How to Configure NTP authentication between Junos devices and FreeBSD NTP server

So I am now the subject of the latest NTP DDoS attack. I have been reading the ntp.conf(5) manpage and so far have managed a few lines in the ntp.conf file on my server such as:

restrict aaa.bbb.ccc.0 mask nomodify notrap
restrict ddd.eee.fff.0 mask nomodify notrap nopeer

where the top line signifies my network infrastructure and the bottom line is for hosts that go through the network.

1. Is there a way to have network infrastructure use a password and NOT the other devices?
2. Are these lines like an access list where I can add "restrict default ignore" at the bottom for everyone else to be rejected?
3. Do I need to add the ntp.pool servers to that list as well, and how if all I have is the "ntp.pool"?

Brian Utterback (Principal Software Engineer) commented:
Getting the restrict lines correct is tricky. I always recommend getting everything running without any restrict lines and then adding the lines, one keyword at a time, checking along the way that everything still works.

So, you are correct. Simply adding lines that say

restrict default noquery
restrict -6 default noquery

will stop your server from being used in a DDoS attack.

The line

disable monitor

doesn't do quite the same thing. What it does is disable the server from gathering the data that the amplification attack uses. The attack simply requests a list of all the server's clients but spoofs the source IP address of the request so that the response goes to a different system, the victim. Since most servers have many clients, the list can be many packets long, hence the amplification. The "disable monitor" line tells the server to not bother even keeping a list, so when the request is made the response is only a single packet and no amplification has occurred. This is the least obtrusive method of preventing the attack since it keeps all of the other query commands available. On the other hand, you might want to be able to get the list yourself, so using the restrict lines above along with one that says "restrict" with no keywords might be better for you since it blocks all queries from other systems but allows queries from the same system to work normally.
Brian Utterback (Principal Software Engineer) commented:
The rev numbers for ntp would be helpful if available.

I am not sure what you exactly mean by question 1. NTP can be configured to use a password, if that is what you are asking, but it is not useful for stopping DDoS attacks; it is only useful for authenticating clients for writing configuration to the server and for authenticating servers to prove that you are getting time from a server you trust.

Yes the restrict lines are access lists, but the ordering is not important. The internal ordering is done by how closely the match is. That is, the IP address of a packet is matched against all of the restrict lines and if any match, the one whose mask parameter has the most ones is used. The default is taken to match all IP addresses, but uses a mask with no ones, so there is always a match if default has been given, but it is always the last choice.

The answer to your last question is version dependent. If you have a version of NTP that supports it, you can use the "source" keyword for the restrict configuration line. You use it just like "default" and it matches the IP address of any configured server. If you do not have a version that supports it you will probably need to be a little less restrictive in your default restrict line. You will need a set of keywords that will prevent the DDoS attack but still allow NTP to get time. The only keyword you absolutely need to prevent the DDoS is "noquery".

One more thing: you should also add a line for localhost, allowing full access locally. If you use both IPv4 and IPv6, you will need two lines:

restrict 127.0.0.1
restrict ::1
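As an added example that is not part of this thread, the following Python models the two points made in the comments above: which restrict entry ntpd applies to a given client (the matching entry with the longest mask wins, "default" is the fallback regardless of where it sits in the file, and "source" covers configured servers on versions that support it), and which kinds of request each keyword refuses (noquery blocks ntpq/ntpdc queries such as monlist while leaving time service alone). The ntp.conf fragment, the RFC 5737 / RFC 3849 addresses standing in for the poster's real networks, and the function names `parse_restrict_lines`, `effective_flags`, `is_allowed` and `decide` are all constructed for this example; the flag meanings follow ntp.conf(5). "disable monitor" is not modelled, since it changes what the server records rather than who may ask.

```python
import ipaddress

# Constructed ntp.conf fragment for this example. The addresses are RFC 5737 /
# RFC 3849 documentation ranges standing in for the poster's real networks.
# The restrict lines are deliberately out of order: ntpd applies the matching
# entry with the longest mask, not the first one in the file.
NTP_CONF = """
# customer hosts: time service only
restrict 198.51.100.0 mask 255.255.255.0 noquery nomodify notrap nopeer
# everyone else: time service only (noquery is what stops the monlist amplification)
restrict default noquery nomodify notrap nopeer
restrict -6 default noquery nomodify notrap nopeer
# our own infrastructure: may run ntpq queries, but may not reconfigure the daemon
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
# localhost: unrestricted
restrict 127.0.0.1
restrict ::1
# our upstream servers ('source' needs an ntpd that supports it, e.g. 4.2.6 and later)
restrict source noquery nomodify notrap nopeer
server 0.freebsd.pool.ntp.org
"""

# Which restrict flag refuses which kind of request (per ntp.conf(5)).
# 'ignore' refuses everything and is checked first in is_allowed().
BLOCKED_BY = {
    "time":   ("noserve",),             # ordinary client time request
    "query":  ("noquery",),             # ntpq/ntpdc read-only queries, incl. monlist
    "modify": ("noquery", "nomodify"),  # ntpq/ntpdc requests that change state
    "peer":   ("nopeer",),              # mobilising a new symmetric association
}


def _prefixlen_from_mask(mask):
    """Convert a dotted (or colon-separated) netmask to a prefix length."""
    return bin(int(ipaddress.ip_address(mask))).count("1")


def parse_restrict_lines(conf):
    """Return [(network_or_'source', frozenset(flags)), ...] from restrict lines.

    'default' becomes 0.0.0.0/0 (or ::/0 after -6), a bare address is a single
    host, 'address mask M' is a network, and 'source' is kept as a marker.
    """
    entries = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("restrict "):
            continue
        tokens = line.split()[1:]
        v6 = False
        if tokens[0] in ("-4", "-6"):
            v6 = tokens.pop(0) == "-6"
        target = tokens.pop(0)
        if target == "default":
            net = ipaddress.ip_network("::/0" if v6 else "0.0.0.0/0")
        elif target == "source":
            net = "source"
        elif tokens and tokens[0] == "mask":
            tokens.pop(0)
            net = ipaddress.ip_network(
                f"{target}/{_prefixlen_from_mask(tokens.pop(0))}", strict=False)
        else:
            net = ipaddress.ip_network(target)  # single host, /32 or /128
        entries.append((net, frozenset(tokens)))
    return entries


def effective_flags(entries, client_ip, configured_servers=()):
    """Pick the entry ntpd would apply to client_ip.

    A configured server address takes the 'source' template if one exists.
    Otherwise, of all entries in the same address family that contain the
    address, the one with the longest mask wins; 'default' (mask of all
    zeros) only applies when nothing more specific matches.
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip == ipaddress.ip_address(s) for s in configured_servers):
        for net, flags in entries:
            if net == "source":
                return flags
    best = None
    for net, flags in entries:
        if net == "source" or net.version != ip.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, flags)
    return best[1] if best else frozenset()


def is_allowed(flags, request):
    """True if a request of the given kind gets through under these flags."""
    if "ignore" in flags:
        return False
    return not any(flag in flags for flag in BLOCKED_BY[request])


def decide(client_ip, request, conf=NTP_CONF, configured_servers=()):
    """Parse conf and answer whether one client may make one kind of request."""
    entries = parse_restrict_lines(conf)
    return is_allowed(effective_flags(entries, client_ip, configured_servers), request)


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.0.2.10", "198.51.100.7", "203.0.113.5", "2001:db8::1"):
        print(ip, {req: decide(ip, req) for req in BLOCKED_BY})
```

Running it shows the answer to the poster's question 2 and the "noquery except my network devices" question at once: the 192.0.2.0/24 entry wins over "default" for infrastructure hosts even though it appears later in the file, so those hosts can still run ntpq, while customer hosts and the rest of the Internet get time service only.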
RDM1776 (Author) commented:
Dear blu,

The question for #1 is: can I have ntp require a password for device a.b.c.d/24 but not for another in the same network? But if you say that it has nothing to do with DDoS, then I'm not going to use it.

My example shows real IP networks in my domain, where:

restrict aaa.bbb.ccc.0 mask nomodify notrap
- this is infrastructure H/W, like some servers, routers, switches, firewalls
restrict ddd.eee.fff.0 mask nomodify notrap nopeer
- these are customer hosts

Are these sufficient, or what else would you add?

Question 2: I get it.

Main point is Q3. My version:

when I query ntpq, the version is 4.2.4p5-a (1)

So I don't know if that is good or bad (I'm not savvy on updating an application in FreeBSD).

How would I use "noquery"? I really only want my known devices to be able to query, so how would I set noquery for everyone except "my network devices"?

One more thing, I saw this on another site:

There are several ways, but having a basic 'restrict' statement in your
config like this will help mitigate this attack:

restrict default noquery nomodify notrap nopeer
restrict -6 default noquery nomodify notrap nopeer

I believe the key command is 'noquery' which means that the server can't
be queried for information (it does NOT affect the server's ability to
respond to time requests).

Is that the case? It will not affect time requests, just queries for info? And if this is true, then it might be best to JUST have those two lines rather than the specific network devices/hosts?

does this do the same:

# disable monitor queries
disable monitor

RDM1776 (Author) commented:
Clearest answer yet! Thank you
Question has a verified solution.