nanog mailing list archives
Re: OpenNTPProject.org
From: "Bjoern A. Zeeb" <bzeeb-lists () lists zabbadoz net>
Date: Mon, 13 Jan 2014 21:33:14 +0000
On 13 Jan 2014, at 21:13 , Derek Andrew <Derek.Andrew () usask ca> wrote:
nmap -sU -pU:123 -Pn -n --script=ntp-monlist serverIP
Make that “all server IPs” if on different subnets, address families, ...
On Mon, Jan 13, 2014 at 3:07 PM, Jared Mauch <jared () puck nether net> wrote:4) Please prevent packet spoofing where possible on your network. This will limit the impact of spoofed NTP or DNS (amongst others) packets from impacting the broader community.
BCP38! I am always surprised when people need crypto if they fail the simple things.
5) Some vendors don’t have an easy way to alter the ntp configuration, or have not or won’t be updating NTP, you may need to use ACLs, firewall filters, or other methods to block this traffic. I’ve heard of many routers being used in attacks impacting the CPU usage. Take a moment and see if your devices respond to the following query/queries: ntpdc -n -c monlist 10.0.0.1 ntpdc -n -c loopinfo 10.0.0.1 ntpdc -n -c iostats 10.0.0.1
And no matter if you use the above nmap or these instructions to check, also check your IPv6 addresses! You need 'restrict -6 default ignore' lines or similar as well, not just a restrict default ignore. — Bjoern A. Zeeb ????????? ??? ??????? ??????: '??? ??? ???? ?????? ??????? ?? ?? ??????? ??????? ??? ????? ????? ???? ?????? ?? ????? ????', ????????? ?????????, "??? ????? ?? ?????", ?.???
Current thread:
- OpenNTPProject.org Jared Mauch (Jan 13)
- Re: OpenNTPProject.org Tony Finch (Jan 14)
- <Possible follow-ups>
- Re: OpenNTPProject.org Derek Andrew (Jan 13)
- Re: OpenNTPProject.org Bjoern A. Zeeb (Jan 13)
- Re: OpenNTPProject.org Saku Ytti (Jan 13)
- Re: OpenNTPProject.org Paul Ferguson (Jan 14)
- Re: OpenNTPProject.org Pierre Lamy (Jan 16)
- Re: OpenNTPProject.org Mark Andrews (Jan 16)
- Re: OpenNTPProject.org Bjoern A. Zeeb (Jan 13)
- Re: OpenNTPProject.org Damian Menscher (Jan 14)
- Re: OpenNTPProject.org Saku Ytti (Jan 14)
- Re: OpenNTPProject.org Dobbins, Roland (Jan 16)
- Re: OpenNTPProject.org Saku Ytti (Jan 16)
- Re: OpenNTPProject.org Dobbins, Roland (Jan 16)
- Re: OpenNTPProject.org Nicolai (Jan 15)