Fwd: port 123 reflection attacks

Randy Bush randy at psg.com
Thu Dec 31 02:16:07 UTC 2015

> - be sure ntpd is properly configured

to be explicit, test it

     % ntpdc -n -c monlist psg.com    
     psg.com: timed out, nothing received
     ***Request timed out

this is the desired result.  any real response means the host is open
to be a reflector

fwiw, i got caught last week.  a debien vm had been brought up using
dhcp, and the /var/lib/ntp/ntp.conf.dhcp was still there after the host
was reconfigured to static.  took me a while to find it.  embarrassing.
my ntp.yml playbook now has as it's first task

    - name: remove dhcpd artifact
      file: path=/var/lib/ntp/ntp.conf.dhcp state=absent


More information about the NANOG mailing list