --dport ntp -m u32 --u32 "0>>22&0x3C@8&0xFF=42" -j DROP
# NTP input drop more than 8p/16s => 10p/20s
# modprobe.conf - options xt_recent ip_list_tot=10000 ip_pkt_list_tot=12
# insmod  xt_recent
# modinfo xt_recent
# or
# echo 10000 > /sys/module/xt_recent/parameters/ip_list_tot
# echo 12 > /sys/module/xt_recent/parameters/ip_pkt_list_tot
-A INPUT -p udp -m udp --dport ntp -m recent --name ntprate --rsource --set
# NTP drop more than 8p/16s => 10p/20s LOG rule 1/minute
-A INPUT -p udp -m udp --dport ntp \
        -m recent --name ntprate --rsource --update --seconds 20 --hitcount 10 \
        -m limit --limit 1/m --limit-burst 1 \
        -j LOG --log-prefix "DROPPED: NTPRATE"
# NTP drop more than 8p/16s => 10p/20s DROP rule
-A INPUT -p udp -m udp --dport ntp \
        -m recent --name ntprate --rsource --check --seconds 20 --hitcount 10 \
        -j DROP
# check /proc/net/xt_recent/ntprate
# NTP accept NEW,ESTABLISHED
-A INPUT -p udp -m udp --dport ntp -m state --state NEW -j ACCEPT
-A INPUT -p udp --sport ntp -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp --dport ntp -m state --state NEW,ESTABLISHED -j ACCEPT

# HeartBleed LOG rule 1/minute
-A INPUT -p tcp --dport https \
        -m u32 --u32 "52=0x18030000:0x1803FFFF" -m limit --limit 1/m \
        -j LOG --log-prefix "BLOCKED: HEARTBEAT"
# HeartBleed DROP rule
-A INPUT -p tcp --dport https -m u32 --u32 "52=0x18030000:0x1803FFFF" -j DROP

# HeartBleed Wireshark rules
#tshark -i interface port https -R 'frame[68:1] == 18'
#tshark -i interface port https -R 'ssl.record.content_type == 24'


--
Take care. Thanks, Brian Inglis
_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
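The rules in the post inspect packet bytes that are easy to get wrong by hand, so here is an added, offline model of what they match. This is not code from the ntp.org list or the Team Cymru template: it is a Python re-statement of the two u32 expressions and of the xt_recent "--set / --check --seconds 20 --hitcount 10" window, run over constructed IPv4/UDP packets (the addresses, ports and timings are made up for the example) so the decisions can be checked without a kernel.

```python
"""Constructed, offline model of what the iptables rules in the post inspect.

Not the project's code: a Python re-statement of the u32 matches and the
xt_recent rate window so the logic can be tested against sample packets.
"""
import ipaddress
import struct
from collections import defaultdict, deque

NTP_PORT = 123
REQ_MON_GETLIST_1 = 42      # ntpd mode-7 request code that the u32 rule matches
TLS_HEARTBEAT = 0x18        # TLS record content type 24


def build_ipv4_udp(payload, src="198.51.100.7", dst="203.0.113.1",
                   sport=40000, dport=NTP_PORT, ihl_words=5):
    """Minimal IPv4+UDP datagram (checksums left zero; fine for offline parsing).
    ihl_words > 5 appends IP options so the IHL-dependent offset is exercised."""
    options = b"\x00" * (4 * (ihl_words - 5))
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl_words, 0, ihl_words * 4 + 8 + len(payload),
                     0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed) + options
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip + udp + payload


def ntp_mode7_request(reqcode, impl=3):
    """Private-mode NTP request header: R/M/VN/Mode, auth/seq, implementation, request code."""
    return bytes([(2 << 3) | 7, 0, impl, reqcode]) + b"\x00" * 4


def ntp_client_request():
    """Ordinary 48-byte NTPv4 client packet (LI=0, VN=4, Mode=3)."""
    return bytes([(4 << 3) | 3]) + b"\x00" * 47


def u32_monlist_match(pkt):
    """Equivalent of --u32 "0>>22&0x3C@8&0xFF=42".
    word0>>22&0x3C is the IPv4 header length in bytes; +8 skips the UDP header;
    the low byte of the first NTP word is the mode-7 request code."""
    if len(pkt) < 4:
        return False
    ihl_bytes = (struct.unpack("!I", pkt[:4])[0] >> 22) & 0x3C
    base = ihl_bytes + 8
    if len(pkt) < base + 4:
        return False            # u32 does not match when the load runs off the packet
    return (struct.unpack("!I", pkt[base:base + 4])[0] & 0xFF) == REQ_MON_GETLIST_1


def u32_heartbeat_match(pkt):
    """Equivalent of --u32 "52=0x18030000:0x1803FFFF": the 4 bytes at absolute
    offset 52 are a TLS record header with type 0x18 and major version 3.
    Offset 52 only lines up with a 20-byte IP header plus a 32-byte TCP header."""
    if len(pkt) < 56:
        return False
    word = struct.unpack("!I", pkt[52:56])[0]
    return 0x18030000 <= word <= 0x1803FFFF


class RecentLimiter:
    """Model of xt_recent: --set records a hit, --check --seconds S --hitcount N
    matches when at least N hits from the source fall inside the last S seconds.
    pkt_list_tot is the per-address history depth from the modprobe option."""
    def __init__(self, seconds=20, hitcount=10, pkt_list_tot=12):
        self.seconds, self.hitcount = seconds, hitcount
        self.hits = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def record(self, src, now):                      # --set
        self.hits[src].append(now)

    def over_limit(self, src, now):                  # --check
        return sum(1 for t in self.hits[src] if now - t <= self.seconds) >= self.hitcount


def classify(pkt, limiter, now):
    """Walk the rules in the post's order: monlist DROP first, then the
    INPUT --set / --check pair, then ACCEPT."""
    if u32_monlist_match(pkt):
        return "DROP:NTPMONLIST"
    src = str(ipaddress.ip_address(pkt[12:16]))
    limiter.record(src, now)
    if limiter.over_limit(src, now):
        return "DROP:NTPRATE"
    return "ACCEPT"


def simulate():
    """Constructed traffic: a monlist probe (with IP options), then 12 normal
    polls from one client 1 s apart, then one poll after a long pause."""
    limiter = RecentLimiter()
    results = []
    probe = build_ipv4_udp(ntp_mode7_request(REQ_MON_GETLIST_1), ihl_words=6)
    results.append(classify(probe, limiter, 0.0))
    poll = build_ipv4_udp(ntp_client_request())
    for i in range(12):
        results.append(classify(poll, limiter, 1.0 + i))
    results.append(classify(poll, limiter, 60.0))
    return results


if __name__ == "__main__":
    for r in simulate():
        print(r)
```

Two things the model makes visible: because "--set" runs before "--check" in the INPUT chain, the tenth packet inside the 20 s window is the first one dropped, and the client is let through again once its old hits age out. The IHL-based offset in "0>>22&0x3C" only makes sense for IPv4; IPv6 has no header-length field, so the same u32 string cannot be reused unchanged in ip6tables. Likewise the Heartbleed match at fixed offset 52 assumes a 32-byte TCP header and will silently miss records behind other option layouts.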
