[168156] in North American Network Operators' Group


Re: OpenNTPProject.org

daemon@ATHENA.MIT.EDU (Bjoern A. Zeeb)
Mon Jan 13 16:33:50 2014

From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
In-Reply-To: <CAAf7UomfGfm99w1hav67dPcaYp8Ote4ex-ncdbHKTb__yO6FPQ@mail.gmail.com>
Date: Mon, 13 Jan 2014 21:33:14 +0000
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 13 Jan 2014, at 21:13 , Derek Andrew <Derek.Andrew@usask.ca> wrote:

> nmap -sU -pU:123 -Pn -n --script=ntp-monlist serverIP

Make that “all server IPs” if on different subnets, address families, ...


> On Mon, Jan 13, 2014 at 3:07 PM, Jared Mauch <jared@puck.nether.net> wrote:
>
>> 4) Please prevent packet spoofing where possible on your network.  This
>> will limit the impact of spoofed NTP or DNS (amongst others) packets from
>> impacting the broader community.

BCP38!  I am always surprised when people need crypto if they fail the simple things.


>> 5) Some vendors don’t have an easy way to alter the ntp configuration, or
>> have not or won’t be updating NTP, you may need to use ACLs, firewall
>> filters, or other methods to block this traffic.  I’ve heard of many
>> routers being used in attacks impacting the CPU usage.
>>
>> Take a moment and see if your devices respond to the following
>> query/queries:
>>
>> ntpdc -n -c monlist 10.0.0.1
>> ntpdc -n -c loopinfo 10.0.0.1
>> ntpdc -n -c iostats 10.0.0.1

And no matter if you use the above nmap or these instructions to check, also check your IPv6 addresses!
You need 'restrict -6 default ignore' lines or similar as well, not just a restrict default ignore.


—
Bjoern A. Zeeb
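
The IPv6 point in the message above, as an added example that is not part of the original post: a shell check that reads ntp.conf text and reports, per address family, whether the default restrict rule blocks ntpdc/ntpq queries. It assumes, as the message states, that IPv4 and IPv6 defaults are set by separate lines; the function name, sample configs and hostname are constructed for illustration.

```shell
#!/bin/sh
# audit_ntp_restrict (hypothetical helper): read ntp.conf text on stdin and
# print one line per address family: "<family> ok|open|missing".
#   ok      = default rule carries ignore or noquery
#   open    = default rule exists but still answers queries
#   missing = no default rule for that family at all
audit_ntp_restrict() {
    awk '
    BEGIN { st["ipv4"] = "missing"; st["ipv6"] = "missing" }
    { sub(/#.*/, "") }                  # strip comments, fields are re-split
    $1 != "restrict" { next }
    {
        fam = "ipv4"; i = 2
        if ($i == "-6") { fam = "ipv6"; i++ }
        else if ($i == "-4") { i++ }
        if ($i != "default") next       # only default rules are audited
        blocked = 0
        for (j = i + 1; j <= NF; j++)
            if ($j == "ignore" || $j == "noquery") blocked = 1
        # the last default line seen for a family is the one reported
        st[fam] = blocked ? "ok" : "open"
    }
    END { print "ipv4", st["ipv4"]; print "ipv6", st["ipv6"] }
    '
}

# Constructed sample: IPv4 default locked down, IPv6 default forgotten.
SAMPLE_V4_ONLY='# constructed ntp.conf
restrict default ignore
restrict 127.0.0.1
server ntp.example.net iburst'

# Constructed sample: IPv6 blocks queries, IPv4 default lacks noquery.
SAMPLE_V4_OPEN='restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery   # v6 is fine
restrict -6 ::1'

echo "== v4-only config =="
printf '%s\n' "$SAMPLE_V4_ONLY" | audit_ntp_restrict
echo "== v4-open config =="
printf '%s\n' "$SAMPLE_V4_OPEN" | audit_ntp_restrict
```

Feed it a real file with `audit_ntp_restrict < /etc/ntp.conf`; any family not reported as `ok` should then be confirmed with the queries quoted in the message.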


