# DRDoS with net-misc/ntp

## ChrisJumper

DRDoS Amplification Attack Using ntpdc monlist command

NTP users are strongly urged to take immediate action to ensure that their NTP daemon is not susceptible to use in a reflected denial-of-service (DRDoS) attack.

http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using

Since there is no 4.2.6_p26 in portage, if you run an open ntp server (ntpd for sharing your time) you should disable the monitor function in your servers.

Edit /etc/ntp.conf and add

```
disable monitor
restrict noquery
```

then restart your server.

http://www.eecis.udel.edu/~mills/ntp/html/accopt.html#restrict

 *Quote:*   

> disable
>
> disable [auth | bclient | calibrate | kernel | monitor | ntp | pps | stats]
> ...

 

 *Quote:*   

> restrict address [mask mask] [flag][...]
>
> The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in IPv4 or IPv6 numeric address form defaults to all mask bits on, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. restrict default, with no mask option, modifies both IPv4 and IPv6 default entries. restrict source configures a template restriction automatically added at runtime for each association, whether configured, ephemeral, or preemptible, and removed when the association is demobilized.
> ...

 

Check out

support.ntp.org - Access Restrictions for extensive settings about access restrictions

or

support.ntp.org - ConfiguringAutokey, which describes a method to use a key on your server and your clients so they authenticate themselves.

----------

## gotyaoi

According to the notice, you could use either

```
restrict noquery
```

 or 

```
disable monitor
```

to mitigate this, and if I recall correctly, the default ntp.conf includes

```
restrict default nomodify nopeer noquery limited kod
```

so unless you've changed that, you're good. It also looks like the 4.2.7 series is the development version, so that will probably make it into the tree when it's more stable.
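As an added check that is not part of any post in this thread: a small Python parser that reads an ntp.conf and reports whether mode 7 monlist queries from arbitrary hosts would still be answered, i.e. whether neither `disable monitor` nor a `restrict default ... noquery` entry (as in the Gentoo default quoted above) is in effect. The sample configurations are constructed for this example.

```python
# Constructed sample configs for the example (not taken from any server in the thread).
GENTOO_DEFAULT = """# default restriction as quoted in the thread
restrict default nomodify nopeer noquery limited kod
restrict 127.0.0.1
server 0.gentoo.pool.ntp.org
"""
OPEN_CONF = """restrict default nomodify nopeer   # no noquery: mode 7 queries answered
restrict 127.0.0.1
"""
DISABLED_MONITOR = """restrict default nomodify nopeer
disable monitor   # monlist has nothing to report even though queries are allowed
"""

def parse_ntp_conf(text):
    """Return (monitor_on, default_flags): whether 'monitor' is enabled and the
    restrict flags that apply to the default (catch-all) entry per address family.
    Later enable/disable lines override earlier ones; repeated 'restrict default'
    lines accumulate flags, mirroring how ntpd merges them."""
    monitor_on = True                          # ntpd's built-in default
    default_flags = {"ipv4": set(), "ipv6": set()}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # strip comments and blank lines
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd in ("enable", "disable") and "monitor" in args:
            monitor_on = cmd == "enable"
        elif cmd == "restrict" and args:
            families = ["ipv4", "ipv6"]        # 'restrict default' covers both
            if args[0] in ("-4", "-6"):
                families = ["ipv4"] if args.pop(0) == "-4" else ["ipv6"]
            if not args or args[0] != "default":
                continue                       # per-host entries do not matter here
            for fam in families:
                default_flags[fam].update(args[1:])
    return monitor_on, default_flags

def monlist_exposed(text):
    """True if an arbitrary remote host could still get a monlist answer."""
    monitor_on, default_flags = parse_ntp_conf(text)
    if not monitor_on:
        return False
    # 'noquery' blocks mode 6/7 queries; 'ignore' drops everything from that entry.
    return any(not ({"noquery", "ignore"} & default_flags[fam])
               for fam in ("ipv4", "ipv6"))
```

A config that only protects one address family (`restrict -4 default noquery` without an IPv6 counterpart) is reported as exposed, since the other family's default entry still answers.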

----------

## kadrim

 *gotyaoi wrote:*   

> to mitigate this, and If I recall correctly, the default ntp.conf includes 
> 
> ```
> restrict default nomodify nopeer noquery limited kod
> ```
> ...

 

Alas, this is not the default ntp.conf (checked 3 servers where I never changed this).

So you would have to add noquery yourself.

EDIT: correction: it is the new default as of version ntp-4.2.6_p5-r10 (01 Jan 2014).

----------

## kernelOfTruth

Thanks for the heads up!

Haven't updated & used ntp in a while, will do so now.

----------

## aevertett

I have recently completed a couple of security scans on our in-house GPS-referenced NTP network time server, and all reported that we should update to NTP 4.2.7 in order to solve the DRDoS amplification attack using the ntpdc monlist command issue. However, I have noticed that the latest production version of NTP is 4.2.6 and that NTP 4.2.7 is only a development version. I feel uncomfortable with updating to a development version of NTP; has anyone else had similar issues? We're using a GPS NTP Server from TimeTools.

Regards, Eve

----------

## kernelOfTruth

 *ChrisJumper wrote:*   

> Since there is no 4.2.6_p26 in portage, and you run an open ntp server (ntpd for sharing your time) you should disable the monitor function in your servers 
> 
> Edit /etc/ntp.conf and add
> 
> ...

 

https://portal.cert.dfn.de/adv/DFN-CERT-2014-0017/

 *Quote:*   

> Workaround
>
> If an update to version 4.2.7 or higher is not possible, the "noquery" option can also be set in the configuration file; it takes effect after a restart of the service and prevents the request from being processed.
 

So if the noquery setting is an option in your setup, you don't need to go to the unstable/development branch of ntp.

----------

