Background
Bad guys have begun using the NTP monlist query to perform denial-of-service (DoS) amplification attacks. This page describes how to configure your ntpd to disable queries, to prevent it from being used in these attacks. Although current attacks are using monlist, it is possible future attacks could use some other query type.
Cyber security requires all ntpd at the Lab to disable queries or limit them to particular subnets or hosts. Hosts not restricting ntpd may be blocked.
Disable Queries (recommended)
Modify your ntp.conf file, which is usually located in /etc. Add the "noquery" flag to the restrict statement in the configuration file. Below is an example of a minimal configuration file with the noquery option set. Next, restart the ntp daemon, typically with "service ntpd restart".
restrict default nopeer nomodify notrap noquery
restrict 127.0.0.1
If you need additional help configuring or restarting ntpd for your operating system, try Google. If that fails, we can help you at security@lbl.gov.
Verification
You can verify that queries are disallowed by attempting peers, monlist, and reslist queries from a remote computer and confirming that no results are received. For example, below is the output from a properly configured ntpd; notice that it returns no results when the ntpdc commands are issued.
Properly Configured
ntpdc -c monlist <yourhost.lbl.gov>
yourhost.lbl.gov: timed out, nothing received
ntpdc -c peers <yourhost.lbl.gov>
yourhost.lbl.gov: timed out, nothing received
ntpdc -c reslist <yourhost.lbl.gov>
yourhost.lbl.gov: timed out, nothing received
Incorrectly Configured
ntpdc -c monlist <yourhost.lbl.gov>
remote address          port local address      count m ver code avgint  lstint
===========================================================================
<host>                   123 <IP>                 581 4 4      0    887     962
<host>                   123 <IP>               10786 4 3      0    355      73
ntpdc -c peers <yourhost.lbl.gov>
     remote           local      st poll reach  delay   offset    disp
=======================================================================
<host>          5.0.0.0         16   64    0 0.00000  0.000000 16.0000
ntpdc -c reslist <yourhost.lbl.gov>
   address          mask            count     flags
=====================================================================
<host>         255.255.255.255        0 ntpport, interface, ignore
Other Alternatives
In some situations (we are not aware of many) it may be required to allow remote computers to perform queries. In this case, you should modify ntp.conf to use the restrict statement to limit queries to specified subnets or hosts. The more restrictive, the better. Allowing queries from all of the Internet or all of LBLnet is not allowed.
Limit Queries
# Default policy prevents queries
restrict default nopeer nomodify notrap noquery
# Allow queries from a particular subnet (no noquery flag on this line)
restrict 131.243.x.0 mask 255.255.255.0 nopeer nomodify notrap
# Allow queries from a particular host (no noquery flag on this line)
restrict 131.243.x.x nopeer nomodify notrap
# Unrestrict localhost
restrict 127.0.0.1
Limit IPv6 Queries
Are you ready for IPv6? The Lab has not yet widely deployed IPv6. As IPv6 is deployed, additional configuration is required to limit queries to specific IPv6 hosts and subnets; an example is below.
# Default policy prevents queries
restrict -6 default nopeer nomodify notrap noquery
# Allow queries from a specific v6 subnet (no noquery flag on this line)
restrict -6 2620:83:8000:x:: mask ffff:ffff:ffff:ffff:: nopeer nomodify notrap
# Allow queries from a specific v6 host (no noquery flag on this line)
restrict -6 2620:83:8000:x::64 nopeer nomodify notrap
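To check an existing ntp.conf against the policy in the "Disable Queries", "Limit Queries" and "Limit IPv6 Queries" sections before restarting ntpd, the following script parses the restrict lines and reports a default rule that lacks noquery (or is missing) and every non-loopback target that may still query. It is an added example, not a tool from the Lab; the sample configs are constructed, and it assumes a bare "restrict default" covers both address families (older ntpd needed the separate "restrict -6 default" shown above).

```python
# Added example (not LBL's tool): audit ntp.conf "restrict" lines against the
# policy above. Sample configs below are constructed, not from a real host.

def parse_restrict(text):
    """Return (family, target, flags) per restrict line; family is 'ipv4',
    'ipv6', or 'any' when the line carries neither -4 nor -6."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split()          # strip comments
        if len(line) < 2 or line[0] != "restrict":
            continue
        toks, family = line[1:], "any"
        if toks[0] in ("-4", "-6"):
            family, toks = ("ipv4" if toks[0] == "-4" else "ipv6"), toks[1:]
        if not toks:
            continue
        target, toks = toks[0], toks[1:]
        if len(toks) >= 2 and toks[0] == "mask":     # "addr mask m" form
            target, toks = f"{target}/{toks[1]}", toks[2:]
        rules.append((family, target, frozenset(toks)))
    return rules

def audit(text):
    """findings: default-rule violations; query_allowed: non-loopback targets
    without noquery, which the policy says must be specific hosts/subnets."""
    findings, query_allowed, default_flags = [], [], {}
    for family, target, flags in parse_restrict(text):
        if target == "default":
            default_flags[family] = flags
        elif "noquery" not in flags and target not in ("127.0.0.1", "::1"):
            query_allowed.append(target)
    # Assumption: a bare "restrict default" covers both families; older ntpd
    # needed a separate "restrict -6 default" as in the IPv6 section above.
    for fam in ("ipv4", "ipv6"):
        flags = default_flags.get(fam, default_flags.get("any"))
        if flags is None:
            findings.append(f"{fam}: no 'restrict default' line, queries allowed")
        elif "noquery" not in flags:
            findings.append(f"{fam}: 'restrict default' lacks noquery")
    return findings, query_allowed

GOOD_CONF = """\
restrict default nopeer nomodify notrap noquery
restrict 131.243.1.0 mask 255.255.255.0 nopeer nomodify notrap
restrict -6 default nopeer nomodify notrap noquery
restrict 127.0.0.1
"""
OPEN_CONF = "restrict default nopeer nomodify notrap\nrestrict 127.0.0.1\n"
```

Run audit() on the text of /etc/ntp.conf: an empty findings list and a query_allowed list containing only your intended hosts or subnets is what the policy requires.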