OpenNTPProject.org

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Mon Jan 13 21:33:14 UTC 2014


On 13 Jan 2014, at 21:13, Derek Andrew <Derek.Andrew at usask.ca> wrote:

> nmap -sU -pU:123 -Pn -n --script=ntp-monlist serverIP

Make that “all server IPs” if on different subnets, address families, ...


> On Mon, Jan 13, 2014 at 3:07 PM, Jared Mauch <jared at puck.nether.net> wrote:
> 
>> 4) Please prevent packet spoofing where possible on your network.  This
>> will limit the impact of spoofed NTP or DNS (amongst others) packets from
>> impacting the broader community.

BCP38!  I am always surprised when people need crypto if they fail the simple things.


>> 5) Some vendors don’t have an easy way to alter the ntp configuration, or
>> have not or won’t be updating NTP, you may need to use ACLs, firewall
>> filters, or other methods to block this traffic.  I’ve heard of many
>> routers being used in attacks impacting the CPU usage.
>> 
>> Take a moment and see if your devices respond to the following
>> query/queries:
>> 
>> ntpdc -n -c monlist 10.0.0.1
>> ntpdc -n -c loopinfo 10.0.0.1
>> ntpdc -n -c iostats 10.0.0.1

And no matter if you use the above nmap or these instructions to check, also check your IPv6 addresses!
You need 'restrict -6 default ignore' lines or similar as well, not just a 'restrict default ignore'.


— 
Bjoern A. Zeeb
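The nmap script and the ntpdc commands quoted above both send the same thing: an NTP mode 7 (private) request with request code 42, REQ_MON_GETLIST_1. The following is an added example, not code from the thread, nmap or ntpd, that builds that request, sends it over every address the host resolves to (so IPv6 is covered as the mail insists) and parses the reply down to the client addresses ntpd remembers. The item layout (72 bytes, IPv4 address at offset 16, v6_flag at 32, IPv6 address at 40) is ntpd's struct info_monitor_1; the hosts you feed it, and the sample reply built by the helper at the bottom, are assumptions for the demonstration.

```python
"""Probe NTP servers for 'monlist' (mode 7, REQ_MON_GETLIST_1) over IPv4 and IPv6."""
import socket
import struct

NTP_PORT = 123
# 0x17: response bit 0, more bit 0, version 2, mode 7; sequence 0;
# implementation 3 (IMPL_XNTPD); request code 42 (REQ_MON_GETLIST_1);
# err/nitems 0; mbz/size 0.  The standard 8-byte monlist probe.
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])
MON_ITEM_SIZE = 72  # sizeof(struct info_monitor_1) in ntpd
RESP_BIT, MORE_BIT, MODE_MASK, REQ_MON_GETLIST_1 = 0x80, 0x40, 0x07, 0x2A


def build_monlist_request() -> bytes:
    return MONLIST_REQUEST


def parse_monlist_response(data: bytes):
    """Parse one mode 7 datagram -> (err, nitems, item_size, more, addrs).

    addrs are the remembered client addresses (what an attacker harvests and
    what makes the reply large).  Anything that is not a mode 7 monlist
    response raises ValueError so a stray packet is never read as a hit.
    """
    if len(data) < 8:
        raise ValueError("short datagram (%d bytes)" % len(data))
    flags, _seq, _impl, reqcode, err_nitems, mbz_size = struct.unpack("!BBBBHH", data[:8])
    if not flags & RESP_BIT or flags & MODE_MASK != 7:
        raise ValueError("not a mode 7 response (flags=0x%02x)" % flags)
    if reqcode != REQ_MON_GETLIST_1:
        raise ValueError("unexpected request code %d" % reqcode)
    err, nitems = err_nitems >> 12, err_nitems & 0x0FFF
    size = mbz_size & 0x0FFF
    more = bool(flags & MORE_BIT)
    addrs, body = [], data[8:]
    for i in range(nitems):
        item = body[i * size:(i + 1) * size]
        if size < MON_ITEM_SIZE or len(item) < MON_ITEM_SIZE:
            break  # truncated, or an older/shorter item layout: stop, do not guess
        # info_monitor_1: IPv4 addr at 16..20, v6_flag at 32..36, addr6 at 40..56
        if struct.unpack("!I", item[32:36])[0]:
            addrs.append(socket.inet_ntop(socket.AF_INET6, item[40:56]))
        else:
            addrs.append(socket.inet_ntop(socket.AF_INET, item[16:20]))
    return err, nitems, size, more, addrs


def probe(host: str, timeout: float = 2.0):
    """Return [(address, bytes_received, client_addrs)] for every address of host.

    bytes_received == 0 means no monlist reply on that address.  A full monlist
    spans several datagrams chained by the 'more' bit, so keep reading until it
    clears.  (Network I/O; the offline test only exercises the parser.)
    """
    results = []
    for family, socktype, proto, _, sockaddr in socket.getaddrinfo(
            host, NTP_PORT, type=socket.SOCK_DGRAM):
        s = socket.socket(family, socktype, proto)
        s.settimeout(timeout)
        received, addrs = 0, []
        try:
            s.sendto(build_monlist_request(), sockaddr)
            while True:
                data, _ = s.recvfrom(2048)
                received += len(data)
                _e, _n, _s, more, a = parse_monlist_response(data)
                addrs.extend(a)
                if not more:
                    break
        except (socket.timeout, ValueError):
            pass
        finally:
            s.close()
        results.append((sockaddr[0], received, addrs))
    return results


def constructed_response(addrs, more=False) -> bytes:
    """Build a mode 7 monlist reply for offline testing (constructed, not captured)."""
    flags = RESP_BIT | (MORE_BIT if more else 0) | (2 << 3) | 7
    items = b""
    for a in addrs:
        item = bytearray(MON_ITEM_SIZE)
        if ":" in a:
            item[32:36] = struct.pack("!I", 1)
            item[40:56] = socket.inet_pton(socket.AF_INET6, a)
        else:
            item[16:20] = socket.inet_pton(socket.AF_INET, a)
        items += bytes(item)
    return struct.pack("!BBBBHH", flags, 0, 3, REQ_MON_GETLIST_1, len(addrs), MON_ITEM_SIZE) + items


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:  # assumed: your own servers, by name or literal
        for addr, nbytes, addrs in probe(host):
            verdict = ("RESPONDS, amplification x%d" % (nbytes // len(MONLIST_REQUEST))
                       if nbytes else "no reply")
            print("%s [%s]: %s, %d client addresses" % (host, addr, verdict, len(addrs)))
```

Run it against a name that has both A and AAAA records and you get one verdict per address, which is the point of the mail: a host can be closed on IPv4 and wide open on IPv6. The amplification figure is simply bytes received divided by the 8 bytes sent.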


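To make the last point checkable, here is an added example (not from the thread or from ntpd) that reads an ntp.conf and reports on which address families the default restriction still lets mode 7 queries through. Following the advice above, it records an unqualified 'restrict default' for IPv4 only and requires an explicit '-6' line for IPv6; whether the unqualified form also modifies the IPv6 default entry depends on the ntpd version, and the explicit line is the safe choice on every version. Only 'ignore' and 'noquery' stop monlist: 'nomodify', 'notrap', 'nopeer' and 'kod' do not. The two configurations are constructed samples.

```python
"""Audit an ntp.conf for 'restrict default' coverage of IPv4 and IPv6."""
import shlex

# Flags that actually refuse mode 6/7 queries, and therefore monlist.
BLOCKING_FLAGS = {"ignore", "noquery"}


def default_restrictions(conf: str) -> dict:
    """Map family ('4' / '6') -> set of flags on its 'restrict default' line, or None.

    Assumption (per the mail): an unqualified 'restrict default' counts for
    IPv4 only; 'restrict -6 default' is what covers IPv6.
    """
    found = {"4": None, "6": None}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = shlex.split(line)
        if words[0] != "restrict":
            continue
        families, rest = ["4"], words[1:]
        if rest and rest[0] in ("-4", "-6"):
            families, rest = [rest[0][1]], rest[1:]
        if not rest or rest[0] != "default":
            continue  # per-host/per-net line, not the default entry
        for fam in families:
            found[fam] = set(rest[1:])
    return found


def monlist_exposed(flags) -> bool:
    """True when these default flags still answer mode 7 requests."""
    return flags is None or not (BLOCKING_FLAGS & flags)


def audit(conf: str):
    """Return the families ('4', '6') on which the default entry still answers monlist."""
    return [fam for fam, flags in default_restrictions(conf).items() if monlist_exposed(flags)]


# Constructed sample: the classic pre-2014 file.  No 'noquery', no '-6' line.
WEAK_CONF = """\
server ntp.example.net          # assumed upstream
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

# Constructed sample: the same file with both default entries closed to queries.
FIXED_CONF = """\
server ntp.example.net
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print("%s: monlist reachable on families %s" % (name, audit(conf) or "none"))
```

The interesting case is a file that has only 'restrict default ignore': the audit reports IPv6 as open, which is exactly the configuration the mail warns about. Note that 'noquery' on the default entry still leaves time service working; 'ignore' drops everything, so keep a permissive line for the clients you serve.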



More information about the NANOG mailing list