OpenNTPProject.org

Brian Rak brak at gameservers.com
Mon Feb 17 02:38:06 UTC 2014


Seriously, just fix your configuration.  The part of NTP being abused is 
completely unrelated to actually synchronizing time.  It's a management 
query, that has no real reason to be enabled remotely. You don't even 
need to resort to iptables for this, because NTPD has built in rate 
limiting (which isn't enabled for management queries, but those are 
trivial to disable).

$ ntpdc -c monlist -n clock.xmission.com
remote address          port local address      count m ver code avgint  
lstint
===============================================================================
173.209.207.233        42422 198.60.22.240       4727 3 3 0      0       0
24.155.184.100         45285 198.60.22.240         11 3 4 0      6       0
107.0.41.2             48625 198.60.22.240        264 3 4 0      5       0
67.108.239.31          40642 198.60.22.240      77084 3 3 0      0       0
177.65.149.237         62212 198.60.22.240       1085 3 1 0      0       0
209.64.161.162         44786 198.60.22.240         19 3 4 0      7       0
103.7.36.38            51618 198.60.22.240          4 3 3 0      8       0
173.209.207.218        50616 198.60.22.240       4731 3 3 0      0       0
69.61.203.25           20766 198.60.22.240      16379 3 4 0      1       0
68.188.251.223           478 198.60.22.240          2 1 3 0      0       0
75.82.183.104            123 198.60.22.240          1 3 4 0      0       0
63.64.124.129          52839 198.60.22.240     150867 3 4 0      0       0
65.201.33.150            151 198.60.22.240        393 3 2 0      3       0
124.228.119.105        24687 198.60.22.240         31 3 3 0      4       0
64.191.150.130           319 198.60.22.240    4494361 3 2 0      0       0
76.102.124.27            123 198.60.22.240          2 3 4 0      0       0
72.235.200.183           123 198.60.22.240          1 3 4 0      0       0
50.73.42.121           10398 198.60.22.240         11 3 3      0 14       0
63.64.124.144          26984 198.60.22.240    5823740 3 4 0      0       0
71.5.8.194             44699 198.60.22.240          3 3 4 0      0       0
143.112.64.2            1320 198.60.22.240        182 1 3 0      6       0
72.235.19.125            123 198.60.22.240          1 3 4 0      0       0
198.237.66.2           10471 198.60.22.240        499 3 3 0      3       0
12.108.21.226            357 198.60.22.240         10 1 3      0 14       0
174.47.116.250           463 198.60.22.240         24 3 4 0      5       0
72.1.71.73               738 198.60.22.240         19 3 3 0      8       0
67.136.57.10            1026 198.60.22.240        243 3 3 0      5       0
64.199.163.5             306 198.60.22.240        231 3 4 0      4       0
70.77.76.153           32188 198.60.22.240          1 3 4 0      0       0

There is no excuse to still be running a NTP server with monlist 
enabled.  Fix your configuration, and you don't need IPTables rules.



On 2/16/2014 1:29 PM, Pete Ashdown wrote:
> Just in case you run a legitimate open NTP server, this iptable stanza
> helps immensely:
>
> ## rate limit ntp
> $IPTABLES -N NTP
> $IPTABLES -N BLACKHOLE
> $IPTABLES -A BLACKHOLE -m recent --set --name ntpv4blackhole --rsource
> $IPTABLES -A BLACKHOLE -j DROP
> $IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name
> ntpv4 --rsource -j BLACKHOLE
> $IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name
> ntpv4blackhole --rsource -j DROP
> $IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT
> $IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP
>
>
> I've found that blocking TCP destination NTP to client servers/networks
> blocks legitimate NTP synchronization for their clients.   Although I
> wish they'd all just use my on-network NTP server, I can't assume they
> will.  Does anyone have a list or source of pool and vendor
> (Apple/Microsoft/etc) servers so I can permit based on source before
> blocking based on destination port?
>
>




More information about the NANOG mailing list