Pete Ashdown pashdown at
Sun Feb 16 18:29:17 UTC 2014

Just in case you run a legitimate open NTP server, this iptable stanza
helps immensely:

## rate limit ntp
$IPTABLES -A BLACKHOLE -m recent --set --name ntpv4blackhole --rsource
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name
ntpv4 --rsource -j BLACKHOLE
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name
ntpv4blackhole --rsource -j DROP
$IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP

I've found that blocking TCP destination NTP to client servers/networks
blocks legitimate NTP synchronization for their clients.   Although I
wish they'd all just use my on-network NTP server, I can't assume they
will.  Does anyone have a list or source of pool and vendor
(Apple/Microsoft/etc) servers so I can permit based on source before
blocking based on destination port?

More information about the NANOG mailing list