[186745] in North American Network Operators' Group


Re: Fwd: port 123 reflection attacks

daemon@ATHENA.MIT.EDU (Randy Bush)
Wed Dec 30 21:16:19 2015

X-Original-To: nanog@nanog.org
Date: Thu, 31 Dec 2015 11:16:07 +0900
From: Randy Bush <randy@psg.com>
To: alvin nanog <nanogml@Mail.DDoS-Mitigator.net>
In-Reply-To: <20151230101139.GA1721@Mail.DDoS-Mitigator.net>
Cc: cncert@cert.org.cn, NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

> - be sure ntpd is properly configured

to be explicit, test it

     % ntpdc -n -c monlist psg.com    
     psg.com: timed out, nothing received
     ***Request timed out

this is the desired result.  any real response means the host is open
to be a reflector

fwiw, i got caught last week.  a debian vm had been brought up using
dhcp, and the /var/lib/ntp/ntp.conf.dhcp was still there after the host
was reconfigured to static.  took me a while to find it.  embarrassing.
my ntp.yml playbook now has as its first task

    - name: remove dhcpd artifact
      file: path=/var/lib/ntp/ntp.conf.dhcp state=absent

randy
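Both halves of the post, the monlist test and the dhcp-artifact cleanup, can be folded into one playbook. The following is an added example, not Randy's ntp.yml and not part of the original message. It assumes a Debian-style ntpd install (service name `ntp`, config in `/etc/ntp.conf`), an inventory group named `ntp_servers`, and an `ntpdc` binary on the control node so the same check from the post can be run from outside against each host's address; the `disable monitor` and `restrict ... noquery` lines are standard ntp.conf directives that shut off mode 7 queries such as monlist.

```yaml
# ntp.yml (added example; assumed inventory group and service name)
- name: harden ntpd against monlist reflection
  hosts: ntp_servers
  become: true

  tasks:
    # the artifact described in the post: a dhcp-generated config that
    # silently overrides /etc/ntp.conf on Debian when it is present
    - name: remove dhcpd artifact
      file:
        path: /var/lib/ntp/ntp.conf.dhcp
        state: absent
      notify: restart ntp

    # turns off the monitor facility, so there is no monlist to reflect
    - name: disable monlist (monitor facility)
      lineinfile:
        path: /etc/ntp.conf
        regexp: '^disable monitor'
        line: 'disable monitor'
      notify: restart ntp

    # refuse mode 6/7 queries from everyone by default, v4 and v6
    - name: deny queries by default (IPv4)
      lineinfile:
        path: /etc/ntp.conf
        regexp: '^restrict -4 default '
        line: 'restrict -4 default kod notrap nomodify nopeer noquery'
      notify: restart ntp

    - name: deny queries by default (IPv6)
      lineinfile:
        path: /etc/ntp.conf
        regexp: '^restrict -6 default '
        line: 'restrict -6 default kod notrap nomodify nopeer noquery'
      notify: restart ntp

    # restart now, before verifying, rather than at the end of the play
    - meta: flush_handlers

    # the check from the post, run from the control node against the
    # host's real address; anything other than a timeout is a failure
    - name: verify monlist is refused from outside
      command: ntpdc -n -c monlist {{ ansible_host | default(inventory_hostname) }}
      delegate_to: localhost
      become: false
      register: monlist
      changed_when: false
      failed_when: "'timed out' not in (monlist.stdout ~ monlist.stderr)"

  handlers:
    - name: restart ntp
      service:
        name: ntp
        state: restarted
```

The verification task is deliberately run from the control node, not from the host itself: Debian's default config grants localhost full access, so a query against 127.0.0.1 would not show whether the server is open to the rest of the network. The play fails if the host answers with anything but a timeout, which is the "desired result" the post describes.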
