How to Configure NTP authentication between Junos devices and FreeBSD NTP server

Posted on 2014-01-22
Last Modified: 2016-02-11
So I am now the subject of the latest NTP DDoS attack. I have been reading the NTP.CONF(5) manpage and so far have managed a few lines in the ntp.conf file on my server such as:

restrict aaa.bbb.ccc.0 mask nomodify notrap
restrict ddd.eee.fff.0 mask nomodify notrap nopeer

where the top line signifies my network infrastructure and the bottom line is hosts that go through the network.

1. Is there a way to have network infrastructure use a password and NOT the other devices?
2. Are these lines like an access list where I can add "restrict default ignore" at the bottom for everyone else to be rejected?
3. Do I need to add the ntp.pool servers to that list as well, and how if all I have is the "ntp.pool"?

Question by: RDM1776
LVL 22

Expert Comment

ID: 39800303
The rev numbers for ntp would be helpful if available.

I am not sure what you exactly mean by question 1. NTP can be configured to use a password, if that is what you are asking, but it is not useful for stopping DDOS attacks, it is only useful for authenticating clients for writing configuration to the server and for authenticating servers to prove that you are getting time from a server you trust.

Yes, the restrict lines are access lists, but the ordering is not important. The internal ordering is done by how close the match is. That is, the IP address of a packet is matched against all of the restrict lines and if any match, the one whose mask parameter has the most ones is used. The default is taken to match all IP addresses, but uses a mask with no ones, so there is always a match if default has been given, but it is always the last choice.

The answer to your last question is version dependent. If you have a version of NTP that supports it, you can use the "source" keyword for the restrict configuration line. You use it just like "default" and it matches the IP address of any configured server. If you do not have a version that supports it you will probably need to be a little less restrictive in your default restrict line. You will need a set of keywords that will prevent the DDOS attack but still allow NTP to get time. The only keyword you absolutely need to prevent the DDOS is "noquery".

One more thing: you should also add a line for localhost, allowing full access locally. If you use both IPv4 and IPv6, you will need two lines:

restrict 127.0.0.1
restrict ::1

Author Comment

ID: 39801155
Dear blu,

The question for #1 is: can I have ntp use a password for device a.b.c.d/24 but not for another in the same network? But if you say that it has nothing to do with DDoS, then I'm not going to use it.

My example really shows IP networks in my domain, where:

restrict aaa.bbb.ccc.0 mask nomodify notrap
- this is infrastructure H/W, like some servers, routers, switches, firewalls
restrict ddd.eee.fff.0 mask nomodify notrap nopeer
- these are customer hosts

Are these sufficient, or what else would you add?

Question 2 -- I get it.

The main point is Q3. My versions:

When I query ntpq, the version is 4.2.4p5-a (1)

So I don't know if that is good or bad (I'm not savvy on updating an application in FreeBSD).

How would I use the "noquery"? I really only want my known devices to be able to query, so how would I set noquery except for "my network devices"?

>>one more thing, I saw on another site here

There are several ways, but having a basic 'restrict' statement in your config like this will help mitigate this attack:

restrict default noquery nomodify notrap nopeer
restrict -6 default noquery nomodify notrap nopeer

I believe the key command is 'noquery' which means that the server can't be queried for information (it does NOT affect the server's ability to respond to time requests).

Is that the case? It will not affect time requests, just queries for info? And if this is true, then it might be best to JUST have those two lines rather than the specific network devices/hosts?

Does this do the same:

# disable monitor queries
disable monitor


LVL 22

Accepted Solution

blu earned 500 total points
ID: 39801335
Getting the restrict lines correct is tricky. I always recommend getting everything running without any restrict lines and then adding the lines, one keyword at a time, checking along the way that everything still works.

So, you are correct. Simply adding lines that say

restrict default noquery
restrict -6 default noquery

will stop your server from being used in a DDOS attack.

The line

disable monitor

doesn't do quite the same thing. What it does is disable the server's gathering of the data that the amplification attack uses. The attack simply requests a list of all the server's clients but spoofs the source IP address of the request so that the response goes to a different system, the victim. Since most servers have many clients, the list can be many packets long, hence the amplification. The "disable monitor" line tells the server to not bother even keeping a list, so when the request is made the response is only a single packet and no amplification has occurred. This is the least obtrusive method of preventing the attack since it keeps all of the other query commands available. On the other hand, you might want to be able to get the list yourself, so using the restrict lines above along with one that says "restrict" with no keywords might be better for you since it blocks all queries from other systems but allows queries from the same system to work normally.
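An added example, not from the thread and not ntpd's own code, that models the most-specific-mask selection described in the first expert comment and applies it to a restrict set shaped like this thread's final configuration: the two "default noquery" lines, the two localhost lines, and the two /24 networks. The RFC 5737 documentation prefixes are constructed stand-ins for aaa.bbb.ccc.0 and ddd.eee.fff.0; pass any source address to effective_flags() to see which keywords ntpd would apply to it.

```python
import ipaddress

# Constructed restrict lines modelled on the thread's final config.
# 192.0.2.0/24 stands in for the infrastructure network and
# 198.51.100.0/24 for the customer hosts; both are placeholders.
RESTRICT_LINES = [
    "restrict default noquery nomodify notrap nopeer",
    "restrict -6 default noquery nomodify notrap nopeer",
    "restrict 127.0.0.1",
    "restrict ::1",
    "restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap",
    "restrict 198.51.100.0 mask 255.255.255.0 nomodify notrap nopeer",
]

def parse_restrict(line):
    """Return (network, flags) for one restrict line, or None for other lines.
    'default' becomes a /0 network, so it can only win when nothing else matches."""
    tokens = line.split()
    if not tokens or tokens[0] != "restrict":
        return None
    tokens = tokens[1:]
    family = 4
    if tokens and tokens[0] in ("-4", "-6"):
        family = int(tokens.pop(0)[1])
    addr = tokens.pop(0)
    if addr == "default":
        net = ipaddress.ip_network("0.0.0.0/0" if family == 4 else "::/0")
    elif tokens and tokens[0] == "mask":
        tokens.pop(0)
        net = ipaddress.ip_network((addr, tokens.pop(0)), strict=False)
    else:
        net = ipaddress.ip_network(addr)  # bare host entry: /32 or /128
    return net, frozenset(tokens)

def effective_flags(src_ip, lines=RESTRICT_LINES):
    """Pick the matching entry with the most mask bits, as ntpd does.
    File order is irrelevant; an empty set means full access (e.g. localhost)."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for line in lines:
        parsed = parse_restrict(line)
        if parsed is None:
            continue
        net, flags = parsed
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, flags)
    return best[1] if best else frozenset()

def may_query(src_ip, lines=RESTRICT_LINES):
    """True if ntpq/monlist-style queries from src_ip would be answered."""
    return "noquery" not in effective_flags(src_ip, lines)
```

Note that an unknown Internet host falls through to the default entry and loses query access, while the infrastructure /24 keeps it; reversing the list gives the same answers.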

Author Closing Comment

ID: 39801353
Clearest answer yet! Thank you
