nanog mailing list archives

Re: OpenNTPProject.org


From: "Bjoern A. Zeeb" <bzeeb-lists () lists zabbadoz net>
Date: Mon, 13 Jan 2014 21:33:14 +0000


On 13 Jan 2014, at 21:13 , Derek Andrew <Derek.Andrew () usask ca> wrote:

nmap -sU -pU:123 -Pn -n --script=ntp-monlist serverIP

Make that “all server IPs” if on different subnets, address families, ...


On Mon, Jan 13, 2014 at 3:07 PM, Jared Mauch <jared () puck nether net> wrote:

4) Please prevent packet spoofing where possible on your network.  This
will limit the impact of spoofed NTP or DNS (amongst others) packets on
the broader community.

BCP38!  I am always surprised when people need crypto if they fail the simple things.


5) Some vendors don’t have an easy way to alter the ntp configuration, or
have not or won’t be updating NTP; you may need to use ACLs, firewall
filters, or other methods to block this traffic.  I’ve heard of many
routers being used in attacks impacting the CPU usage.

Take a moment and see if your devices respond to the following
query/queries:

ntpdc -n -c monlist 10.0.0.1
ntpdc -n -c loopinfo 10.0.0.1
ntpdc -n -c iostats 10.0.0.1

And no matter if you use the above nmap or these instructions to check, also check your IPv6 addresses!
You need 'restrict -6 default ignore' lines or similar as well, not just a restrict default ignore. 


— 
Bjoern A. Zeeb
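The IPv6 point above in code, as an added example that is not part of the post: a small audit of an ntp.conf that reports which address families still lack a default `restrict` line carrying `ignore` or `noquery`. The sample configs are constructed, and the assumption that an unflagged `restrict default` covers IPv4 only (the older ntpd behaviour the post's advice reflects) is a parameter you can turn off for newer ntpd.

```python
# Constructed sample configs, not from the post: the weak one restricts only
# the unflagged (IPv4) default, the fixed one adds the -6 line the post asks for.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default ignore
restrict 127.0.0.1
server 0.pool.ntp.org
"""
FIXED_CONF = WEAK_CONF + "restrict -6 default ignore\nrestrict ::1\n"

# Flags that stop ntpd answering mode 6/7 queries such as monlist.
QUERY_BLOCKING_FLAGS = {"ignore", "noquery"}

def parse_restrict_lines(conf_text):
    """Yield (family, target, flags) per restrict line; family is '4', '6' or 'any'."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        family = "any"
        if tokens[1] in ("-4", "-6"):
            family = tokens[1][1]
            tokens.pop(1)
        if len(tokens) < 2:
            continue
        flags, rest = set(), tokens[2:]
        while rest:                       # 'mask X' carries an argument, skip it
            tok = rest.pop(0)
            if tok == "mask" and rest:
                rest.pop(0)
            else:
                flags.add(tok)
        yield family, tokens[1], flags

def unprotected_families(conf_text, unflagged_default_is_v4_only=True):
    """Return the address families with no query-blocking default restrict.
    Assumption (matches the post's advice, older ntpd semantics): a plain
    'restrict default' covers IPv4 only, so IPv6 needs its own -6 line."""
    covered = {"4": False, "6": False}
    for family, target, flags in parse_restrict_lines(conf_text):
        if target != "default" or not (flags & QUERY_BLOCKING_FLAGS):
            continue
        if family == "any":
            covered["4"] = True
            covered["6"] = covered["6"] or not unflagged_default_is_v4_only
        else:
            covered[family] = True
    return sorted(f for f, ok in covered.items() if not ok)

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, "unprotected families:", unprotected_families(conf) or "none")
```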
