Securing NTP


Following on from DNS amplification DDoS attacks, NTP services are now also being abused for amplification DDoS attacks, reflecting traffic against other networks.

There are two major issues: "monlist" and "readvar".

Below are some basic steps to reduce the effectiveness of these kinds of attacks by locking down the default restrictions in the configuration.

You can read further on this at the URLs below.

https://www.shadowserver.org/wiki/pmwiki.php/Services/NTP-Version

https://www.shadowserver.org/wiki/pmwiki.php/Services/NTP-Monitor

Within ntpd on *nix

To resolve most issues, add the lines below to /etc/ntp.conf (this should resolve both the monlist and readvar issues).

restrict default ignore
disable monitor
disable bclient

Then restart the ntpd service (called ntp on some OSes).

To test that this has worked, run the following queries from a remote Linux machine:

Readvar:

ntpq -c rv [ip]

Monlist:

ntpdc -n -c monlist [ip]

Expect a "connect timeout" error if the NTP service has been secured successfully.
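As an added example (not part of the original article), the script below audits an ntp.conf for the hardening lines described above. It also accepts "noquery" on the default restriction as an alternative that blocks mode 6/7 queries while still serving time, and it warns when "restrict default ignore" is present with no restrict lines permitting any client, since ntpd then answers nobody, localhost included. The sample configurations embedded in it are constructed for the example.

```python
# Constructed sample configs: a typical weak default and one hardened
# with the lines the article recommends plus explicit client entries.
WEAK_CONF = """\
server 0.pool.ntp.org iburst
restrict default nomodify notrap
restrict 127.0.0.1
"""

HARDENED_CONF = """\
server 0.pool.ntp.org iburst
restrict default ignore
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap noquery
disable monitor
disable bclient
"""

def parse_ntp_conf(text):
    """Return ({restrict target: set of flags}, set of disabled features)."""
    restricts, disabled = {}, set()
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not words:
            continue
        if words[0] == "restrict":
            args = [w for w in words[1:] if w not in ("-4", "-6")]  # family prefix
            if not args:
                continue
            target, flags = args[0], args[1:]
            if len(flags) >= 2 and flags[0] == "mask":          # fold mask into target
                target, flags = f"{target} mask {flags[1]}", flags[2:]
            restricts[target] = set(flags)
        elif words[0] == "disable":
            disabled.update(words[1:])
    return restricts, disabled

def audit_ntp_conf(text):
    """Return a list of findings; an empty list means all checks passed."""
    restricts, disabled = parse_ntp_conf(text)
    findings = []
    default = restricts.get("default")
    if default is None:
        findings.append("no 'restrict default' line: queries answered from anywhere")
    elif not default & {"ignore", "noquery"}:
        findings.append("'restrict default' allows mode 6/7 queries (add ignore or noquery)")
    if "monitor" not in disabled:
        findings.append("'disable monitor' missing: monlist table is still kept")
    if default and "ignore" in default:
        clients = [t for t, f in restricts.items() if t != "default" and "ignore" not in f]
        if not clients:
            findings.append("'restrict default ignore' with no client restrict lines: ntpd serves nobody")
    return findings
```

Run it against your own /etc/ntp.conf by reading the file and passing its contents to audit_ntp_conf.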
