

How to Configure NTP authentication between Junos devices and FreeBSD NTP server

Posted on 2014-01-22
Medium Priority
Last Modified: 2016-02-11
So I am now the subject of the latest NTP DDoS attack. I have been reading the NTP.CONF(5) manpage and so far have managed a few lines in the ntp.conf file on my server, such as:

restrict aaa.bbb.ccc.0 mask nomodify notrap
restrict ddd.eee.fff.0 mask nomodify notrap nopeer

where the top line signifies my network infrastructure and the bottom line are hosts that go through the network.

1. Is there a way to have network infrastructure use a password and NOT the other devices?
2. Are these lines like an access list where I can add "restrict default ignore" at the bottom for everyone else to be rejected?
3. Do I need to add the ntp.pool servers to that list as well, and how if all I have is the "ntp.pool"?

Question by:RDM1776
LVL 22

Expert Comment

ID: 39800303
The rev numbers for ntp would be helpful if available.

I am not sure what exactly you mean by question 1. NTP can be configured to use a password, if that is what you are asking, but it is not useful for stopping DDOS attacks; it is only useful for authenticating clients for writing configuration to the server and for authenticating servers, to prove that you are getting time from a server you trust.

Yes, the restrict lines are access lists, but the ordering is not important. The internal ordering is done by how close the match is. That is, the IP address of a packet is matched against all of the restrict lines, and if any match, the one whose mask parameter has the most ones is used. The default is taken to match all IP addresses but uses a mask with no ones, so there is always a match if default has been given, but it is always the last choice.

The answer to your last question is version dependent. If you have a version of NTP that supports it, you can use the "source" keyword for the restrict configuration line. You use it just like "default" and it matches the IP address of any configured server. If you do not have a version that supports it, you will probably need to be a little less restrictive in your default restrict line. You will need a set of keywords that will prevent the DDOS attack but still allow NTP to get time. The only keyword you absolutely need to prevent the DDOS is "noquery".

One more thing, you should also add a line for localhost, allowing full access locally. If you use both IPv4 and IPv6, you will need two lines:

restrict 127.0.0.1
restrict ::1

Author Comment

ID: 39801155
Dear blu,

The question to #1 is: can I have ntp have a password for device a.b.c.d/24 but not for another in the same network? But if you say that it has nothing to do with DDoS, then I'm not going to use it.

My example shows really IP networks in my domain, where:

restrict aaa.bbb.ccc.0 mask nomodify notrap
- this is infrastructure H/W, like some servers, routers, switches, firewalls
restrict ddd.eee.fff.0 mask nomodify notrap nopeer
- these are customer hosts

= are these sufficient, or what else would you add?

Question 2 -- I get it.

Main point is Q3, my versions:

When I query ntpq, the version is 4.2.4p5-a (1)

So I don't know if that is good or bad (I'm not savvy on updating an application in FreeBSD).

How would I use the "noquery"? I really only want my known devices to be able to query, so how would I set noquery except for "my network devices"?

>> One more thing, I saw on another site here:

There are several ways, but having a basic 'restrict' statement in your config like this will help mitigate this attack:

restrict default noquery nomodify notrap nopeer
restrict -6 default noquery nomodify notrap nopeer

I believe the key command is 'noquery' which means that the server can't be queried for information (it does NOT affect the server's ability to respond to time requests).

Is that the case? It will not affect time requests, just queries for info? And if this is true, then it might be best to JUST have those two lines rather than the specific network devices/hosts?

Does this do the same:

# disable monitor queries
disable monitor


LVL 22

Accepted Solution

blu earned 2000 total points
ID: 39801335
Getting the restrict lines correct is tricky. I always recommend getting everything running without any restrict lines and then adding the lines, one keyword at a time, checking along the way that everything still works.

So, you are correct. Simply adding lines that say

restrict default noquery
restrict -6 default noquery

will stop your server from being used in a DDOS attack.

The line

disable monitor

doesn't do quite the same thing. What it does is disable the server from gathering the data that the amplification attack uses. The attack simply requests a list of all the server's clients but spoofs the source IP address of the request so that the response goes to a different system, the victim. Since most servers have many clients, the list can be many packets long, hence the amplification. The "disable monitor" line tells the server not to bother even keeping a list, so when the request is made the response is only a single packet and no amplification has occurred. This is the least obtrusive method of preventing the attack since it keeps all of the other query commands available. On the other hand, you might want to be able to get the list yourself, so using the restrict lines above along with one that says "restrict" with no keywords might be better for you, since it blocks all queries from other systems but allows queries from the same system to work normally.
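The matching rule blu describes in the earlier comment (the entry whose mask has the most one bits wins, so "default" is always the last choice) and the default-noquery plus localhost configuration settled on here, modelled as an added Python example that is not from the thread. The 192.0.2.0/24 network and the queried addresses are constructed placeholders, and only the restrict keywords this thread discusses are modelled.

```python
import ipaddress

# Constructed ntp.conf fragment combining the lines discussed in the thread;
# 192.0.2.0/24 is a documentation-range stand-in for the "aaa.bbb.ccc.0" net.
SAMPLE_NTP_CONF = """
restrict default noquery nomodify notrap nopeer
restrict -6 default noquery nomodify notrap nopeer
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
"""

# Only the restrict keywords relevant to this thread are modelled.
FLAG_WORDS = {"noquery", "nomodify", "notrap", "nopeer", "noserve", "ignore"}

def parse_restrict(conf):
    """Return [(network, flags)] for every restrict line in an ntp.conf text."""
    rules = []
    for raw in conf.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        parts = parts[1:]
        family = parts.pop(0) if parts[0] in ("-4", "-6") else None
        addr = parts.pop(0)
        mask = None
        if len(parts) >= 2 and parts[0] == "mask":
            mask, parts = parts[1], parts[2:]
        if addr == "default":   # matches everything, but with zero mask bits
            net = ipaddress.ip_network("::/0" if family == "-6" else "0.0.0.0/0")
        elif mask:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        else:                   # bare host entry: full-length mask
            net = ipaddress.ip_network(addr)
        rules.append((net, frozenset(p for p in parts if p in FLAG_WORDS)))
    return rules

def effective_flags(rules, source_ip):
    """Longest-mask match as ntpd does it: a host/net line beats 'default'; no match means no restrictions."""
    ip = ipaddress.ip_address(source_ip)
    matches = [(net.prefixlen, flags) for net, flags in rules if ip in net]
    return max(matches, key=lambda m: m[0])[1] if matches else frozenset()

def may_query(rules, source_ip):
    """Would a mode 6/7 control query (monlist, the amplification vector) be answered?"""
    return not ({"noquery", "ignore"} & effective_flags(rules, source_ip))

def may_get_time(rules, source_ip):
    """Would an ordinary client time request be served? noquery does not block it."""
    return not ({"noserve", "ignore"} & effective_flags(rules, source_ip))
```

Running it against the sample shows that an outside address can still get time but not query, while localhost and the infrastructure network keep their query access because their longer masks override the default line.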

Author Closing Comment

ID: 39801353
Clearest answer yet! Thank you

