[169142] in North American Network Operators' Group
Re: OpenNTPProject.org
daemon@ATHENA.MIT.EDU (Pete Ashdown)
Sun Feb 16 13:29:49 2014
Date: Sun, 16 Feb 2014 11:29:17 -0700
From: Pete Ashdown <pashdown@xmission.com>
To: NANOG list <nanog@nanog.org>
In-Reply-To: <CAAf7UomfGfm99w1hav67dPcaYp8Ote4ex-ncdbHKTb__yO6FPQ@mail.gmail.com>
X-SA-Exim-Mail-From: pashdown@xmission.com
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Just in case you run a legitimate open NTP server, this iptables stanza
helps immensely:
## rate limit ntp
# NTP chain: per-source rate check for inbound UDP/123.
# BLACKHOLE chain: remember the offender in the "ntpv4blackhole" list, then drop.
$IPTABLES -N NTP
$IPTABLES -N BLACKHOLE
$IPTABLES -A BLACKHOLE -m recent --set --name ntpv4blackhole --rsource
$IPTABLES -A BLACKHOLE -j DROP
# source already has 20 hits in the "ntpv4" list within the last 5 seconds -> blackhole it
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name ntpv4 --rsource -j BLACKHOLE
# source already blackholed (2 or more hits in the last 5 seconds) -> drop
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name ntpv4blackhole --rsource -j DROP
# otherwise record the packet in the "ntpv4" list and accept it
$IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT
# send all inbound UDP/123 through the NTP chain
$IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP
I've found that blocking TCP destination NTP to client servers/networks
blocks legitimate NTP synchronization for their clients. Although I
wish they'd all just use my on-network NTP server, I can't assume they
will. Does anyone have a list or source of pool and vendor
(Apple/Microsoft/etc) servers so I can permit based on source before
blocking based on destination port?
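As an added illustration (my own Python, not part of Pete's post or of iptables itself), here is a model of how the `-m recent` rules in the stanza above behave over time. It assumes a simplified xt_recent: each source keeps a fixed-size ring of timestamps (20 entries here), and an `--update` rule records the current packet only when it matches. The addresses and the traffic pattern are constructed.

```python
from collections import Counter, deque

# Modelled ring size per source. The real limit comes from the ip_pkt_list_tot
# module parameter (older kernels) or from --hitcount itself (newer ones).
RING_SIZE = 20

class RecentList:
    """Simplified model of one `-m recent` list keyed by source address."""
    def __init__(self, max_stamps=RING_SIZE):
        self.stamps = {}  # src -> ring of packet timestamps (seconds)
        self.max_stamps = max_stamps

    def set(self, src, now):
        """--set: add the source, or record one more timestamp for it."""
        self.stamps.setdefault(src, deque(maxlen=self.max_stamps)).append(now)

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match if the source already has N
        or more timestamps inside S seconds; only a match records the packet."""
        ring = self.stamps.get(src)
        if ring is None or sum(now - t <= seconds for t in ring) < hitcount:
            return False
        ring.append(now)
        return True

def ntp_chain(src, now, ntpv4, blackhole):
    """Verdict of the posted NTP chain for one UDP/123 packet from src."""
    if ntpv4.update(src, now, seconds=5, hitcount=20):
        blackhole.set(src, now)  # BLACKHOLE chain: --set, then DROP
        return "BLACKHOLE"
    if blackhole.update(src, now, seconds=5, hitcount=2):
        return "DROP"
    ntpv4.set(src, now)
    return "ACCEPT"

def simulate(packets):
    """Feed (time, src) packets through the chain; count verdicts per source."""
    ntpv4, blackhole = RecentList(), RecentList()
    counts = {}
    for now, src in sorted(packets):
        verdict = ntp_chain(src, now, ntpv4, blackhole)
        counts.setdefault(src, Counter())[verdict] += 1
    return counts

# Constructed traffic: a client polling every 64 s, and an abuser sending 100
# queries in one second, then one more query 10 s after it stopped.
SAMPLE = [(64 * i, "203.0.113.5") for i in range(10)]
SAMPLE += [(0.01 * i, "198.51.100.7") for i in range(100)]
SAMPLE += [(11.0, "198.51.100.7")]
```

Running simulate(SAMPLE) shows the poller accepted every time, the abuser accepted for its first 20 queries and blackholed for the other 80, and then accepted again at t=11 because both rules share --seconds 5 and nothing keeps the blackhole entry alive once the source goes quiet. A longer quarantine needs a longer window on the ntpv4blackhole rule.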