[168154] in North American Network Operators' Group


OpenNTPProject.org

daemon@ATHENA.MIT.EDU (Jared Mauch)
Mon Jan 13 16:07:51 2014

From: Jared Mauch <jared@puck.nether.net>
Date: Mon, 13 Jan 2014 16:07:28 -0500
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Greetings,

With the recent increase in NTP attacks, I wanted to advise the community of a few things:

There are about 1.2-1.5 million of these servers out there.

1) You can search your IP space to find NTP servers that respond to the ‘MONLIST’ queries.

2) I’ve found some vendors have old embedded versions of NTP including ILO/Service Processors and other parts of the “internet of things”.

3) You want to upgrade NTP, or adjust your ntp.conf to include ‘limited’ or ‘restrict’ lines or both.  (I defer to someone else to be an expert in this area, but am willing to learn :) )

4) Please prevent packet spoofing where possible on your network.  This will limit the impact of spoofed NTP or DNS (amongst others) packets on the broader community.

5) Some vendors don’t have an easy way to alter the ntp configuration, or have not or won’t be updating NTP; you may need to use ACLs, firewall filters, or other methods to block this traffic.  I’ve heard of many routers being used in attacks impacting the CPU usage.

Take a moment and see if your devices respond to the following query/queries:

ntpdc -n -c monlist 10.0.0.1
ntpdc -n -c loopinfo 10.0.0.1
ntpdc -n -c iostats 10.0.0.1

6) If you do VMs/Servers and have a template, please make sure that they do not respond to NTP requests.

Thanks!

- Jared
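The following is an added example and not part of Jared's post: a small POSIX shell script that runs the same `ntpdc -n -c monlist` check from the message over a list of your own hosts, flags the ones that still answer, and prints the ntp.conf `restrict` lines that close the hole on a server you control. It assumes `ntpdc` from ntp 4.2.x is on the PATH and that coreutils `timeout` is available (ntpdc has no timeout flag of its own); the host list and the two sample ntpdc outputs in the script are constructed for illustration, as is the `hosts.txt` file name.

```shell
#!/bin/sh
# Added example, not from the original post: sweep hosts with the monlist
# query, classify the answer, and show the ntp.conf lines that stop it.
# Assumptions: ntpdc (ntp 4.2.x) and coreutils 'timeout' are installed.

# Constructed sample: what ntpdc prints when a server still serves monlist.
# The table header is the tell-tale; a real answer carries many more rows.
SAMPLE_OPEN='remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
203.0.113.7            47155 198.51.100.20        1 7 2      0      0       3'

# Constructed sample: what ntpdc prints when the server is restricted
# (noquery) or monlist has been removed from a newer ntpd.
SAMPLE_CLOSED='10.0.0.1: timed out, nothing received
***Request timed out'

# Return 0 if the captured ntpdc output shows the host answered monlist
# (so it can be used as an amplifier), 1 otherwise.
monlist_responds() {
    case "$1" in
        *"remote address"*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Query one host; coreutils 'timeout' bounds the wait since ntpdc cannot.
check_host() {
    out=$(timeout 10 ntpdc -n -c monlist "$1" 2>&1)
    if monlist_responds "$out"; then
        printf '%s OPEN: answers monlist, patch, restrict or filter it\n' "$1"
    else
        printf '%s ok: no monlist response\n' "$1"
    fi
}

# Read one host or IP per line on stdin, e.g.:  sweep < hosts.txt
sweep() {
    while read -r host; do
        [ -n "$host" ] && check_host "$host"
    done
}

# ntp.conf lines for a server you control. 'noquery' refuses ntpdc/ntpq
# queries including monlist; 'kod' and 'limited' rate-limit clients that
# exceed the discard thresholds; 'disable monitor' switches off the monitor
# list that monlist reads from, so even an old ntpd has nothing to return.
hardened_restrict_lines() {
    cat <<'EOF'
restrict default kod nomodify notrap nopeer noquery limited
restrict -6 default kod nomodify notrap nopeer noquery limited
restrict 127.0.0.1
restrict -6 ::1
disable monitor
EOF
}

# Self-check of the classifier against the constructed samples.
monlist_responds "$SAMPLE_OPEN"   && echo 'sample open   -> flagged'
monlist_responds "$SAMPLE_CLOSED" || echo 'sample closed -> clean'
```

Feed `sweep` the address list for your own ranges (`sweep < hosts.txt`) and apply `hardened_restrict_lines` to the ntp.conf of anything flagged; where the device cannot be reconfigured, the same list is the input for the ACLs or firewall filters the post mentions.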

