How to Configure NTP authentication between Junos devices and FreeBSD NTP server

Posted on 2014-01-22
Last Modified: 2016-02-11
So I am now subject to the latest NTP DDoS attack. I have been reading the NTP.CONF(5) manpages and so far have managed a few lines in the ntp.conf file on my server such as:

restrict aaa.bbb.ccc.0 mask nomodify notrap
restrict ddd.eee.fff.0 mask nomodify notrap nopeer

where the top line signifies my network infrastructure and the bottom line are hosts that go through the network.

1. Is there a way to have network infrastructure use a password and NOT the other devices?
2. Are these lines like an access list where I can add "restrict default ignore" at the bottom for everyone else to be rejected?
3. Do I need to add the ntp.pool servers to that list as well, and how if all I have is the "ntp.pool"?

Question by: RDM1776

Expert Comment

ID: 39800303
The rev numbers for ntp would be helpful if available.

I am not sure what you exactly mean by question 1. NTP can be configured to use a password, if that is what you are asking, but it is not useful for stopping DDOS attacks, it is only useful for authenticating clients for writing configuration to the server and for authenticating servers to prove that you are getting time from a server you trust.

Yes the restrict lines are access lists, but the ordering is not important. The internal ordering is done by how closely the match is. That is, the IP address of a packet is matched against all of the restrict lines and if any match, the one whose mask parameter has the most ones is used. The default is taken to match all IP addresses, but uses a mask with no ones, so there is always a match if default has been given, but it is always the last choice.

The answer to your last question is version dependent. If you have a version of NTP that supports it, you can use the "source" keyword for the restrict configuration line. You use it just like "default" and it matches the IP address of any configured server. If you do not have a version that supports it you will probably need to be a little less restrictive in your default restrict line. You will need a set of keywords that will prevent the DDOS attack but still allow NTP to get time. The only keyword you absolutely need to prevent the DDOS is "noquery".

One more thing, you should also add a line for localhost, allowing full access locally. If you use both IPv4 and IPv6, you will need two lines:

restrict 127.0.0.1
restrict ::1

Author Comment

ID: 39801155
Dear blu,

The question in #1 is: can I have NTP use a password for device a.b.c.d/24 but not for another in the same network? But if you say that it has nothing to do with DDoS, then I'm not going to use it.

My example really shows IP networks in my domain, where:

restrict aaa.bbb.ccc.0 mask nomodify notrap
- this is infrastructure H/W, like some servers, routers, switches, firewalls
restrict ddd.eee.fff.0 mask nomodify notrap nopeer
- these are customer hosts

Are these sufficient, or what else would you add?

Question 2 -- I get it.

The main point is Q3. My versions:

When I query ntpq, the version is 4.2.4p5-a (1)

So I don't know if that is good or bad (I'm not savvy on updating an application in FreeBSD).

How would I use "noquery"? I really only want my known devices to be able to query, so how would I set noquery except for "my network devices"?

One more thing, I saw on another site here:

There are several ways, but having a basic 'restrict' statement in your config like this will help mitigate this attack:

restrict default noquery nomodify notrap nopeer
restrict -6 default noquery nomodify notrap nopeer

I believe the key command is 'noquery' which means that the server can't be queried for information (it does NOT affect the server's ability to respond to time requests).

Is that the case? It will not affect time requests, just queries for info? And if this is true, then it might be best to JUST have those two lines rather than the specific network devices/hosts?

Does this do the same:

# disable monitor queries
disable monitor



Accepted Solution

blu earned 500 total points
ID: 39801335
Getting the restrict lines correct is tricky. I always recommend getting everything running without any restrict lines and then adding the lines, one keyword at a time, checking along the way that everything still works.

So, you are correct. Simply adding lines that say

restrict default noquery
restrict -6 default noquery

will stop your server from being used in a DDOS attack.

The line

disable monitor

doesn't do quite the same thing. What it does is stop the server from gathering the data that the amplification attack uses. The attack simply requests a list of all the server's clients but spoofs the source IP address of the request so that the response goes to a different system, the victim. Since most servers have many clients, the list can be many packets long, hence the amplification. The "disable monitor" line tells the server to not bother even keeping a list, so when the request is made the response is only a single packet and no amplification has occurred. This is the least obtrusive method of preventing the attack since it keeps all of the other query commands available. On the other hand, you might want to be able to get the list yourself, so using the restrict lines above along with one that says "restrict" with no keywords might be better for you since it blocks all queries from other systems but allows queries from the same system to work normally.
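As an added illustration (not code from this thread or from ntpd) of two points made above: blu's explanation in the first comment that ntpd picks the matching restrict line with the most mask bits and only falls back to "default", and the accepted answer's point that "restrict default noquery" refuses monlist-style information queries while leaving time requests untouched. The model follows the NTP.CONF(5) description rather than ntpd's source, and the networks 192.0.2.0/24 and 198.51.100.0/24 are constructed stand-ins for the poster's aaa.bbb.ccc.0 and ddd.eee.fff.0.

```python
import ipaddress

# Added example modelling ntpd's restrict matching as NTP.CONF(5) describes it
# (assumption: written for this thread, not ntpd's own code or source).
DEFAULTS = {4: ipaddress.ip_network("0.0.0.0/0"), 6: ipaddress.ip_network("::/0")}

def parse_restrict(conf_text):
    """Parse 'restrict [-4|-6] <addr|default> [mask M] flag ...' lines."""
    rules = []
    for line in conf_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        family = 6 if tokens[1] == "-6" else 4
        tokens = tokens[2:] if tokens[1] in ("-4", "-6") else tokens[1:]
        if not tokens:
            continue
        addr, tokens = tokens[0], tokens[1:]
        if tokens[:1] == ["mask"]:          # dotted mask gives the prefix length
            net = ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False)
            tokens = tokens[2:]
        elif addr == "default":             # all addresses, mask of all zeros
            net = DEFAULTS[family]
        else:                               # bare address means one host
            net = ipaddress.ip_network(addr)
        rules.append((net, frozenset(tokens)))
    return rules

def flags_for(rules, source_ip):
    # File order is irrelevant: the matching rule with the most mask bits wins,
    # so 'default' (zero mask bits) is only used when nothing else matches.
    ip = ipaddress.ip_address(source_ip)
    matches = [(n, f) for n, f in rules if n.version == ip.version and ip in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else frozenset()

def answers_monlist(rules, source_ip):
    # monlist is a mode 7 information query; noquery (or ignore) refuses it.
    return not (flags_for(rules, source_ip) & {"noquery", "ignore"})

def serves_time(rules, source_ip):
    # noquery leaves ordinary time requests alone; only ignore/noserve block them.
    return not (flags_for(rules, source_ip) & {"ignore", "noserve"})

# Constructed stand-ins for the poster's aaa.bbb.ccc.0 and ddd.eee.fff.0 networks.
BEFORE = ("restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap\n"
          "restrict 198.51.100.0 mask 255.255.255.0 nomodify notrap nopeer\n")
AFTER = BEFORE + ("restrict default noquery nomodify notrap nopeer\n"
                  "restrict -6 default noquery nomodify notrap nopeer\n"
                  "restrict 127.0.0.1\nrestrict ::1\n")
```

With BEFORE an outside host gets no matching line and so is answered in full; with AFTER the same host hits "default noquery" and is refused information queries but still served time, while the two /24 networks and localhost keep their more specific (and less restrictive) lines.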

Author Closing Comment

ID: 39801353
Clearest answer yet! Thank you
