Solved

How to Configure NTP authentication between Junos devices and FreeBSD NTP server

Posted on 2014-01-22
4
933 Views
Last Modified: 2016-02-11
So I am now subject of the latest NTP DDoS attack. I have been reading NTP.CONF(5) manpages and so far have managed a few lines in the ntp.conf file on my server such as:

restrict aaa.bbb.ccc.0 mask 255.255.252.0 nomodify notrap
restrict ddd.eee.fff.0 mask 255.255.254.0 nomodify notrap nopeer

where the top line signifies my network infrastructure and the bottom line are hosts that go through the network.

Questions:
1. Is there a way to have network infrastructure use a password and NOT the other devices?
2. Are these lines like an access list where I can add "restrict default ignore" at the bottom for everyone else to be rejected?
3. Do I need to add the ntp.pool servers to that list as well, and how if all I have is the "ntp.pool"?

Thanks
0
Comment
Question by:RDM1776
  • 2
  • 2
4 Comments
 
LVL 22

Expert Comment

by:blu
Comment Utility
The rev numbers for ntp would be helpful if available.

I am not sure what you exactly mean by question 1. NTP can be configured to use a password, if that is what you are asking, but it is not useful for stopping DDOS attacks, it is only useful for authenticating clients for writing configuration to the server and for authenticating servers to prove that you are getting time from a server you trust.

Yes the restrict lines are access lists, but the ordering is not important. The internal ordering is done by how closely the match is. That is, the IP address of a packet is matched against all of the restrict lines and if any match, the one whose mask parameter has the most ones is used. The default is taken to match all IP addresses, but uses a mask with no ones, so there is always a match if default has been given, but it is always the last choice.

The answer to your last question is version dependent. If you have a version of NTP that supports it, you can use the "source" keyword for the restrict configuration line. You use it just like "default" and it matches the IP address of any configured server. If you do not have a version that supports it you will probably need to be a little less restrictive in you default restrict line. You will need a set of keywords that will prevent the DDOS attack but still allow NTP to get time. The only keyword you absolutely need to prevent the DDOS is "noquery".

One more thing, you should also add a line for localhost, allowing full access locally. If you use both IPv4 and IPv6, you will need two lines:

restrict 127.0.0.1
restrict ::1
0
 

Author Comment

by:RDM1776
Comment Utility
Dear blu,

The question to #1 is can I have ntp have a password for  device a.b.c.d/24 but not for another in the same network? But if you say that is has nothing to do with DDoS, then I'm not going to use it.

My example shows really IP networks in my domain, where:

restrict aaa.bbb.ccc.0 mask 255.255.252.0 nomodify notrap
- this is infrastructure H/W, like some servers, routers, switches, firewalls
restrict ddd.eee.fff.0 mask 255.255.254.0 nomodify notrap nopeer
- these are customer hosts

= are these sufficient, or what else would you add?

Qestion 2-- I get it.

Main point is Q3, my versions:

FreeBSD 8.2-RELEASE
and

when I query ntpq, the version is 4.2.4p5-a (1)

So I don't know if that is good or bad (I'm not savy on updating an application in FreeBSD)

How would i use the "noquery"? I really only want my known devices to be able to query, so how would I set 0.0.0.0/0 noquery except "my network devices"?

>>one more thing, I saw on another site here

There are several ways, but having a basic 'restrict' statement in your
config like this will help mitigate this attack:

restrict default noquery nomodify notrap nopeer
restrict -6 default noquery nomodify notrap nopeer

I believe the key command is 'noquery' which means that the server can't
be queried for information (it does NOT affect the server's ability to
respond to time requests).

Is that the case? It will not affect time requests, just queries for info? And if this is true, then it might be best to JUST have those two lines rather than the specific network devices/hosts?

does this do the same:

# disable monitor queries
disable monitor
#

Open in new window

0
 
LVL 22

Accepted Solution

by:
blu earned 500 total points
Comment Utility
Getting the restrict lines correct is tricky. I always recommend getting everything running without any restrict lines and then adding the lines, one keyword at a time, checking along the way that everything still works.

So, you are correct. Simply adding  lines that say

restrict default noquery
restrict -6 default noquery

will stop your server from being used in a DDOS attack.

The line

disable monitor

doesn't do quite the same thing. What it does is disables the server from gathering the data that the amplification attack uses. The attack simply requests a list of all the servers clients but spoofs the source IP address of the request so that the response goes to a different system, the victim. Since most servers have many clients, the list can be many packets long, hence the amplification. The "disable monitor" line tells the server to not bother even keeping a list, so when the request is made the response is only a single packet and no amplification has occurred. This is the least obtrusive method of preventing the attack since it keeps all of the other query commands available. On the other hand, you might want to be able to get the list yourself, so using the restrict lines above along with one that says "restrict 127.0.0.1" with no keywords might be better for you since it blocks all queries from other systems but allows queries from the same system to work normally.
0
 

Author Closing Comment

by:RDM1776
Comment Utility
Clearest answer yet! Thank you
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now